Description
A security vulnerability has been discovered in rpm-ostree: in default builds, the /etc/shadow file is shipped world-readable instead of with the expected 0000 permissions. Because the default mode bits are more permissive than recommended, sensitive authentication data (password hashes) can be exposed to unauthorized local access.
Statement
This vulnerability lets local, unconfined applications read the hashed passwords of all users on the system from those files. To turn that into further access, the hashes must be cracked offline to recover the real passwords, which may then be used to authenticate as a more privileged user, for example over SSH. On systems with SELinux enabled and in enforcing mode, access to those files is limited to unconfined (usually interactive) users, unconfined systemd services and privileged containers; confined daemons, users and containers cannot read them. Only OpenShift clusters that were initially installed on OCP 4.14 or later are affected. Clusters installed on an earlier OCP release and later updated to 4.14 or newer are not affected, because /etc/shadow on those nodes is normally a "locally modified" file and rpm-ostree keeps the local version, with its existing permissions, across updates. Clusters in which no user has a password set (only SSH keys in use, the OpenShift default) are not impacted even though the permissive mode is present on the node: the exposed file then holds only locked-account markers rather than crackable hashes.
Mitigation
If you need to apply the fix immediately, you can run the following commands, using credentials that have administrator access to an OpenShift cluster.

List the current permissions on all nodes:

```bash
for node in $( oc get nodes -oname) ; do echo $node ; oc debug $node -- bash -c "ls -alhZ /host/etc/shadow"; done
```

Set the correct permissions:

```bash
for node in $( oc get nodes -oname) ; do echo $node ; oc debug $node -- chmod --verbose 0000 /host/etc/shadow /host/etc/gshadow /host/etc/shadow- /host/etc/gshadow-; done
```

As a precaution, we recommend rotating all user credentials stored in those files.
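The two one-liners above report and then blindly reset every node. The script below is an added example, not part of the advisory or of rpm-ostree: it audits the four shadow-family files for any group/other permission bit, reports each file's mode, resets exposed files to 0000 only when asked, and returns a non-zero status if anything was exposed so you know credential rotation is warranted. The file list, the `/host` prefix used inside `oc debug` pods, and the `--cluster`/`--local` flags are this example's own choices; it assumes bash, GNU `stat` and `chmod` on the node, and a working `oc` login with cluster-admin rights for cluster mode.

```bash
#!/usr/bin/env bash
# Added example (not from the advisory or rpm-ostree): audit the shadow-family
# files for group/other permission bits and optionally reset them to 0000.
# Usage:
#   shadow-audit.sh --local [fix]      audit (and fix) this host
#   shadow-audit.sh --cluster [fix]    audit (and fix) every node via oc debug
# Assumes bash and GNU stat/chmod; "oc" is only needed for --cluster.

# Files the advisory tells you to correct (example's own list, copied from it).
SHADOW_FILES="/etc/shadow /etc/gshadow /etc/shadow- /etc/gshadow-"

# perm_exposed FILE: succeeds (0) when any group or other permission bit is set
# on FILE, i.e. a local unprivileged user could read or write it; fails (1)
# when only the owner has access, or when the file does not exist.
perm_exposed() {
  local f="$1" mode
  [ -e "$f" ] || return 1
  mode=$(stat -c '%a' "$f")       # octal mode without leading zeros, e.g. 644, 600, 0
  case "$mode" in
    0|*00) return 1 ;;            # group and other digits are both zero
    *)     return 0 ;;            # at least one group/other bit is set
  esac
}

# audit_shadow ROOT [fix]: report every shadow file under ROOT (use /host inside
# an "oc debug" pod, or / on a plain host). With "fix", exposed files are reset
# to 0000. Returns 1 if any file was exposed when the audit ran, even if it was
# then fixed, so the caller knows the hashes may already have been read.
audit_shadow() {
  local root="$1" fix="${2:-}" f rc=0
  for f in $SHADOW_FILES; do
    if perm_exposed "$root$f"; then
      echo "EXPOSED $root$f mode=$(stat -c '%a' "$root$f")"
      rc=1
      if [ "$fix" = "fix" ]; then
        chmod --verbose 0000 "$root$f"
      fi
    elif [ -e "$root$f" ]; then
      echo "ok      $root$f mode=$(stat -c '%a' "$root$f")"
    fi
  done
  return $rc
}

case "${1:-}" in
  --local)
    audit_shadow / "${2:-}"
    ;;
  --cluster)
    # Ship the two functions into each node's debug pod with "declare -f" and
    # run the audit against the node root mounted at /host.
    command -v oc >/dev/null 2>&1 || { echo "oc not found in PATH" >&2; exit 2; }
    for node in $(oc get nodes -oname); do
      echo "== $node"
      oc debug "$node" -- bash -c "$(declare -f perm_exposed audit_shadow)
SHADOW_FILES='$SHADOW_FILES'
audit_shadow /host ${2:-}"
    done
    ;;
  *)
    echo "usage: $0 --local|--cluster [fix]" >&2
    ;;
esac
```

Run it once without `fix` to get an inventory, then with `fix`; a non-zero exit from the first run is the signal that the hashes were readable and that the credential rotation the advisory recommends should follow.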
Affected packages
Platform | Package | State | Advisory | Release date
---|---|---|---|---
Red Hat Enterprise Linux 8 | rpm-ostree | Not affected | |
Red Hat OpenShift Container Platform 4 | rpm-ostree | Not affected | |
Red Hat Enterprise Linux 10 | rpm-ostree | Fixed | RHBA-2025:4872 | 2025-05-13
Red Hat Enterprise Linux 9 | rpm-ostree | Fixed | RHSA-2024:3823 | 2024-06-11
Red Hat Enterprise Linux 9.2 Extended Update Support | rpm-ostree | Fixed | RHSA-2024:3401 | 2024-05-28
Additional information
CVSS3: 6.2 Medium
Related vulnerabilities
- ELBA-2025-4872: rpm-ostree bug fix and enhancement update (MODERATE)
- Vulnerability in the rpm-ostree package of the Red Hat Enterprise Linux and Fedora operating systems that allows an attacker to gain unauthorized access to authentication data