Due to a bug in rpm-ostree, the /etc/shadow, /etc/shadow-, /etc/gshadow and /etc/gshadow-
files in Fedora CoreOS have the world-readable bit set.
== Affected versions ==
All Fedora CoreOS nodes installed starting from the following versions are impacted:
- stable: 38.20230902.3.0
- testing: 38.20230902.2.1
- next: 38.20230902.1.1
This only impacts new installations and not updated systems thus systems installed from
versions before those releases are not impacted.
This only impacts systems where a password is set (notably for the 'core' and
'root' users). Systems where only SSH keys were used are not impacted by this
vulnerability even though it is present on the node.
On systems with SELinux enabled and in enforcing mode, access to those files is limited to
unconfined (usually interactive) users, unconfined systemd services and privileged
containers. Confined daemons, users and containers are not able to access them.
== Fix ==
The following Fedora CoreOS versions fix the issue and include a systemd unit to fix
existing systems on update:
- stable: 39.20240322.3.1
- testing: 39.20240407.2.0
- next: 40.20240408.1.0
Systems with automatic updates enabled will automatically get the update starting on
2024-04-10 14:00 UTC.
To immediately fix existing systems, you can run the following command as root:
chmod --verbose 0000 /etc/shadow /etc/gshadow /etc/shadow- /etc/gshadow-
As a precaution, we recommend rotating all user credentials stored in those files.
== References ==
GitHub Security Advisory:
https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6
Red Hat Security Advisory:
https://access.redhat.com/security/cve/CVE-2024-2905
Fedora CoreOS issue:
https://github.com/coreos/fedora-coreos-tracker/issues/1705