EIQ-2019-0025



ID

EIQ-2019-0025

CVE

-

Description

Incorrect default permissions for the platform settings file

Date

13 Jun 2019

Severity

2 - MEDIUM

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

2.5.0

Assessment

The packaging process that produces install packages for EclecticIQ Platform takes care of, among other things, setting default file access rights and permissions.
The process sets incorrect permissions for the platform settings file: /etc/eclecticiq/platform_settings.py.

The current access level for the platform settings file is 644 / rw-r--r--.
This enables anyone with SSH access to the server hosting the target platform instance to access the platform configuration settings that hold database credentials.

Mitigation

  • From release 2.5.0, the /etc/eclecticiq/platform_settings.py file and the corresponding symbolic link are assigned the following permissions: 640 / rw-r-----

  • From release 2.5.0, the /etc/eclecticiq/platform_settings.py file and the corresponding symbolic link are assigned the following user and group: root:eclecticiq

To manually set these values in earlier platform releases:

  • Log in to the platform with SSH, and then run the following commands:

    sudo chown root:eclecticiq /opt/eclecticiq/etc/eclecticiq/platform_settings.py
    sudo chown root:eclecticiq /etc/eclecticiq/platform_settings.py
    sudo chmod 640 /opt/eclecticiq/etc/eclecticiq/platform_settings.py
    sudo chmod 640 /etc/eclecticiq/platform_settings.py
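To confirm the result, the following added example (not part of EclecticIQ's advisory or tooling) checks both paths against the owner, group and mode listed above. It assumes GNU coreutils `stat` on Linux; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the platform settings file against this advisory's values.
# Assumption: GNU coreutils stat (-L and -c are GNU options).

# check_settings_perms PATH [OWNER] [GROUP]
# Returns 0 when PATH (symlinks followed) is owned by OWNER:GROUP and grants
# no permission bit beyond 640; returns 1 on a finding, 2 if PATH is missing.
check_settings_perms() {
    path=$1 want_owner=${2:-root} want_group=${3:-eclecticiq}
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 2
    fi
    # -L follows the symbolic link, so the mode of the real file is reported.
    set -- $(stat -L -c '%a %U %G' "$path")
    mode=$1 owner=$2 group=$3
    rc=0
    # Any bit outside 0640 (access for "other", group write, execute,
    # setuid/setgid/sticky) is a finding; 644 fails on the "other" read bit.
    if [ $(( 0$mode & ~0640 & 07777 )) -ne 0 ]; then
        echo "FAIL $path: mode $mode grants more than 640"
        rc=1
    fi
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "FAIL $path: owner $owner:$group, expected $want_owner:$want_group"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $path ($mode $owner:$group)"
    return "$rc"
}

# Check both locations named in the mitigation steps.
audit_platform_settings() {
    status=0
    for f in /opt/eclecticiq/etc/eclecticiq/platform_settings.py \
             /etc/eclecticiq/platform_settings.py; do
        check_settings_perms "$f" || status=1
    done
    return "$status"
}

# Run the audit only when asked to, for example: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_platform_settings
fi
```

A non-zero exit status from `audit_platform_settings` means at least one path is missing or still deviates from 640 and root:eclecticiq.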

Affected versions

2.4.0 and earlier.

Notes

For more information about the weakness, see CWE-276.

To successfully execute commands in the command line or in the terminal, you may require root-level access rights.

  • Obtain root-level access by running sudo -i:

    # Root-access login shell
    sudo -i


    To access resources as a different user than the currently active one, append -u:

    # Open a login shell as root
    sudo -i

    # Open a login shell as a different user
    sudo -i -u ${user_name}

    # Run a command as a different user, in that user's login environment
    sudo -i -u ${user_name} ${command} ${options}



In release notes 2.5.0