
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-3287 is a security vulnerability in the fwupd package, which provides a service that allows session software to update device firmware. The redfish plugin saved an auto-generated password to /etc/fwupd/redfish.conf without restricting the file's permissions, leaving it world-readable (Debian Security).
The flaw is triggered when the plugin creates an OPERATOR user account on the BMC (Baseboard Management Controller) and persists the generated password to /etc/fwupd/redfish.conf. The file was written with g_file_set_contents(), which creates it with mode 0666 filtered only by the process umask (0644 under the common 022 default), so the restrictive permissions the plugin intended were never applied and any local user could read the configuration file (GitHub Commit).
Any unprivileged local user can therefore read the credentials of the BMC OPERATOR account from the configuration file, which is enough to authenticate to the BMC as that account. Red Hat assigned the issue a CVSS v3 score of 5.5, a moderate severity (Red Hat CVE).
The issue is fixed in newer fwupd releases. The fix writes the file with g_file_set_contents_full() and an explicit mode of 0660 on GLib versions that provide that function (2.66 and later), with a fallback that has the same semantics for older GLib. Red Hat has released security updates for affected versions, including fwupd version 1.7.8-2 for various architectures (Red Hat Advisory).
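The two write patterns described above, as an added example in plain POSIX C rather than GLib; this is not fwupd's code. write_config_insecure() mirrors g_file_set_contents(): the file is created with 0666 subject only to the umask, so under the usual 022 default it ends up 0644 and readable by everyone. write_config_secure() mirrors what g_file_set_contents_full() achieves with an explicit 0660: write to a private temporary file, set the mode, fsync, then rename it over the target so no reader ever sees a partial or loosely-permissioned file. The path names, the config contents and the 022 umask are assumptions chosen for the demonstration; is_world_readable() is the check a practitioner would run against the real /etc/fwupd/redfish.conf.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if "other" may read path, 0 if not, -1 if it cannot be stat'ed. */
int is_world_readable(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_IROTH) ? 1 : 0;
}

/* Vulnerable pattern: fopen(3) creates the file with 0666 & ~umask,
 * exactly like g_file_set_contents(); the secret inherits whatever
 * the umask leaves, typically 0644. */
int write_config_insecure(const char *path, const char *contents)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    if (fputs(contents, fp) == EOF) {
        fclose(fp);
        return -1;
    }
    return fclose(fp) == 0 ? 0 : -1;
}

/* Hardened pattern: private temp file, explicit mode, fsync, atomic
 * rename. fchmod() applies 'mode' exactly (it is not umask-filtered),
 * so 0660 really means owner and group only. */
int write_config_secure(const char *path, const char *contents, mode_t mode)
{
    char tmp[4096];
    size_t len = strlen(contents);
    int fd;

    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp)
        return -1;
    fd = mkstemp(tmp);               /* created 0600 by modern libc */
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) != 0)
        goto fail;
    if (write(fd, contents, len) != (ssize_t)len || fsync(fd) != 0)
        goto fail;
    if (close(fd) != 0) {
        fd = -1;
        goto fail;
    }
    fd = -1;
    if (rename(tmp, path) != 0)
        goto fail;
    return 0;
fail:
    if (fd >= 0)
        close(fd);
    unlink(tmp);
    return -1;
}

/* Write a constructed config both ways under 'dir' and return a 2-bit
 * result: bit 1 = insecure copy world-readable, bit 0 = secure copy
 * world-readable. The umask is pinned to the assumed 022 default
 * because the insecure outcome depends on it. Expected value: 2. */
int run_demo(const char *dir)
{
    /* Constructed sample; not a real fwupd config or credential. */
    const char *contents = "[redfish]\nUsername=fwupd\nPassword=hunter2\n";
    char insecure[4096], secure[4096];
    int ri, rs;

    umask(022);
    snprintf(insecure, sizeof insecure, "%s/redfish-insecure-%ld.conf", dir, (long)getpid());
    snprintf(secure, sizeof secure, "%s/redfish-secure-%ld.conf", dir, (long)getpid());

    if (write_config_insecure(insecure, contents) != 0 ||
        write_config_secure(secure, contents, 0660) != 0)
        return -1;
    ri = is_world_readable(insecure);
    rs = is_world_readable(secure);
    unlink(insecure);
    unlink(secure);
    if (ri < 0 || rs < 0)
        return -1;
    return (ri << 1) | rs;
}

int main(void)
{
    int r = run_demo("/tmp");
    printf("insecure world-readable: %d, secure world-readable: %d\n",
           (r >> 1) & 1, r & 1);
    return r == 2 ? 0 : 1;
}
```

On a deployed system the equivalent one-off check is to stat /etc/fwupd/redfish.conf and confirm the "other" read bit is clear; a fixed fwupd leaves the file at 0660 or tighter.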
Source: This report was generated using AI