Issue #1227

closed

[CVE-2015-5263] pulp-consumer does not check SSL certificate signatures when retrieving RSA key

Added by bmbouter over 8 years ago. Updated about 5 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Urgent
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 4. Urgent
Version: 2.4.0
Platform Release: 2.6.4
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:

Description

A security flaw (CVE-2015-5263) was discovered in Pulp's consumer
management system. When the pulp-consumer CLI is used to register with the
Pulp server, it downloads a public key from the Pulp server and stores
it locally. Later, when the Pulp server sends messages to the client via
a message broker to instruct it to perform commands, it uses the
corresponding private key to sign those messages. The client checks the
signatures before executing the instructions, to ensure that the messages
came from the Pulp server and not from an attacker.

Versions of pulp-consumer-client between 2.4.0 and 2.6.3 do not check
the server's TLS certificate signatures when retrieving the server's
public key upon registration:

https://github.com/pulp/pulp/blob/aa432bf58497b5e3682333b1d5f5ae4f45788a61/client_consumer/pulp/client/consumer/cli.py#L103

Because the key is fetched over an unauthenticated channel, a man-in-the-middle
can substitute their own message-signing key at registration time and then, if
they are able to send messages through the message broker, perform
administrative actions on the machine.

Austin Macdonald fixed this issue in this commit by using our
pulp.bindings library as the rest of our CLI does:

https://github.com/pulp/pulp/commit/b542d7465f7e6e02e1ea1aec059ac607a65cefe7#diff-17110211f89c042a9267e2167dedd754

Users who do not use pulp-consumer are not affected by this issue.
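The description above boils down to one rule: the public key that anchors all later signature checks must itself be fetched over a channel whose server certificate is verified. The following is an added example written for this page, not Pulp's own code and not the fix linked above. It shows a registration-time key download that refuses to run through a TLS context that skips chain or hostname verification, next to the kind of "accept anything" context such a check is meant to catch. The URL, the `ca_bundle_path` parameter and the function names are assumptions; the PEM used in the usage note is constructed.

```python
"""
Added example (not Pulp's code): retrieve a server's message-signing public key
over HTTPS only through a TLS context that verifies the certificate chain and
hostname, and refuse any context that would accept an unverified server.
"""
import hashlib
import ssl
import urllib.request


class InsecureTransportError(Exception):
    """Raised when a request would trust a server whose certificate is not verified."""


def build_verifying_context(ca_bundle_path=None):
    """Return an SSLContext that requires a trusted chain and checks the hostname.

    ca_bundle_path (assumption): optional PEM file for the CA that signed the
    server certificate, e.g. a private CA used with a self-signed deployment.
    With None, the platform trust store is used.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    # create_default_context already sets both of these; stating them
    # explicitly makes any later relaxation show up in a diff.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def insecure_context_for_comparison():
    """A context that accepts any certificate from any host.

    This is the class of configuration the issue describes; it exists here only
    so the guard below can be exercised offline. Never use it for key retrieval.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies_peer(ctx):
    """True only if ctx both requires a trusted chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname is True


def looks_like_public_key_pem(data):
    """Cheap sanity check that the response body is a PEM public key."""
    return (b"-----BEGIN PUBLIC KEY-----" in data
            and b"-----END PUBLIC KEY-----" in data)


def key_fingerprint(pem):
    """SHA-256 of the PEM bytes, suitable for logging and for noticing a change
    in the stored key across registrations."""
    return hashlib.sha256(pem).hexdigest()


def fetch_signing_key(url, ctx, timeout=10):
    """Download the server's signing public key, or raise before any I/O if
    the transport would not authenticate the server.

    The key fetched here is the trust anchor for every later signed command,
    so substituting it at this step defeats all subsequent signature checks.
    """
    if not url.startswith("https://"):
        raise InsecureTransportError("signing key must be fetched over https")
    if not context_verifies_peer(ctx):
        raise InsecureTransportError(
            "refusing to fetch signing key through a context that does not "
            "verify the server certificate")
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        pem = resp.read()
    if not looks_like_public_key_pem(pem):
        raise ValueError("response does not look like a PEM public key")
    return pem
```

In use, the consumer would call `fetch_signing_key("https://pulp.example/path/to/key", build_verifying_context("/etc/pki/pulp/ca.crt"))` (placeholder URL and path) and store both the PEM and `key_fingerprint(pem)`; a later registration that yields a different fingerprint is worth surfacing to an operator rather than silently overwriting the stored key. The guard is deliberately placed before the request is opened, so a misconfigured context fails closed rather than leaking the request to whoever answers.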

Actions #1

Updated by bmbouter over 8 years ago

  • Subject changed from pulp-consumer cannot work with self-signed certs on python 2.7.9+ (ie: f21+) to pulp-consumer cannot work with self-signed certs on python 2.7.9+ (ie: f22+)
  • Description updated (diff)

Actions #2

Updated by mhrivnak over 8 years ago

  • Priority changed from High to Normal
  • Severity changed from 3. High to 1. Low
  • OS changed from Fedora 21 to Fedora 22

This only affects pulp-consumer on Fedora 22 at this point, which is unlikely to impact real-world users. Since we are re-thinking consumer management entirely, pulp-consumer itself may not last long enough to see this bug impact the OSs we usually see being managed (RHEL and CentOS). In the meantime, we'll leave the priority on the low side.

Actions #3

Updated by rbarlow over 8 years ago

  • Private changed from No to Yes

Actions #4

Updated by rbarlow over 8 years ago

  • Subject changed from pulp-consumer cannot work with self-signed certs on python 2.7.9+ (ie: f22+) to [CVE-2015-5263] pulp-consumer does not check SSL certificate signatures when retrieving RSA key
  • Description updated (diff)
  • Status changed from NEW to CLOSED - CURRENTRELEASE
  • Assignee set to amacdona@redhat.com
  • Priority changed from Normal to Urgent
  • Private changed from Yes to No
  • Severity changed from 1. Low to 4. Urgent
  • Version set to 2.4.0
  • Platform Release set to 2.6.4
  • OS deleted (Fedora 22)
  • Triaged changed from No to Yes

Actions #5

Updated by bmbouter about 5 years ago

  • Tags Pulp 2 added