Project

Profile

Help

Issue #1227

[CVE-2015-5263] pulp-consumer does not check SSL certificate signatures when retrieving RSA key

Added by bmbouter about 6 years ago. Updated over 2 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Urgent
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
4. Urgent
Version:
2.4.0
Platform Release:
2.6.4
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

A security flaw (CVE-2015-5263) was discovered in Pulp's consumer
management system. When the pulp-consumer CLI is used to register to the
Pulp server, it downloads a public key from the Pulp server and stores
it locally. Later when the Pulp server sends messages to the client via
a message broker to instruct it to perform commands, it will use the
corresponding private key to sign the messages. The client checks the
signatures before executing the instructions to ensure that the messages
came from the Pulp server and not from an attacker.

Versions of pulp-consumer-client between 2.4.0 and 2.6.3 do not check
the server's TLS certificate signatures when retrieving the server's
public key upon registration:

https://github.com/pulp/pulp/blob/aa432bf58497b5e3682333b1d5f5ae4f45788a61/client_consumer/pulp/client/consumer/cli.py#L103

This allows a man in the middle to inject their own message signing
key and to then perform administrative actions on the machine, if they
are able to send messages through the message broker.

Austin Macdonald fixed this issue in this commit by using our
pulp.bindings library as the rest of our CLI does:

https://github.com/pulp/pulp/commit/b542d7465f7e6e02e1ea1aec059ac607a65cefe7#diff-17110211f89c042a9267e2167dedd754

Users who do not use pulp-consumer are not affected by this issue.

History

#1 Updated by bmbouter about 6 years ago

  • Subject changed from pulp-consumer cannot work with self-signed certs on python 2.7.9+ (ie: f21+) to pulp-consumer cannot work with self-signed certs on python 2.7.9+ (ie: f22+)
  • Description updated (diff)

#2 Updated by mhrivnak about 6 years ago

  • Priority changed from High to Normal
  • Severity changed from 3. High to 1. Low
  • OS changed from Fedora 21 to Fedora 22

This only affects pulp-consumer on Fedora 22 at this point, which is unlikely to impact real-world users. Since we are re-thinking consumer management entirely, pulp-consumer itself may not last long enough to see this bug impact the OSs we usually see being managed (rhel and centos). In the mean time, we'll leave the priority on the low side.

#3 Updated by rbarlow about 6 years ago

  • Private changed from No to Yes

#4 Updated by rbarlow about 6 years ago

  • Subject changed from pulp-consumer cannot work with self-signed certs on python 2.7.9+ (ie: f22+) to [CVE-2015-5263] pulp-consumer does not check SSL certificate signatures when retrieving RSA key
  • Description updated (diff)
  • Status changed from NEW to CLOSED - CURRENTRELEASE
  • Assignee set to amacdona@redhat.com
  • Priority changed from Normal to Urgent
  • Private changed from Yes to No
  • Severity changed from 1. Low to 4. Urgent
  • Version set to 2.4.0
  • Platform Release set to 2.6.4
  • OS deleted (Fedora 22)
  • Triaged changed from No to Yes

#5 Updated by bmbouter over 2 years ago

  • Tags Pulp 2 added

Please register to edit this issue

Also available in: Atom PDF