Issue #1227
closed
[CVE-2015-5263] pulp-consumer does not check SSL certificate signatures when retrieving RSA key
Status: CLOSED - CURRENTRELEASE
Description
A security flaw (CVE-2015-5263) was discovered in Pulp's consumer
management system. When the pulp-consumer CLI is used to register to the
Pulp server, it downloads a public key from the Pulp server and stores
it locally. Later when the Pulp server sends messages to the client via
a message broker to instruct it to perform commands, it will use the
corresponding private key to sign the messages. The client checks the
signatures before executing the instructions to ensure that the messages
came from the Pulp server and not from an attacker.
Versions of pulp-consumer-client between 2.4.0 and 2.6.3 do not check
the server's TLS certificate signatures when retrieving the server's
public key upon registration:
https://github.com/pulp/pulp/blob/aa432bf58497b5e3682333b1d5f5ae4f45788a61/client_consumer/pulp/client/consumer/cli.py#L103
This allows a man-in-the-middle to inject their own message signing
key and to then perform administrative actions on the machine, if they
are able to send messages through the message broker.
Austin Macdonald fixed this issue in this commit by using our
pulp.bindings library as the rest of our CLI does:
https://github.com/pulp/pulp/commit/b542d7465f7e6e02e1ea1aec059ac607a65cefe7#diff-17110211f89c042a9267e2167dedd754
Users who do not use pulp-consumer are not affected by this issue.
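As an added illustration (not Pulp's own code, and the function names, the `ca_bundle` parameter and the URL path used in it are assumptions), this is the shape of the registration-time key fetch that the fix restores: the consumer only accepts the server's signing key over TLS that verifies the server certificate against the consumer's configured CA bundle and checks the hostname, and it refuses to proceed with any transport that would let a man-in-the-middle substitute the key.

```python
import ssl
import urllib.request


def consumer_tls_context(ca_bundle=None):
    """Build a verifying TLS context for talking to the Pulp server.

    ca_bundle is the consumer's configured CA file (assumed parameter);
    None falls back to the system trust store.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=ca_bundle)
    # These are already the defaults of create_default_context; set them
    # explicitly so a later "convenience" edit cannot silently relax them.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def is_verifying(ctx):
    """True only if the context rejects unverifiable certificates and
    checks that the certificate matches the hostname being contacted."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def transport_ok(url, ctx):
    """Policy check run before any network I/O: the signing key may only
    travel over https with a verifying context (the vulnerable versions
    skipped exactly this check)."""
    return url.startswith("https://") and is_verifying(ctx)


def fetch_signing_key(url, ctx, timeout=10):
    """Download the server's message-signing public key (PEM).

    url is assumed to be the server's public-key endpoint, e.g.
    https://pulp.example.com/pulp/static/rsa_pub.key (constructed name).
    """
    if not transport_ok(url, ctx):
        raise ValueError("refusing to fetch signing key without verified TLS: " + url)
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        pem = resp.read()
    if b"-----BEGIN PUBLIC KEY-----" not in pem:
        raise ValueError("response does not contain a PEM public key")
    return pem
```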
- Subject changed from pulp-consumer cannot work with self-signed certs on python 2.7.9+ (ie: f21+) to pulp-consumer cannot work with self-signed certs on python 2.7.9+ (ie: f22+)
- Description updated (diff)
- Priority changed from High to Normal
- Severity changed from 3. High to 1. Low
- OS changed from Fedora 21 to Fedora 22
This only affects pulp-consumer on Fedora 22 at this point, which is unlikely to impact real-world users. Since we are re-thinking consumer management entirely, pulp-consumer itself may not last long enough to see this bug impact the OSs we usually see being managed (RHEL and CentOS). In the meantime, we'll leave the priority on the low side.
- Private changed from No to Yes
- Subject changed from pulp-consumer cannot work with self-signed certs on python 2.7.9+ (ie: f22+) to [CVE-2015-5263] pulp-consumer does not check SSL certificate signatures when retrieving RSA key
- Description updated (diff)
- Status changed from NEW to CLOSED - CURRENTRELEASE
- Assignee set to amacdona@redhat.com
- Priority changed from Normal to Urgent
- Private changed from Yes to No
- Severity changed from 1. Low to 4. Urgent
- Version set to 2.4.0
- Platform Release set to 2.6.4
- OS deleted (Fedora 22)
- Triaged changed from No to Yes