Issue #1827

CVE-2016-3106: Insecure creation of temporary directory when generating new CA key

Added by rbarlow over 3 years ago. Updated 7 months ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Category: -
Sprint/Milestone: -
Start date:
Due date:
Severity: 2. Medium
Version:
Platform Release: 2.8.3
Blocks Release:
OS:
Backwards Incompatible: No
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
QA Contact:
Complexity:
Smash Test:
Verified: No
Verification Required: No
Sprint:

Description

The pulp-gen-ca-certificate script created
the Pulp CA certificate and key in /tmp/$RANDOM. This led to about
32,768 possible directories. Florian Weimer and Sander Bos
notified the Pulp team that if a user happened to own a directory
that the script chose, the user would be able to read the
certificate authority certificate. Additionally, both security
researchers concluded that there is a race condition between
creating the secure folder and the later chmod, during which an
attacker could read and hold open the inode for the $TMP
directory. This would allow an attacker to read the key that is
later written.

Sander Bos additionally concluded that an attacker could create a
DoS attack two ways: 0) By creating a symlink within the $TMP
directory that points at an important system resource, such as
/etc/passwd, or 1) By creating $TMP itself as a symlink to /,
which would cause / to be chmod'd to 0700 later in the script.

The fix adjusts the script to use mktemp -d to ensure that a
unique and safe directory is used to create the Pulp CA
certificate. Additionally, the script uses set -e so that it will
halt if there are errors.

Thanks to Florian Weimer and to Sander Bos for independently
notifying Pulp of the issue and for suggesting the needed changes
to fix it. Thanks to Adam Mariš for advising the Pulp team through
the fix. The Pulp team is thankful to the security community for
their thoughtful analysis, and for taking the time to report these
issues.
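The pattern the fix describes (mktemp -d plus set -e), as an added example that is not the Pulp script itself: the directory is created atomically with mode 0700 so there is no mkdir-then-chmod window and no pre-existing path to own or replace with a symlink, and a verification step refuses to write anything into a directory that is a symlink, not ours, or not 0700. The function names are hypothetical, the "key" is a constructed placeholder, and the permission checks assume GNU stat -c (BSD stat uses different flags).

```shell
#!/bin/sh
# Added example, not Pulp's script: the safe scratch-directory pattern from
# the CVE-2016-3106 fix. mktemp -d creates a fresh, unpredictable directory
# atomically with mode 0700; set -e aborts on the first failed command rather
# than continuing with a half-initialised directory.
set -e
umask 077   # every file created below starts out private (0600)

# Defensive check before anything sensitive is written: the path must be a
# real directory (not a symlink), owned by the current user, mode 0700.
# Uses GNU stat -c (an assumption about the platform; BSD stat differs).
verify_private_dir() {
    dir=$1
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing to use $dir: not a plain directory" >&2; return 1
    fi
    if [ "$(stat -c %u "$dir")" != "$(id -u)" ]; then
        echo "refusing to use $dir: not owned by uid $(id -u)" >&2; return 1
    fi
    if [ "$(stat -c %a "$dir")" != "700" ]; then
        echo "refusing to use $dir: mode is $(stat -c %a "$dir"), want 700" >&2; return 1
    fi
}

# Create and verify a private scratch directory; print its path on stdout.
make_private_workdir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/pulp-ca.XXXXXXXXXX")
    verify_private_dir "$d"
    printf '%s\n' "$d"
}

# Write sensitive material (here a constructed placeholder standing in for the
# CA key) into the verified directory; umask 077 makes the file 0600 at creation.
write_private_file() {
    dir=$1; name=$2; contents=$3
    verify_private_dir "$dir"
    printf '%s\n' "$contents" > "$dir/$name"
    stat -c %a "$dir/$name"   # prints the resulting mode, e.g. 600
}

# Stand-alone demo: the directory is removed on exit, including an exit forced
# by set -e, so no key material is left behind in /tmp after a failure.
demo() {
    WORKDIR=$(make_private_workdir)
    trap 'rm -rf "$WORKDIR"' EXIT INT TERM
    mode=$(write_private_file "$WORKDIR" ca.key "CONSTRUCTED PLACEHOLDER KEY")
    echo "wrote $WORKDIR/ca.key with mode $mode"
}
demo
```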

Associated revisions

Revision e152f9e1
Added by rbarlow over 3 years ago

Add release notes for the upcoming 2.8.3.

re #1827
re #1830
re #1833
re #1834
re #1837

Credit goes to Jeremy Cline for writing the included release notes
for CVE-2016-3111 and CVE-2016-3112.

Revision 0b23e8f1
Added by rbarlow over 3 years ago

Safely create the dir in which the CA is created (CVE-2016-3106).

Prior to this commit, the pulp-gen-ca-certificate script created
the Pulp CA certificate and key in /tmp/$RANDOM. This led to about
32,768 possible directories. Florian Weimer and Sander Bos
notified the Pulp team that if a user happened to own a directory
that the script chose, the user would be able to read the
certificate authority certificate. Additionally, both security
researchers concluded that there is a race condition between
creating the secure folder and the later chmod, during which an
attacker could read and hold open the inode for the $TMP
directory. This would allow an attacker to read the key that is
later written.

Sander Bos additionally concluded that an attacker could create a
DoS attack two ways: 0) By creating a symlink within the $TMP
directory that points at an important system resource, such as
/etc/passwd, or 1) By creating $TMP itself as a symlink to /,
which would cause / to be chmod'd to 0700 later in the script.

This commit adjusts the script to use mktemp -d to ensure that a
unique and safe directory is used to create the Pulp CA
certificate. Additionally, the script uses set -e so that it will
halt if there are errors.

Thanks to Florian Weimer and to Sander Bos for independently
notifying Pulp of the issue and for suggesting the needed changes
to fix it. Thanks to Adam Mariš for advising the Pulp team through
the fix. The Pulp team is thankful to the security community for
their thoughtful analysis, and for taking the time to report these
issues.

https://pulp.plan.io/issues/1827

fixes #1827

History

#1 Updated by rbarlow over 3 years ago

  • Subject changed from reserved to CVE-2016-3106: Insecure creation of temporary directory when generating new CA key
  • Status changed from NEW to ASSIGNED
  • Assignee set to rbarlow
  • Private changed from Yes to No
  • Triaged changed from No to Yes

#2 Updated by rbarlow over 3 years ago

  • Description updated (diff)

#3 Updated by rbarlow over 3 years ago

  • Status changed from ASSIGNED to POST
  • Platform Release set to 2.8.3

#5 Updated by rbarlow over 3 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#6 Updated by semyers over 3 years ago

  • Status changed from MODIFIED to ON_QA

#7 Updated by semyers over 3 years ago

  • Status changed from ON_QA to CLOSED - CURRENTRELEASE

#8 Updated by bmbouter 7 months ago

  • Tags Pulp 2 added