Issue #1833

CVE-2016-3107: Node certificate containing private key stored in world-readable file

Added by rbarlow over 3 years ago. Updated 7 months ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Category: -
Sprint/Milestone: -
Start date:
Due date:
Severity: 2. Medium
Version:
Platform Release: 2.8.3
Blocks Release:
OS:
Backwards Incompatible: No
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
QA Contact:
Complexity:
Smash Test:
Verified: No
Verification Required: No
Sprint:

Description

The Node certificate is installed
world-readable:

$ ls -lah /etc/pki/pulp/nodes/
total 4.0K
drwxr-xr-x. 2 root root 21 Apr 8 16:37 .
drwxr-xr-x. 4 root root 90 Apr 8 16:37 ..
-rw-r--r--. 1 root root 3.2K Apr 8 16:37 node.crt

The fix adjusts the generation script to limit the permissions
to 0640, and to adjust the group ownership to the apache group. It
also uses the -Z flag on the mv command to ensure the correct
SELinux context is used on the installed file.

Credit also goes to Jeremy Cline (Red Hat) for independently
discovering and reporting this issue.
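
The fix described above (mode 0640, group ownership, `mv -Z`), combined with the `mktemp -d` staging directory from the related CVE-2016-3108 commit, sketched as an added shell example; it is not Pulp's actual generation script, and the function names, the staging file name and the arguments are assumptions.

```shell
#!/bin/sh
# Added example, not the pulp-gen-nodes-certificate script itself.
# Function names, arguments and the staging file name are hypothetical.

# Exit status 0 when "other" has read permission on FILE (the 0644 case
# shown in the ls output above), non-zero otherwise.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print)" ]
}

# install_secret SRC DEST GROUP
# Stage a copy in a private directory, tighten mode and group there,
# and only then move it to DEST, so DEST never exists with loose
# permissions. Runs in a subshell so the umask change stays local.
install_secret() (
    umask 077                      # files created here start at 0600
    # mktemp -d creates a new 0700 directory with an unpredictable name
    # and fails if it cannot, unlike a fixed or guessable /tmp path.
    stage=$(mktemp -d) || exit 1

    # -Z resets the SELinux context to the default for DEST; pass it
    # only where SELinux is active.
    mvflag=
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        mvflag=-Z
    fi

    # Explicit && chaining: any failed step stops the install, even if
    # the caller runs this where `set -e` is ignored.
    cp "$1" "$stage/secret" &&
        chmod 0640 "$stage/secret" &&
        chgrp "$3" "$stage/secret" &&
        mv $mvflag "$stage/secret" "$2"
    rc=$?
    rm -rf "$stage"
    exit "$rc"
)

# On a node, as root, the call would look like:
#   install_secret "$generated" /etc/pki/pulp/nodes/node.crt apache
# and an audit of an existing install:
#   is_world_readable /etc/pki/pulp/nodes/node.crt && echo "fix permissions"
```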

Associated revisions

Revision e152f9e1
Added by rbarlow over 3 years ago

Add release notes for the upcoming 2.8.3.

re #1827
re #1830
re #1833
re #1834
re #1837

Credit goes to Jeremy Cline for writing the included release notes
for CVE-2016-3111 and CVE-2016-3112.

Revision 8571d9a0
Added by rbarlow over 3 years ago

CVE-2016-3107 & CVE-2016-3108: Safely generate Nodes certificate.

This commit fixes two CVEs.

CVE-2016-3107
=============

Install Node certificate with 640, apache owned (CVE-2016-3107).
Prior to this commit, the Node certificate had been installed
world-readable:
$ ls -lah /etc/pki/pulp/nodes/
total 4.0K
drwxr-xr-x. 2 root root 21 Apr 8 16:37 .
drwxr-xr-x. 4 root root 90 Apr 8 16:37 ..
-rw-r--r--. 1 root root 3.2K Apr 8 16:37 node.crt
This commit adjusts the generation script to limit the permissions
to 0640, and to adjust the group ownership to the apache group.
Credit also goes to Jeremy Cline (Red Hat) for independently
discovering and reporting this issue.
https://pulp.plan.io/issues/1833
fixes #1833

CVE-2016-3108
=============

Safely create tmp dir for the Nodes certificate (CVE-2016-3108).
Security researcher Sander Bos contacted the Pulp team to notify us
that the pulp-gen-nodes-certificate script suffers from the same
exploit as was found in CVE-2016-3095, namely that the $TMP
directory that contains the Nodes private key was created in an
unsafe manner. This commit contains his proposed fix to use
mktemp -d to safely create the directory.
Additionally, I added a set -e so that the script would exit upon
error.
Thanks to Sander Bos for taking the time to carefully inspect the
Pulp codebase and for writing a wonderfully detailed report
describing the issue and the fix for it.
Credit also goes to Jeremy Cline (Red Hat) for independently
reporting this issue.
https://pulp.plan.io/issues/1830
fixes #1830

History

#1 Updated by rbarlow over 3 years ago

  • Subject changed from reserved to CVE-2016-3107: Node certificate containing private key stored in world-readable file
  • Description updated (diff)
  • Status changed from NEW to POST
  • Assignee set to rbarlow
  • Private changed from Yes to No
  • Triaged changed from No to Yes

#2 Updated by rbarlow over 3 years ago

  • Description updated (diff)

#4 Updated by semyers over 3 years ago

  • Platform Release set to 2.8.3

#7 Updated by rbarlow over 3 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#8 Updated by semyers over 3 years ago

  • Status changed from MODIFIED to ON_QA

#9 Updated by semyers over 3 years ago

  • Status changed from ON_QA to CLOSED - CURRENTRELEASE

#10 Updated by bmbouter 7 months ago

  • Tags Pulp 2 added
