Impact
Rundeck Community and Rundeck Enterprise Docker images contained a pre-generated SSH key pair. If the id_rsa.pub public key of the key pair was copied to authorized_keys files on remote hosts, those hosts would allow access to anyone with the exposed private key.
This misconfiguration only impacts Rundeck Docker instances of PagerDuty® Process Automation On Prem (formerly Rundeck) version 4.0 and earlier, not Debian, RPM or .WAR. Additionally, the id_rsa.pub file would have to be copied from the Docker image filesystem contents without overwriting it and used to configure SSH access on a host.
Patches
Rundeck 4.1.0 has removed the pre-generated SSH key pair, but it does not remove exposed keys that have been configured. To patch, users must run a script on hosts in their environment to search for exposed keys and rotate them.
Workarounds
- Do not use any pre-existing public key file from the Rundeck Docker images. Always generate a new SSH key and select ‘yes’ if prompted to overwrite.
- If the public key file included in the Docker image may have been used to configure node access, search the authorized_keys files for any of the keys listed below.
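The search step above, as an added example that is not the advisory's own remediation script: it scans authorized_keys content for entries whose key body matches a known-exposed key (definitive) or whose comment matches one of the listed key IDs (a hint only, since comments are free text). The exposed key bodies are supplied by the caller; the sample authorized_keys lines and blobs below are constructed placeholders.

```python
# Added example (not the advisory's or Rundeck's remediation script): scan
# authorized_keys text for the exposed Rundeck image keys. A key-blob match is
# definitive; a comment-ID match is only a hint, since comments are free text.
EXPOSED_IDS = {  # comment IDs published in the advisory
    "rundeck@435cc7c0ec97", "rundeck@a9408cab34cf", "rundeck@d39a9897de35",
    "rundeck@553322682a1d", "rundeck@7ff0495cadf8", "rundeck@0a88c2cee02f",
    "rundeck@6ce6a554d02b", "rundeck@buildkitsandbox",
}
# Entries may carry leading options (from="...",no-pty ...); the key-type
# token marks where the key itself starts.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-", "ssh-dss", "sk-")


def parse_entry(line):
    """Return (key_type, blob, comment), or None for blank/comment lines."""
    tokens = line.strip().split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None


def find_exposed(authorized_keys_text, exposed_blobs):
    """Return [(line_no, reason)] for entries matching a known-exposed key.

    exposed_blobs: base64 key bodies from the advisory's full key list,
    supplied by the caller (e.g. read from a file kept with the script).
    """
    findings = []
    for n, line in enumerate(authorized_keys_text.splitlines(), start=1):
        entry = parse_entry(line)
        if entry is None:
            continue
        _, blob, comment = entry
        if blob in exposed_blobs:
            findings.append((n, "blob matches exposed key"))
        elif comment in EXPOSED_IDS:
            findings.append((n, "comment matches exposed key ID"))
    return findings


# Constructed sample input: the blobs below are placeholders, not real keys.
SAMPLE_EXPOSED_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_EXPOSED_BLOB"}
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_HARMLESS admin@ops
from="10.0.0.5",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_EXPOSED_BLOB rundeck@node1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER_UNKNOWN rundeck@435cc7c0ec97
"""
```

Any line reported should have its entry removed from authorized_keys and the corresponding node access reconfigured with a freshly generated key.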
Public Keys
IDs
rundeck@435cc7c0ec97
rundeck@a9408cab34cf
rundeck@d39a9897de35
rundeck@553322682a1d
rundeck@7ff0495cadf8
rundeck@0a88c2cee02f
rundeck@6ce6a554d02b
rundeck@buildkitsandbox
Credit
Thank you to Paul Calabro (@paulcalabro) for reporting this.