
Use of Hard-coded Cryptographic Key in rundeck/rundeck, rundeckpro/enterprise

Critical
fdevans published GHSA-qxjx-xr2m-hgqx May 11, 2022

Package

rundeck/rundeck, rundeckpro/enterprise (docker)

Affected versions

<4.1

Patched versions

None

Description

Impact

Rundeck Community and Rundeck Enterprise Docker images contained a pre-generated SSH key pair. If the id_rsa.pub public key of the key pair was copied to authorized_keys files on remote hosts, those hosts would allow access to anyone with the exposed private key.

This misconfiguration only affects Rundeck Docker instances of PagerDuty® Process Automation On Prem (formerly Rundeck) version 4.0 and earlier; the Debian, RPM and .WAR distributions are not affected. Additionally, a host is only exposed if the id_rsa.pub file was copied out of the Docker image filesystem without first being overwritten by a freshly generated key, and was then used to configure SSH access on that host.

Patches

Rundeck 4.1.0 has removed the pre-generated SSH key pair, but it does not remove exposed keys that have been configured. To patch, users must run a script on hosts in their environment to search for exposed keys and rotate them.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

  • Do not use any pre-existing public key file from the Rundeck Docker images. Always generate a new SSH key and select ‘yes’ if prompted to overwrite.
  • If the public key file included in the Docker image may have been used to configure node access, search the authorized_keys files for any of the keys listed below.
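As an added example (not part of the advisory or of the Rundeck project), a POSIX shell scan that flags authorized_keys entries matching a list of exposed public keys. The key bodies in EXPOSED_KEYS are constructed placeholders to be replaced with the advisory's public keys; the per-user file paths in scan_all_users are assumptions.

```shell
#!/bin/sh
# Known-exposed public keys, one per line, in authorized_keys format.
# Placeholder bodies (constructed); replace with the keys from the advisory.
EXPOSED_KEYS='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9PLACEHOLDERKEY1 rundeck@435cc7c0ec97
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqPLACEHOLDERKEY2 rundeck@a9408cab34cf'

# Print "<file>:<line>: <comment>" for every entry in an authorized_keys file
# whose key type and base64 body match an exposed key. Matching ignores the
# comment and any leading options (from=..., command=...), so a key that was
# re-commented or restricted when it was installed is still reported.
scan_authorized_keys() {
    file="$1"
    printf '%s\n' "$EXPOSED_KEYS" | awk -v file="$file" '
        # First input (stdin): index exposed keys by "type body".
        NR == FNR { exposed[$1 " " $2] = 1; next }
        # Second input (authorized_keys): find the key type field wherever it sits.
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$/ && i < NF) {
                    if (($i " " $(i+1)) in exposed) {
                        c = (i + 2 <= NF) ? $(i+2) : "(no comment)"
                        printf "%s:%d: %s\n", file, FNR, c
                    }
                    break
                }
            }
        }' - "$file"
}

# Assumed locations of authorized_keys files on a typical Linux host; each hit
# is a line to remove, after which a new key pair is issued with ssh-keygen.
scan_all_users() {
    for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
        [ -f "$f" ] && scan_authorized_keys "$f"
    done
    return 0
}
```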


Public Keys

IDs

rundeck@435cc7c0ec97
rundeck@a9408cab34cf
rundeck@d39a9897de35
rundeck@553322682a1d
rundeck@7ff0495cadf8
rundeck@0a88c2cee02f
rundeck@6ce6a554d02b
rundeck@buildkitsandbox


Credit

Thank you to Paul Calabro (@paulcalabro) for reporting this.

Severity

Critical

CVE ID

CVE-2022-29186
