
CVE-2015-8559: knife bootstrap leaks validator.pem private key into system logs #3871

Closed
jschauma opened this issue Sep 3, 2015 · 11 comments
Labels: Priority: Critical (Fix immediately); Type: Enhancement (Adds new functionality)

Comments

@jschauma

jschauma commented Sep 3, 2015

When you 'knife bootstrap' a node, the validator.pem private RSA key is leaked into the system logs /var/log/messages.

The reason is that 'knife bootstrap' constructs a shell command to run on the node from a template, filling the private key in as a here-doc (see ). This command is invoked via (more or less):

ssh node 'sudo sh -c full-command-goes-here'

As a result, the private key ends up on the command-line, in the process table, and, by way of sudo command logging on most reasonable systems, in the system logs. The logs may also be forwarded to other places (possibly in clear text), and possibly stored on other systems, making the private validator key not quite so private any more.

@lamont-granquist
Contributor

I can't recall but I suspect this is also a problem with the validatorless bootstrapping as well, which copies client.pem up to the node instead of validation.pem.

It would be very good not to tactically patch this but to pull more of dan's bootstrapper code into knife bootstrap. The big shell command is shitty for so many other reasons as well...

@bdangit

bdangit commented Oct 3, 2015

👍 any traction on this?

@lamont-granquist
Contributor

It's being worked on internally, no ETA right now. Since we need to support unix and windows bootstraps, we need a transport abstraction over at least winrm and ssh. That already exists in several places (test-kitchen/chef-provisioning) but needs to get extracted out into its own library. Then mixlib-install and that "mixlib-transport" need to be glued together in knife bootstrap (then those mixlibs need to be patched into test-kitchen/chef-provisioning in order to DRY up the code across all the projects). So, it's highish priority, but we're trying to engineer it right.

@lamont-granquist lamont-granquist added this to the Accepted Minor milestone Oct 4, 2015
@jschauma
Author

jschauma commented Oct 4, 2015

Possible quick band-aid solution:

Instead of

ssh node "sudo sh -c 'shell script with here-docs'"

use

echo 'shell script with here-docs' | ssh node "sudo sh"

This allows the shell on the remote system to read and execute commands from stdin, without having everything on the command-line. This also has the benefit of only using a single ssh connection (compared to the possibility of creating the script as a file and scp(1)'ing the file to the remote side for execution).

Either way, please do note that this issue does not only affect the validator key, but other materials as well (for example, the 'encrypted_data_bag_secret'). Also note the race condition noted in #3872.
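
The two invocation styles discussed in this thread (the first post's here-doc script passed as the argument of `sudo sh -c`, versus the band-aid above that feeds the same script to the remote shell's stdin), as an added Ruby example that is not part of the thread and not knife's own code. It assumes a constructed stand-in key, a cut-down script in the shape of the bootstrap template (a quoted here-doc that writes the key to disk), and a local `sh` standing in for `ssh node "sudo sh"`; the argv check models what sudo's command log or `ps` would see.

```ruby
require "open3"
require "shellwords"
require "tmpdir"

# Constructed stand-in for validator.pem; not a real key.
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\n" \
           "CONSTRUCTED-NOT-A-REAL-KEY\n" \
           "-----END RSA PRIVATE KEY-----\n"

# Cut-down script in the shape of the bootstrap template: the key is embedded
# as a quoted here-doc and written to disk under a restrictive umask.
# (Assumed shape; the real template does much more, e.g. installs chef-client.)
def bootstrap_script(key, dest)
  [
    "umask 077",
    "mkdir -p #{File.dirname(dest).shellescape}",
    "cat > #{dest.shellescape} <<'EOP'",
    key.chomp,
    "EOP",
    "echo bootstrapped",
  ].join("\n") + "\n"
end

# Style reported in the issue: the entire script, key included, becomes one
# argument of `sh -c`. Every element of this array is visible in the process
# table and in sudo's command log on the node.
def argv_style(script, node = "node")
  ["ssh", node, "sudo sh -c #{script.shellescape}"]
end

# Proposed band-aid: argv carries nothing sensitive; the script travels over
# the ssh channel as the remote shell's stdin.
def stdin_style(script, node = "node")
  { argv: ["ssh", node, "sudo sh"], stdin: script }
end

# What a sudo log line or `ps` would reveal: is the secret anywhere in argv?
def secret_in_argv?(argv, secret)
  argv.any? { |arg| arg.include?(secret) }
end

# Executes the stdin style locally (a local `sh` stands in for
# `ssh node "sudo sh"`) and returns [script stdout, key as written on disk],
# showing that the here-doc still works when the script arrives on stdin.
def run_via_stdin_locally(key)
  Dir.mktmpdir do |dir|
    dest = File.join(dir, "etc", "chef", "validation.pem")
    out, status = Open3.capture2("sh", stdin_data: bootstrap_script(key, dest))
    raise "bootstrap script failed: #{status}" unless status.success?
    [out.strip, File.read(dest)]
  end
end

if $PROGRAM_NAME == __FILE__
  script = bootstrap_script(FAKE_KEY, "/etc/chef/validation.pem")
  puts "argv style exposes key:  #{secret_in_argv?(argv_style(script), 'CONSTRUCTED')}"
  puts "stdin style exposes key: #{secret_in_argv?(stdin_style(script)[:argv], 'CONSTRUCTED')}"
  out, written = run_via_stdin_locally(FAKE_KEY)
  puts "script said #{out.inspect}; key on disk intact: #{written == FAKE_KEY}"
end
```

Two caveats for anyone using the stdin form: a script read from stdin must not itself try to read stdin (an interactive prompt would consume the rest of the script), and the key is still in the node's memory and on its disk, so this only removes the argv/log exposure, not the need to protect the file (the `umask 077` above) and to rotate a validator that is known to have been logged.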

@lamont-granquist
Contributor

Yeah we've noted all the other issues with it, that's a large part of why we want to not do any quick fixes, it's already a large enough collection of band-aids.

@jschauma
Author

FYI: MITRE has assigned CVE-2015-8559 for this issue.

@jschauma jschauma changed the title knife bootstrap leaks validator.pem private key into system logs CVE-2015-8559: knife bootstrap leaks validator.pem private key into system logs Dec 14, 2015
@thommay thommay added Type: Enhancement Adds new functionality. Priority: Critical Fix immediately and removed Enhancement labels Jan 25, 2017
@ghost

ghost commented Oct 11, 2018

Is there any progress on this?

@pfsmorigo

Any update?

@btm
Contributor

btm commented Sep 3, 2019

The big portion of this that was ending up in system logs was fixed in Chef 15 by replacing the internal mechanisms for running commands with the train transport library. Rather than running one large heredoc, train allows us to copy a file over and run it. The work was done in #8253 and #8419 primarily.

There's still an issue with the ps output that should be an easy fix that we will tackle soon.

@lamont-granquist lamont-granquist removed this from the Accepted Minor milestone Oct 14, 2019
@kvivek1115
Contributor

Fixed in #8885

I think we can close it?

@tas50 tas50 closed this as completed Oct 17, 2019
@lock

lock bot commented Oct 31, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Oct 31, 2019