CVE-2015-8559: knife bootstrap leaks validator.pem private key into system logs #3871

Open
jschauma opened this issue Sep 3, 2015 · 7 comments

@jschauma

commented Sep 3, 2015

When you 'knife bootstrap' a node, the validator.pem private RSA key is leaked into the system logs /var/log/messages.

The reason is that 'knife bootstrap' constructs a shell command to run on the node from a template, filling the private key in as a here-doc (see

). This command is invoked via (more or less):

ssh node 'sudo sh -c full-command-goes-here'

As a result, the private key ends up on the command-line, in the process table, and, by way of sudo command logging on most reasonable systems, in the system logs. The logs may also be forwarded to other places (possibly in clear text), and possibly stored on other systems, making the private validator key not quite so private any more.
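
A quick way to check whether logs on a site have already captured bootstrap secrets through sudo command logging, as an added example that is not part of the original issue. The log lines are constructed here in the shape of sudo's syslog records (host field, `sudo:`, then `TTY=... ; PWD=... ; USER=... ; COMMAND=...`); the key and secret values are placeholders, and the file name `encrypted_data_bag_secret` is taken from the discussion below.

```shell
#!/bin/sh
# Added example: triage a syslog file for sudo command records that carry
# secret material. The records below are constructed in the shape of sudo's
# syslog entries; the key body and the data bag secret are placeholders.

sample_log() {
  cat <<'EOF'
Sep  3 10:41:02 node1 sudo:   deploy : TTY=unknown ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/sh -c mkdir -p /etc/chef && cat > /etc/chef/validation.pem <<EOP\n-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAdummy\n-----END RSA PRIVATE KEY-----\nEOP
Sep  3 10:41:02 node1 sudo:   deploy : TTY=unknown ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/sh -c cat > /etc/chef/encrypted_data_bag_secret <<EOP\n0123456789abcdefdummysecret\nEOP
Sep  3 10:41:03 node1 sudo:   deploy : TTY=unknown ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/chef-client -j /etc/chef/first-boot.json
Sep  3 10:41:05 node1 sshd[2210]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2
Sep  3 10:42:11 node2 sudo:   deploy : TTY=unknown ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/sh -c cat > /etc/chef/validation.pem <<EOP\n-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAdummy\n-----END RSA PRIVATE KEY-----\nEOP
EOF
}

# Markers worth hunting for in command logging: PEM private key headers and
# the data bag secret file that the thread also names.
SECRET_PATTERN='-----BEGIN [A-Z ]*PRIVATE KEY-----|encrypted_data_bag_secret'

# Print only sudo COMMAND= records that contain secret material.
# Reads the files given as arguments, or stdin when none are given.
find_leaked_secrets() {
  grep -E 'sudo:.*COMMAND=' "$@" | grep -E -e "$SECRET_PATTERN"
}

# Number of leaking records in the constructed sample.
count_leaked_secrets() {
  sample_log | find_leaked_secrets | wc -l | tr -d ' '
}

# Hosts whose records carry leaked material (syslog host field), one per line.
leaking_hosts() {
  sample_log | find_leaked_secrets | awk '{print $4}' | sort -u
}

# Redact key bodies so a copy of the log can be handed around for follow-up
# without propagating the secret any further.
redact_private_keys() {
  sed -E 's/-----BEGIN [A-Z ]*PRIVATE KEY-----.*-----END [A-Z ]*PRIVATE KEY-----/[REDACTED PRIVATE KEY]/g'
}

echo "leaking records: $(count_leaked_secrets)"
echo "affected hosts: $(leaking_hosts | tr '\n' ' ')"
```

Run `find_leaked_secrets /var/log/messages` (or against the central syslog collector, which is where forwarded copies end up) to get the records; any host listed needs its validator key and data bag secret rotated, not just the log line scrubbed, since the material was also visible in the process table at the time.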

@lamont-granquist

Contributor

commented Sep 8, 2015

I can't recall, but I suspect this is also a problem with the validatorless bootstrapping, which copies client.pem up to the node instead of validation.pem.

It would be very good not to tactically patch this but to pull more of dan's bootstrapper code into knife bootstrap. The big shell command is shitty for so many other reasons as well...

@bdangit


commented Oct 3, 2015

👍 any traction on this?

@lamont-granquist

Contributor

commented Oct 4, 2015

It's being worked on internally, no ETA right now. Since we need to support unix and windows bootstraps, we need a transport abstraction over at least winrm and ssh. That already exists in several places (test-kitchen/chef-provisioning) but needs to get extracted out into its own library. Then mixlib-install and that "mixlib-transport" need to be glued together in knife bootstrap (then those mixlibs need to be patched into test-kitchen/chef-provisioning in order to DRY up the code across all the projects). So, it's highish priority, but we're trying to engineer it right.

@jschauma

Author

commented Oct 4, 2015

Possible quick band-aid solution:

Instead of

ssh node "sudo sh -c 'shell script with here-docs'"

use

echo 'shell script with here-docs' | ssh node "sudo sh"

This allows the shell on the remote system to read and execute commands from stdin, without having everything on the command-line. This also has the benefit of only using a single ssh connection (compared to the possibility of creating the script as a file and scp(1)'ing the file to the remote side for execution).

Either way, please do note that this issue does not only affect the validator key, but other materials as well (for example, the 'encrypted_data_bag_secret'). Also note the race condition noted in #3872.
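
The exposure described in the issue body and the stdin-based fix proposed in the comment above, reproduced locally as an added example (not code from the original thread or from Chef). It needs neither ssh nor sudo: the same bootstrap-style script, with a constructed placeholder key embedded as a here-doc, is run once as the argument of `sh -c` and once on stdin, and each run prints what the process table shows for the shell executing it. The `/proc/PID/cmdline` and `ps -o args=` views used to observe the argv are the same data sudo's command logging records.

```shell
#!/bin/sh
# Added example: show why passing the bootstrap script as an argv element
# leaks the embedded key, and why feeding it on stdin does not.
# The key below is a constructed placeholder, not real key material.

FAKE_KEY='-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAdummy0000000000000000000000000000000000000000000000
-----END RSA PRIVATE KEY-----'

# Build a bootstrap-style script the way a template would: the key is written
# out from a here-doc (to /dev/null here; a real bootstrap writes
# /etc/chef/validation.pem). The script then prints what the process table
# shows for the shell running it.
build_bootstrap_script() {
  cat <<EOF
umask 077
cat > /dev/null <<'KEY'
$FAKE_KEY
KEY
if [ -r /proc/\$\$/cmdline ]; then
  tr '\\000' ' ' < /proc/\$\$/cmdline
else
  ps -o args= -p \$\$
fi
EOF
}

# Vulnerable form: the whole script, key included, is one argv element of
# "sh -c". argv is readable by other local users and is what sudo logs.
run_via_argv() {
  sh -c "$(build_bootstrap_script)"
}

# Fixed form from the thread: the script arrives on stdin, argv is just "sh".
run_via_stdin() {
  build_bootstrap_script | sh
}

# Returns 0 if the key header is visible in the process-table view printed by
# the given runner, 1 otherwise.
key_visible_in_cmdline() {
  "$1" | grep -q 'BEGIN RSA PRIVATE KEY'
}

for runner in run_via_argv run_via_stdin; do
  if key_visible_in_cmdline "$runner"; then
    echo "$runner: key visible in process table"
  else
    echo "$runner: key not visible in process table"
  fi
done
```

Over ssh the two shapes are `ssh node "sudo sh -c '...'"` versus `build_bootstrap_script | ssh node "sudo sh"`; with the second, sudo records only `/bin/sh` as the command, since it logs arguments and not stdin. The stdin form does require that sudo not need to prompt on the node (NOPASSWD or a cached credential), because the session has no terminal for the prompt. Note that this only closes the argv/log channel; the key still lands on the node's disk, so the race and the other materials mentioned above remain.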

@lamont-granquist

Contributor

commented Oct 5, 2015

Yeah, we've noted all the other issues with it; that's a large part of why we want to not do any quick fixes, it's already a large enough collection of band-aids.

@jschauma

Author

commented Dec 14, 2015

FYI: MITRE has assigned CVE-2015-8559 for this issue.

@jschauma jschauma changed the title knife bootstrap leaks validator.pem private key into system logs CVE-2015-8559: knife bootstrap leaks validator.pem private key into system logs Dec 14, 2015

@Purple90


commented Oct 11, 2018

Is there any progress on this?
