CVE-2015-8559: knife bootstrap leaks validator.pem private key into system logs #3871
Comments
I can't recall but I suspect this is also a problem with the validatorless bootstrapping as well, which copies client.pem up to the node instead of validation.pem. It would be very good not to tactically patch this but to pull more of dan's bootstrapper code into knife bootstrap. The big shell command is shitty for so many other reasons as well...

It's being worked on internally, no ETA right now. Since we need to support unix and windows bootstraps, we need a transport abstraction over at least winrm and ssh. That already exists in several places (test-kitchen/chef-provisioning) but needs to get extracted out into its own library. Then mixlib-install and that "mixlib-transport" need to be glued together in knife bootstrap (then those mixlibs need to be patched into test-kitchen/chef-provisioning in order to DRY up the code across all the projects). So, it's highish priority, but we're trying to engineer it right.

Possible quick band-aid solution: Instead of ssh node 'sudo sh -c 'shell script with here-docs' use echo 'shell script with here-docs' | ssh node "sudo sh". This allows the shell on the remote system to read and execute commands from stdin, without having everything on the command line. This also has the benefit of only using a single ssh connection (compared to the possibility of creating the script as a file and scp(1)'ing the file to the remote side for execution). Either way, please do note that this issue does not only affect the validator key, but other materials as well (for example, the 'encrypted_data_bag_secret'). Also note the race condition noted in #3872.

Yeah we've noted all the other issues with it, that's a large part of why we want to not do any quick fixes, it's already a large enough collection of band-aids.

FYI: MITRE has assigned CVE-2015-8559 for this issue.

Is there any progress on this?

Any update?

The big portion of this that was ending up in system logs was fixed in Chef 15 by replacing the internal mechanisms for running commands with the train transport library. Rather than running one large heredoc, train allows us to copy a file over and run it. The work was done in #8253 and #8419 primarily. There's still an issue with the

Fixed in #8885. I think we can close it?

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
When you 'knife bootstrap' a node, the validator.pem private RSA key is leaked into the system logs (/var/log/messages).
The reason is that 'knife bootstrap' constructs a shell command to run on the node from a template, filling the private key in as a here-doc (see chef/lib/chef/knife/bootstrap/templates/chef-full.erb, line 193 in 81419cc), and runs it as:
ssh node 'sudo sh -c full-command-goes-here'
As a result, the private key ends up on the command line, in the process table, and, by way of sudo command logging on most reasonable systems, in the system logs. The logs may also be forwarded to other places (possibly in clear text), and possibly stored on other systems, making the private validator key not quite so private any more.
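The leak described in the issue body and the stdin band-aid suggested in the comments, as an added example that is not code from the Chef project: it runs the same here-doc script both ways on the local machine, reports what the process table sees for each, and counts constructed sudo log lines that carry leaked material. It assumes Linux (/proc/<pid>/cmdline) and uses a placeholder key.

```sh
#!/bin/sh
# Added example, not code from the Chef project. Runs the same here-doc script
# the vulnerable way (as one argument of `sh -c`) and the hardened way (fed on
# stdin), reports what the process table sees in each case, and counts sudo
# log lines that carry leaked material. Assumes Linux (/proc/<pid>/cmdline).

# Constructed bootstrap fragment with a placeholder, non-functional key.
SCRIPT='cat > /dev/null <<EOP
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER-NOT-A-REAL-KEY
-----END RSA PRIVATE KEY-----
EOP'

# Appended to the script so the shell running it reports its own argv, i.e.
# what `ps`, auditd or sudo's command logging would record for that process.
SHOW_ARGV='tr "\000" " " < /proc/$$/cmdline'

# Vulnerable style (what the chef-full template did): the whole script,
# key included, is an argument of sh and therefore part of the process table.
run_via_arg() {
  sh -c "$(printf '%s\n%s' "$SCRIPT" "$SHOW_ARGV")"
}

# Hardened style (the band-aid proposed in the thread): the script arrives on
# stdin, so argv is just "sh" and the key never appears on a command line.
run_via_stdin() {
  printf '%s\n%s\n' "$SCRIPT" "$SHOW_ARGV" | sh
}

# Prints how many lines of the observed argv contain PEM material (0 = clean).
argv_leaks_key() {
  "$1" | grep -c 'PRIVATE KEY' || true
}

# Detection side: constructed sudo log lines in the style of /var/log/messages.
# Real lines carry the whole bootstrap script; only the relevant parts are kept.
SAMPLE_LOG='Dec 10 12:00:01 node1 sudo: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/sh -c cat > /etc/chef/validation.pem <<EOP -----BEGIN RSA PRIVATE KEY----- PLACEHOLDER
Dec 10 12:00:02 node1 sudo: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/apt-get update
Dec 10 12:00:03 node1 sudo: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/sh -c cat > /etc/chef/encrypted_data_bag_secret <<EOP PLACEHOLDER'

# Prints the number of logged sudo commands that embed a key or data bag secret.
count_leaked_secrets() {
  printf '%s\n' "$SAMPLE_LOG" |
    grep -c -E 'COMMAND=.*(PRIVATE KEY|encrypted_data_bag_secret)' || true
}
```

Running `argv_leaks_key run_via_arg` shows the PEM lines in the shell's argv, while `argv_leaks_key run_via_stdin` shows none; the same grep used in `count_leaked_secrets` can be pointed at a real syslog to find nodes whose bootstrap already leaked.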