Cobbler restrict Kickstart Directory (Security Issue) #939

Closed
dolevf opened this Issue May 8, 2014 · 17 comments

dolevf commented May 8, 2014

hi,

As discussed on the mailing lists, it makes sense to restrict access to the kickstart directory in cobbler, so local file inclusions other than kickstart files are prohibited.

By specifying the 'Kickstart' value as /etc/passwd or any other crucial system file, local files are exposed by the cobbler web_ui, which is a security vulnerability.

this issue has been opened here after discussion with Jorgen Maas.

Thanks,

Dolev Farhi, F5 Networks Inc

@jmaas jmaas added the security label May 10, 2014

@jmaas jmaas added this to the 2.8.0 milestone May 10, 2014

@jmaas jmaas self-assigned this May 10, 2014

Member

jmaas commented May 23, 2014

Fixed in master, will be in 2.8 release

@jmaas jmaas closed this May 23, 2014

dolevf commented May 24, 2014

Awesome!

Dolev Farhi
On May 23, 2014 11:54 PM, "Jörgen Maas" notifications@github.com wrote:

Fixed in master, will be in 2.8 release

Contributor

opoplawski commented Jul 17, 2014

We have CVE-2014-3225 bugs filed against the cobbler packages in Fedora/EPEL:

https://bugzilla.redhat.com/show_bug.cgi?id=1095846
https://bugzilla.redhat.com/show_bug.cgi?id=1095845

Any chance this could be back-ported to at least 2.6?

@jmaas jmaas reopened this Jul 17, 2014

Member

jmaas commented Jul 17, 2014

Yes, and in my book this warrants new releases in 2.4 and 2.6.
I will get the patches in tomorrow and do the releases.

Member

jmaas commented Jul 17, 2014

@opoplawski are you also maintaining cobbler for EPEL5 ???

Member

jmaas commented Jul 17, 2014

note to self: one of the patches from alanoe broke cobbler-web for snippets/kickstart edits
fix for that is somewhere in master.

@jmaas jmaas added the priority label Jul 17, 2014

jmaas added a commit that referenced this issue Jul 17, 2014

Merge pull request #1070 from jmaas/release24
Fixes for #939 and CVE-2014-3225

jmaas added a commit that referenced this issue Jul 17, 2014

Merge pull request #1071 from jmaas/release26
Fixes for #939 and CVE-2014-3225
Member

jmaas commented Jul 17, 2014

Merged into 2.4 and 2.6, will release tomorrow.

Member

jmaas commented Jul 18, 2014

2.4.6 and 2.6.3 have been released.

@jmaas jmaas closed this Jul 18, 2014

Contributor

opoplawski commented Jul 18, 2014

I appear to be the cobbler maintainer for all Fedora and Fedora EPEL releases.

Member

jmaas commented Jul 19, 2014

So, Jimi granted you all rights on the cobbler packages ??

On Sat, Jul 19, 2014 at 12:52 AM, Orion Poplawski notifications@github.com wrote:

I appear to be the cobbler maintainer for all Fedora and Fedora EPEL releases.


Grtz,
Jörgen Maas

Contributor

opoplawski commented Jul 21, 2014

On 07/18/2014 11:12 PM, Jörgen Maas wrote:

So, Jimi granted you all rights on the cobbler packages ??

No, I've been using my provenpackager powers to maintain it.

Orion Poplawski
Technical Manager, NWRA, Boulder/CoRA Office
3380 Mitchell Lane, Boulder, CO 80301
303-415-9701 x222, FAX: 303-415-9702
orion@nwra.com, http://www.nwra.com

dolevf commented Jul 28, 2014

Hi all,
the problem is still reproducible in version 2.6.3.

@jmaas jmaas reopened this Jul 28, 2014

jmaas added a commit that referenced this issue Jul 29, 2014

Merge pull request #1109 from jmaas/release24
Add strict kickstart check in the API, again should fix #939.

jmaas added a commit that referenced this issue Jul 29, 2014

Merge pull request #1110 from jmaas/release26
Add strict kickstart check in the API, again should fix #939.

@jmaas jmaas closed this in 3881394 Jul 29, 2014

jmaas added a commit that referenced this issue Jul 29, 2014

Merge pull request #1111 from jmaas/master
Add strict kickstart check in the API, again should fix #939.

@jmaas jmaas reopened this Jul 29, 2014

Member

jmaas commented Jul 29, 2014

[root@cobbler cobbler]# cobbler system edit --name=test3 --kickstart=/var/lib/cobbler/kickstarts/default.ks
[root@cobbler cobbler]# cobbler system report --name=test3 | grep ^Kickstart
Kickstart                      : /var/lib/cobbler/kickstarts/default.ks
Kickstart Metadata             : {}
[root@cobbler cobbler]# cobbler system edit --name=test3 --kickstart=/etc/shadow
exception on server: 'Invalid kickstart template file location /etc/shadow, it is not inside /var/lib/cobbler/kickstarts/'
[root@cobbler cobbler]# cobbler system report --name=test3 | grep ^Kickstart
Kickstart                      : /var/lib/cobbler/kickstarts/default.ks
Kickstart Metadata             : {}
[root@cobbler cobbler]# 
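The transcript above shows the strict check rejecting a kickstart path that does not resolve inside /var/lib/cobbler/kickstarts/. The following is an added example, not Cobbler's own code, of how such a containment check can be written in Python so that it also holds up against `..` traversal, symlinks placed inside the directory, and sibling directories that merely share the prefix (the last two go beyond the single case shown in the thread). The function names, the use of a temporary directory in `demo()`, and the files it creates are all constructed for illustration; only the wording of the error message is modelled on the output above.

```python
import os
import tempfile


class InvalidKickstartPath(ValueError):
    """Raised when a kickstart path does not resolve to a file inside the allowed directory."""


def naive_prefix_check(path, base_dir):
    # The kind of check that is NOT enough: a plain string-prefix test.
    # It accepts "../" traversal, symlinks that point outside, and sibling
    # directories that merely share the prefix (e.g. ".../kickstarts-other/").
    return path.startswith(base_dir)


def validate_kickstart_path(path, base_dir):
    """Return the resolved path if it lies inside base_dir, else raise InvalidKickstartPath.

    Both sides go through os.path.realpath so that '..' components and symlinks
    are resolved before the comparison, and os.path.commonpath (not str.startswith)
    is used so that '/x/kickstarts-other' is not treated as being inside '/x/kickstarts'.
    """
    base = os.path.realpath(base_dir)
    real = os.path.realpath(path)
    if os.path.commonpath([base, real]) != base:
        # Wording modelled on the error shown in the thread above.
        raise InvalidKickstartPath(
            "Invalid kickstart template file location %s, it is not inside %s/"
            % (path, base_dir.rstrip("/"))
        )
    return real


def is_allowed(path, base_dir):
    """Boolean wrapper around validate_kickstart_path for easy comparison."""
    try:
        validate_kickstart_path(path, base_dir)
        return True
    except InvalidKickstartPath:
        return False


def demo():
    """Compare the naive and strict checks on constructed inputs.

    Builds a throw-away 'kickstarts' directory with one real template, a file
    outside it standing in for /etc/shadow, and a symlink inside the directory
    pointing at that outside file. Returns {case: (naive_result, strict_result)}.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "kickstarts")
        os.mkdir(base)
        outside = os.path.join(tmp, "shadow")  # constructed stand-in for /etc/shadow
        with open(outside, "w") as f:
            f.write("not-really-a-shadow-file\n")
        with open(os.path.join(base, "default.ks"), "w") as f:
            f.write("# constructed kickstart template\n")
        os.symlink(outside, os.path.join(base, "link.ks"))

        cases = {
            "default":   os.path.join(base, "default.ks"),    # legitimate template
            "traversal": os.path.join(base, "..", "shadow"),  # escapes via '..'
            "symlink":   os.path.join(base, "link.ks"),       # escapes via symlink
            "sibling":   base + "-other/x.ks",                # shares the prefix only
            "absolute":  outside,                             # plain outside path
        }
        return {name: (naive_prefix_check(p, base), is_allowed(p, base))
                for name, p in cases.items()}


if __name__ == "__main__":
    for name, (naive, strict) in demo().items():
        print("%-9s naive=%-5s strict=%s" % (name, naive, strict))
```

Running the block prints one line per case; every case except the legitimate template is accepted by the prefix test and rejected by the resolved-path test. The check must be applied at the API layer (where the value is stored) rather than only in the web UI form, which is the point of the second round of fixes in this thread.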
Member

jmaas commented Jul 29, 2014

Again, backported to 2.4 and 2.6 branches.

Member

jmaas commented Jul 29, 2014

Will do another release soonish. If you could please test the code?

@jmaas jmaas closed this Jul 29, 2014

dolevf commented Jul 29, 2014

Will do.

timcoote commented Apr 28, 2015

The solution described here is just making it into the redhat world, so I'm only just encountering it. Can you point me at the original discussions, as I cannot understand the vulnerability, nor the threats, from the descriptions in the issue thread.

At the same time, the solution appears to introduce an unnecessary privilege escalation, which is a security issue in itself - the kickstart files must now sit in root managed filespace of the cobbler host, leading to wider than necessary write access to those files.
