
Consider referencing GCP metadata service by IP in Ignition/Afterburn #891

Closed
bgilbert opened this issue Jul 7, 2021 · 5 comments

Comments

@bgilbert
Contributor

bgilbert commented Jul 7, 2021

On GCP, both Ignition and Afterburn access the GCE metadata service via the hostname metadata.google.internal without any further authentication of the service, as instructed by official documentation.
An attack that rebinds that hostname can inject arbitrary code (Ignition) or SSH keys (Afterburn). There have been multiple exploits that involve poisoning that hostname via forged DHCP replies and a vulnerable DHCP hook called google_set_hostname. We don't ship that script, but since DNS poisoning in this case leads to trivial instance takeover, we should perhaps consider mitigations.

metadata.google.internal resolves to 169.254.169.254. One option is to just hardcode that IP. It's not clear that Google has documented the address as stable, but it'd probably be hard to change it at this point. Other clouds use the same address.

In the case of Ignition, another potential option is to query the metadata service before a globally routable address has been configured. However, that would require structural changes to Ignition, since merged configs are fetched in the same Ignition stage as the main config. It also wouldn't help Afterburn.

xref #885

@lucab
Contributor

lucab commented Jul 7, 2021

Looking a bit more into GCP related material, the explicit 169.254.169.254 address is already referenced in a few places:

Specifically, a comment in the Go library says this IP address is documented as being stable anyway.

@jlebon jlebon added the meeting topics for meetings label Jul 7, 2021
@jlebon
Member

jlebon commented Jul 7, 2021

We discussed this in the meeting today:

12:51:03 < bgilbert> #agreed we will switch Ignition and Afterburn to contact the GCP metadata
                     service by IP instead of hostname, unless we receive significant information
                     to the contrary by next week
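As an added Go example (not Ignition's or Afterburn's own code), this is the mitigation agreed above: build metadata requests against the pinned 169.254.169.254 address, refuse any other destination at the dialer as defence in depth, and flag resolver answers for metadata.google.internal that differ from the pinned IP. The Metadata-Flavor header and the instance/id path are real GCE metadata service details; the resolver answers fed to the check are constructed.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
)

const metadataIP = "169.254.169.254" // GCE metadata service; other clouds use the same link-local address

// metadataURL uses the pinned IP, not metadata.google.internal, so DNS poisoning cannot redirect it.
func metadataURL(path string) string {
	return "http://" + metadataIP + "/computeMetadata/v1/" + path
}

// pinnedDial refuses any destination but the pinned IP: defence in depth where the hostname is still used.
func pinnedDial(ctx context.Context, network, addr string) (net.Conn, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	if host != metadataIP {
		return nil, fmt.Errorf("refusing metadata connection to %s, expected %s", host, metadataIP)
	}
	return (&net.Dialer{}).DialContext(ctx, network, addr)
}

// unexpectedAnswers flags resolver answers for metadata.google.internal that differ from the pinned IP.
func unexpectedAnswers(answers []net.IP) []string {
	var bad []string
	for _, ip := range answers {
		if !ip.Equal(net.ParseIP(metadataIP)) {
			bad = append(bad, ip.String())
		}
	}
	return bad
}

func main() {
	// Constructed resolver answers: one honest, one poisoned.
	fmt.Println("poisoned answers:", unexpectedAnswers([]net.IP{net.ParseIP(metadataIP), net.ParseIP("10.0.0.5")}))
	client := &http.Client{Transport: &http.Transport{DialContext: pinnedDial}}
	req, _ := http.NewRequest(http.MethodGet, metadataURL("instance/id"), nil)
	req.Header.Set("Metadata-Flavor", "Google") // header the GCE metadata service requires
	if resp, err := client.Do(req); err != nil {
		fmt.Println("metadata request failed (expected off GCE):", err)
	} else {
		resp.Body.Close()
	}
}
```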

@bgilbert
Contributor Author

bgilbert commented Jul 8, 2021

PRs in coreos/ignition#1247 and coreos/afterburn#595.

@bgilbert bgilbert added the status/pending-upstream-release Fixed upstream. Waiting on an upstream component source code release. label Jul 14, 2021
@bgilbert
Contributor Author

Both PRs have merged upstream. Closing this out.

@dustymabe
Member

Those changes landed in Ignition 2.12.0 and Afterburn 5.1.0. Those versions are in the current latest stable.

The fix for this went into stable stream release 35.20211029.3.0.

@dustymabe dustymabe removed the status/pending-upstream-release Fixed upstream. Waiting on an upstream component source code release. label Nov 24, 2021