CVE-2021-43799: Set a secure Erlang cookie.
The RabbitMQ docs state ([1]):
RabbitMQ nodes and CLI tools (e.g. rabbitmqctl) use a cookie to
determine whether they are allowed to communicate with each
other. [...] The cookie is just a string of alphanumeric
characters up to 255 characters in size. It is usually stored in a
local file.
...and goes on to state (emphasis ours):
If the file does not exist, Erlang VM will try to create one with
a randomly generated value when the RabbitMQ server starts
up. Using such generated cookie files are **appropriate in
development environments only.**
The auto-generated cookie does not use cryptographic sources of
randomness, and generates 20 characters of `[A-Z]`. Because of a
semi-predictable seed, the entropy of this password is thus less than
the idealized 26^20 = 94 bits of entropy; in actuality, it is 36 bits
of entropy, or potentially as low as 20 if the performance of the
server is known.
These sizes are well within the scope of remote brute-force attacks.
On provision, install, and upgrade, replace the default insecure
20-character Erlang cookie with a cryptographically secure
255-character string (the max length allowed).
[1] https://www.rabbitmq.com/clustering.html#erlang-cookie
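The commit message above argues that the VM's auto-generated cookie is brute-forceable, and the patch below replaces any cookie file of 20 bytes or fewer. As an added example that is not part of this commit or of RabbitMQ, the following POSIX shell function audits a cookie file instead of blindly replacing it: it flags the auto-generated pattern (exactly 20 uppercase letters), a length below 64 characters (this example's own threshold; the patch's check uses 20), a length over the documented 255-character maximum, non-alphanumeric content, and permission bits that the Erlang VM rejects. The path in the usage comment is the one the patch uses; everything else here is assumed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not code from the commit: audit an Erlang distribution cookie
# file. Exit status 0 means the cookie looks deliberately set and safely stored;
# 1 means it is missing, looks auto-generated, is weak, or is unusable.
set -u

audit_erlang_cookie() {
    file="$1"
    rc=0
    if [ ! -f "$file" ]; then
        echo "$file: missing; the Erlang VM will generate a weak cookie on first start"
        return 1
    fi

    # The Erlang VM refuses to read a cookie file whose group/other permission
    # bits are set; 0400 and 0600 are the usual acceptable modes.
    mode="$(stat -c '%a' "$file" 2>/dev/null)" || mode="$(stat -f '%Lp' "$file")"
    if [ -z "$mode" ] || [ $((0$mode & 077)) -ne 0 ]; then
        echo "$file: mode '$mode' is readable by group/other; use 0400 or 0600"
        rc=1
    fi

    # $(...) drops trailing newlines, so a cookie followed by '\n' is judged on
    # the cookie text itself.
    cookie="$(cat "$file")"
    len=${#cookie}

    # The VM's auto-generated cookie is exactly 20 uppercase letters, which is
    # the low-entropy case the commit message describes.
    if printf '%s' "$cookie" | LC_ALL=C grep -Eq '^[A-Z]{20}$'; then
        echo "$file: $len chars of [A-Z]; looks auto-generated, replace it"
        rc=1
    elif [ "$len" -lt 64 ]; then
        # 64 is this example's own minimum; the patch only rejects <= 20.
        echo "$file: only $len chars; prefer a 255-char cookie from /dev/urandom"
        rc=1
    elif [ "$len" -gt 255 ]; then
        echo "$file: $len chars exceeds the documented 255-char maximum"
        rc=1
    elif ! printf '%s' "$cookie" | LC_ALL=C grep -Eq '^[[:alnum:]]+$'; then
        echo "$file: contains non-alphanumeric characters"
        rc=1
    else
        echo "$file: $len alphanumeric chars, mode $mode: OK"
    fi
    return "$rc"
}

# Usage: audit_erlang_cookie /var/lib/rabbitmq/.erlang.cookie
```

Run it before and after the patch's script: a freshly generated 20-letter cookie fails, and a 255-character alphanumeric cookie stored with mode 0400 or 0600 passes. The permission check matters because a cookie that is strong but world-readable is both rejected by the VM and leaked to every local user.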
Showing 4 changed files with 61 additions and 3 deletions.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| #!/usr/bin/env bash | ||
| # | ||
| # rabbitmq sets an insecure "magic cookie" which is used for auth; | ||
| # reset it to be longer. | ||
| set -eu | ||
|
|
||
| cookiefile=/var/lib/rabbitmq/.erlang.cookie | ||
| # If the RabbitMQ distribution cookie is insecure, reset it | ||
| if [ ! -f "$cookiefile" ] || ! size="$(wc -c "$cookiefile")" || [ "${size%% *}" -le 20 ]; then | ||
| running=0 | ||
| if service rabbitmq-server status >/dev/null; then | ||
| running=1 | ||
| service rabbitmq-server stop | ||
| fi | ||
|
|
||
| echo "Setting a more secure RabbitMQ distribution magic cookie" | ||
| cookie="$(LC_ALL=C tr -dc '[:alnum:]' </dev/urandom | head -c255)" | ||
| [ "${#cookie}" -eq 255 ] # make sure tr wasn’t OOM-killed | ||
| tmpfile="$(mktemp "$cookiefile.XXXXXXXXXX")" | ||
| chown rabbitmq: "$tmpfile" | ||
| printf '%s' "$cookie" >"$tmpfile" | ||
| mv "$tmpfile" "$cookiefile" | ||
|
|
||
| if [ "$running" == "1" ]; then | ||
| service rabbitmq-server start | ||
| fi | ||
| fi |
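Review bot: the trigger condition `[ "${size%% *}" -le 20 ]` judges only the byte count, not the content, so it also fires on a short cookie an operator set deliberately, and the replacement is drawn independently on every host. On a node that already belongs to a cluster, or where CLI tools read a separately stored copy of the cookie, this leaves the node unable to authenticate to its peers; either document that the script is for single-node installs or match the auto-generated pattern (exactly 20 uppercase letters) rather than the length. Note also that `wc -c` counts a trailing newline, so a 20-character cookie saved with a newline reads as 21 bytes and is kept. Minor: `[ "$running" == "1" ]` uses a bash-only `==` inside `[`; `[ "$running" = 1 ]` (or `[[ ... ]]`, since the shebang is bash) is the idiomatic form.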