Bug#1033367: kea-ctrl-agent: Unrestricted default RESTful interface on 127.0.0.1:8000


Paride Legovini

Mar 23, 2023, 2:10:06 PM3/23/23
Package: kea-ctrl-agent
Version: 2.2.0-5
Severity: normal
Tags: security
X-Debbugs-Cc: andreas....@canonical.com, par...@debian.org, Debian Security Team <te...@security.debian.org>

Forwarded from: https://bugs.launchpad.net/ubuntu/+source/isc-kea/+bug/2007312
Originally reported by: Andreas Hasenack <andreas....@canonical.com>
WIP fix: https://code.launchpad.net/~ahasenack/ubuntu/+source/isc-kea/+git/isc-kea/+merge/439352

What follows is a copy-paste of the original bug as reported by Andreas.

---

The kea-ctrl-agent package, when installed, starts a daemon (kea-ctrl-agent) that by default listens on 127.0.0.1:8000. It responds to commands like "shutdown", "config-get", and many others[1][2].

What's problematic is that these commands are accepted without authentication. Anyone on the localhost system can:

a) shutdown a kea daemon:
ubuntu@j-kea:~$ pidof kea-dhcp4
2884
ubuntu@j-kea:~$ curl -X POST -H "Content-Type: application/json" -d '{ "command": "shutdown", "service": [ "dhcp4" ] }' http://localhost:8000/
[ { "result": 0, "text": "Shutting down." } ]ubuntu@j-kea:~$
ubuntu@j-kea:~$ pidof kea-dhcp4
ubuntu@j-kea:~$

b) read the config file (in this example, I made the config file 0640 root:_kea so the ubuntu user cannot read it):
ubuntu@andreas-isc-kea-server:~$ cat /etc/kea/kea-dhcp4.conf
cat: /etc/kea/kea-dhcp4.conf: Permission denied

ubuntu@andreas-isc-kea-server:~$ curl -X POST -H "Content-Type: application/json" -d '{ "command": "config-get", "service": [ "dhcp4" ] }' http://localhost:8000/| grep secret
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4049 100 3998 100 51 134k 1751 --:--:-- --:--:-- --:--:-- 136k
[ { "arguments": { "Dhcp4": { "authoritative": false, "boot-file-name": "", "calculate-tee-times": false, "config-control": { "config-databases": [ { "name": "kea", "password": "keasecret", ....

The same could be done via the unix sockets, but the permissions there are not world writable, so this is avoided:

$ ls -la /tmp/kea*socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:13 /tmp/kea-ddns-ctrl-socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:14 /tmp/kea4-ctrl-socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:13 /tmp/kea6-ctrl-socket

One course of action is to disable listening on 127.0.0.1:8000 via the config file:

/etc/kea/kea-ctrl-agent.conf:
"Control-agent": {
"http-host": "127.0.0.1",
// If enabling HA and multi-threading, the 8000 port is used by the HA
// hook library http listener. When using HA hook library with
// multi-threading to function, make sure the port used by dedicated
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
"http-port": 8000,
(...)

Or maybe set up authentication with a user created in postinst for this purpose, with a random password. The documentation[3], at the end of section 7.2, lists a mechanism to include the username and password from an external file, so we don't have to adjust the permissions of kea-ctrl-agent.conf because of this.

Finally, there is also a question about what to do on upgrades from systems that have this unprotected open port.

1. https://kea.readthedocs.io/en/kea-2.2.0/arm/ctrl-channel.html#commands-supported-by-both-the-dhcpv4-and-dhcpv6-servers
2. https://kea.readthedocs.io/en/kea-2.2.0/arm/ctrl-channel.html#commands-supported-by-the-d2-server
3. https://kea.readthedocs.io/en/kea-2.2.0/arm/agent.html#configuration
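Added example, not part of the bug report or of the Kea project: a small local audit check that sends a harmless read-only command ("version-get", with no credentials) to the control agent's default endpoint and classifies the answer, so an administrator can verify whether the fix (disabling the listener or enabling basic authentication) is actually in effect. The endpoint URL, the timeout and the verdict strings are assumptions made for this example.

```python
"""Audit check for the Kea Control Agent default listener (127.0.0.1:8000).
Example code written for this bug report, not Kea's own tooling."""
import json
import urllib.error
import urllib.request

CA_URL = "http://127.0.0.1:8000/"  # default listener from the bug report (assumed)


def classify(status, body):
    """Map an HTTP status and response body to an audit verdict.

    status: HTTP status code, or None if the connection was refused.
    body:   raw response bytes (may be empty).
    """
    if status is None:
        return "not-listening"            # port closed: listener disabled
    if status == 401:
        return "auth-required"            # CA demanded credentials: hardened
    if status != 200:
        return f"unexpected-http-{status}"
    try:
        replies = json.loads(body.decode())
    except (ValueError, UnicodeDecodeError):
        return "unexpected-body"
    # The CA answers with a list of {"result": N, ...} objects, one per
    # service the command was routed to. Any such reply means the command
    # was processed without authentication, whatever N is.
    if isinstance(replies, list) and replies and all(
        isinstance(r, dict) and "result" in r for r in replies
    ):
        return "unauthenticated-command-accepted"
    return "unexpected-body"


def probe(url=CA_URL, timeout=3.0):
    """POST a read-only command with no credentials and return the verdict."""
    payload = json.dumps({"command": "version-get"}).encode()
    req = urllib.request.Request(
        url, data=payload, method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read())
    except (urllib.error.URLError, OSError):
        return classify(None, b"")


if __name__ == "__main__":
    print(probe())
```

A verdict of "unauthenticated-command-accepted" reproduces the condition described in the report; "auth-required" or "not-listening" indicates one of the two proposed mitigations is in place.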