Security: Potential exposure of CA key under puppetserver


Eric Sorenson

Sep 30, 2015, 12:47:57 AM
to puppet...@googlegroups.com
We've identified and are fixing a condition in puppet where the auto-generated
CA private key is created with too-lenient permissions. We feel the exposure is
pretty limited (it would require a local user account on the CA system, to
discover and copy/modify the CA key before additional puppet commands run) but
will be releasing patched versions which do not have the problem. I wanted to
post this publicly so users could evaluate their own site and remediate if
necessary, in advance of an upstream software release.

You could be affected if:
- you used puppet server or puppet master to automatically generate a CA
keypair and certificate and have NEVER restarted the process
- you never subsequently ran a puppet agent, cert, or other subcommands
which use the certificate subsystem, on the host with the CA keypair.

You will not be affected if:
- you run Puppet Enterprise to initialize your CA
- you have ever run 'puppet agent' or other 'puppet cert' commands as root on the host with the keypair.
- you have ever restarted your puppet master/puppet server process. Ever. Really.

The immediate fix is to either:
- run `puppet agent` as root on the server which has the CA key
- as root, `chmod 660 $(puppet master --configprint cadir)/ca_key.pem`

A huge thank you/merci to Francois Lafont for reporting this issue.

For more details, see https://tickets.puppetlabs.com/browse/PUP-5274

Eric Sorenson - eric.s...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

Trevor Vaughan

Sep 30, 2015, 9:34:24 AM
to puppet...@googlegroups.com
Hi Eric,

Will a CVE be issued for this?

Thanks,

Trevor
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699

-- This account not approved for unencrypted proprietary information --

Michael Stahnke

Sep 30, 2015, 12:23:27 PM
to puppet...@googlegroups.com
On Wed, Sep 30, 2015 at 6:34 AM, Trevor Vaughan <tvau...@onyxpoint.com> wrote:
Hi Eric,

Will a CVE be issued for this?

Yes 


Eric Sorenson

Sep 30, 2015, 7:32:00 PM
to Puppet Users
A couple of updates:

- Yes, a CVE will be issued.

- The remediation steps below are a little wonky, and my subject line is inaccurate. The same exposure happens for CA keys generated by running a webrick 'puppet master', or passenger-based packages, or by puppet server. By far the simplest thing is to make sure your privatekeydir ($ssldir/private_keys) and CA private keys ($ssldir/ca/ca_key.pem) are "chmod o-rwx" rather than running the 'puppet cert' or 'agent' commands as I said below.

- In addition to the CA key being exposed, if you used puppetserver to generate your _host_ key on the CA, that key and the 'privatekeydir' directory will have too-lenient permissions.

--eric0
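Below is an added audit/remediation script covering both the original remediation steps and the corrected advice in the follow-up (strip all "other" bits from ca_key.pem, the privatekeydir and the host key inside it). It is example code written for this page, not Puppet's own tooling. It asks `puppet master --configprint` for the real paths when puppet is installed; the fallback paths and the PUPPET_CADIR / PUPPET_PRIVATEKEYDIR environment variables are assumptions for this example, so override them if your ssldir differs.

```shell
#!/bin/sh
# Audit (and optionally fix) permissions on the Puppet CA private key, the
# privatekeydir, and the host keys in it. Added example, not Puppet's own code.

# Resolve a puppet setting. Uses `puppet master --configprint` when puppet is
# on PATH; otherwise falls back to the value given as $2 (assumed defaults).
puppet_path() {
  if command -v puppet >/dev/null 2>&1; then
    puppet master --configprint "$1" 2>/dev/null || printf '%s\n' "$2"
  else
    printf '%s\n' "$2"
  fi
}

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 if "other" has any of r/w/x on the path, 1 if "other" has nothing.
# The "other" bits are the last octal digit of the mode string.
world_accessible() {
  m=$(mode_of "$1")
  o=${m#"${m%?}"}
  [ "$o" != 0 ]
}

# Report each path. Returns 0 if every existing path is locked down, 1 if any
# grants access to "other". Missing paths are reported but not counted.
audit_paths() {
  rc=0
  for p in "$@"; do
    if [ ! -e "$p" ]; then
      echo "missing: $p (not generated yet, or a different ssldir)"
      continue
    fi
    if world_accessible "$p"; then
      echo "EXPOSED: $p mode $(mode_of "$p") is readable by 'other'"
      rc=1
    else
      echo "ok:      $p mode $(mode_of "$p")"
    fi
  done
  return $rc
}

# Remediation from the follow-up post: chmod o-rwx on every given path.
fix_paths() {
  for p in "$@"; do
    if [ -e "$p" ]; then
      chmod o-rwx "$p"
    fi
  done
}

# Assumed fallback locations for a Puppet 4 era install; override via env.
CADIR=$(puppet_path cadir "${PUPPET_CADIR:-/etc/puppetlabs/puppet/ssl/ca}")
PRIVDIR=$(puppet_path privatekeydir \
  "${PUPPET_PRIVATEKEYDIR:-/etc/puppetlabs/puppet/ssl/private_keys}")
CA_KEY="$CADIR/ca_key.pem"

# Run as root on the CA host: `sh audit-ca-key.sh --audit` or `--fix`.
case "${1:-}" in
  --audit) audit_paths "$CA_KEY" "$PRIVDIR" "$PRIVDIR"/*.pem ;;
  --fix)   fix_paths "$CA_KEY" "$PRIVDIR" "$PRIVDIR"/*.pem
           audit_paths "$CA_KEY" "$PRIVDIR" "$PRIVDIR"/*.pem ;;
esac
```

The audit deliberately checks only the "other" bits, because that is the exposure the thread describes (a local, unprivileged user reading or replacing the key); it does not second-guess the owner/group, which differ between the webrick, passenger and puppetserver packagings mentioned above.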