exploit the possibilities

Ganeti Insecure Archive Permission

Ganeti Insecure Archive Permission
Posted Aug 13, 2014
Authored by Open Source CERT, Guido Trotter, Helga Velroyen

Ganeti versions 2.10.0 through 2.10.6 and 2.11.0 through 2.11.4 suffer from an insecure file permission vulnerability that leads to sensitive information disclosure.

tags | advisory, info disclosure
MD5 | ee9d1bce9cd141e0b60cd6046fc494c6

Ganeti Insecure Archive Permission

Change Mirror Download

#2014-006 Ganeti insecure archive permission

Description:

Ganeti, an open source virtualisation manager, suffers from an insecure file
permission vulnerability that leads to sensitive information disclosure.

The Ganeti upgrade command 'gnt-cluster upgrade' creates an archive of the
current configuration of the cluster (e.g. the contents of
'/var/lib/ganeti'). The archive is named following the pattern ganet*.tar
and is written to '/var/lib/'. Such archives are written with too lax
permissions that make it possible to access them as unprivileged user.

The configuration archive contains sensitive information, including SSL keys
for the inter-node RPC communication as well as the credentials for the
remote API (RAPI). Such information can be used to control various operations
of the cluster, including shutting down and removing instances and nodes from
the cluster, or assuming the identity of the cluster in a MITM attack.

This vulnerability only affects Ganeti clusters meeting the following
criterias:

* The cluster is running Ganeti version 2.10.0 or higher.
* The upgrade command was run, for example when upgrading from 2.10 to
2.11.
* Unprivileged users have access to the host machines and in particular
to the cluster master.

In the fixed releases the upgrade command sets the permissions of the
archives properly. However, in case previous versions have created an unsafe
archive already, the following mitigations are advised:

* Remove the access to the archive for unprivileged users (for example
by running 'chmod 400 /var/lib/ganeti*.tar').
* Renew the SSL keys by running 'gnt-cluster renew-crypto'. You may need
to pass the --new-cluster-certificate, --new-confd-hmac-key,
--new-rapi-certificate, --new-spice-certificate and
--new-cluster-domain-secret flags.
* Renew the RAPI credentials by editing the '/var/lib/ganeti/rapi_users'
file. Note that this will need to be updated in any out-of-the-cluster
RAPI client.
* Look for any other information regarded as secret in '/var/lib/ganeti'
and change it. For example VNC and SPICE passwords are not by default
kept there, but could, if Ganeti is so configured.

Affected version:

Ganeti >= 2.10.0, <= 2.10.6

Ganeti >= 2.11.0, <= 2.11.4

Fixed version:

Ganeti >= 2.10.7

Ganeti >= 2.11.5

Credit: vulnerability report, PoC received from Ganeti authors Helga Velroyen
<helgav AT google.com> and Guido Trotter <ultrotter AT google.com>,
patch created by Apollon Oikonomopoulos.

CVE: N/A

Timeline:

2014-08-07: vulnerability report received
2014-08-07: disclosure coordinated on 2014-08-12
2014-08-08: contacted affected vendors
2014-08-12: advisory release

References:
http://git.ganeti.org/?p=ganeti.git;a=commit;h=a89f62e2db9ccf715d64d1a6322474b54d2d9ae0

Permalink:
http://www.ocert.org/advisories/ocert-2014-006.html

--
Andrea Barisani | Founder & Project Coordinator
oCERT | OSS Computer Security Incident Response Team

<lcars@ocert.org> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    5 Files
  • 21
    Apr 21st
    1 Files
  • 22
    Apr 22nd
    10 Files
  • 23
    Apr 23rd
    22 Files
  • 24
    Apr 24th
    11 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close