#2014-006 Ganeti insecure archive permission Description: Ganeti, an open source virtualisation manager, suffers from an insecure file permission vulnerability that leads to sensitive information disclosure. The Ganeti upgrade command 'gnt-cluster upgrade' creates an archive of the current configuration of the cluster (e.g. the contents of '/var/lib/ganeti'). The archive is named following the pattern ganet*.tar and is written to '/var/lib/'. Such archives are written with too lax permissions that make it possible to access them as unprivileged user. The configuration archive contains sensitive information, including SSL keys for the inter-node RPC communication as well as the credentials for the remote API (RAPI). Such information can be used to control various operations of the cluster, including shutting down and removing instances and nodes from the cluster, or assuming the identity of the cluster in a MITM attack. This vulnerability only affects Ganeti clusters meeting the following criterias: * The cluster is running Ganeti version 2.10.0 or higher. * The upgrade command was run, for example when upgrading from 2.10 to 2.11. * Unprivileged users have access to the host machines and in particular to the cluster master. In the fixed releases the upgrade command sets the permissions of the archives properly. However, in case previous versions have created an unsafe archive already, the following mitigations are advised: * Remove the access to the archive for unprivileged users (for example by running 'chmod 400 /var/lib/ganeti*.tar'). * Renew the SSL keys by running 'gnt-cluster renew-crypto'. You may need to pass the --new-cluster-certificate, --new-confd-hmac-key, --new-rapi-certificate, --new-spice-certificate and --new-cluster-domain-secret flags. * Renew the RAPI credentials by editing the '/var/lib/ganeti/rapi_users' file. Note that this will need to be updated in any out-of-the-cluster RAPI client. * Look for any other information regarded as secret in '/var/lib/ganeti' and change it. For example VNC and SPICE passwords are not by default kept there, but could, if Ganeti is so configured. Affected version: Ganeti >= 2.10.0, <= 2.10.6 Ganeti >= 2.11.0, <= 2.11.4 Fixed version: Ganeti >= 2.10.7 Ganeti >= 2.11.5 Credit: vulnerability report, PoC received from Ganeti authors Helga Velroyen and Guido Trotter , patch created by Apollon Oikonomopoulos. CVE: N/A Timeline: 2014-08-07: vulnerability report received 2014-08-07: disclosure coordinated on 2014-08-12 2014-08-08: contacted affected vendors 2014-08-12: advisory release References: http://git.ganeti.org/?p=ganeti.git;a=commit;h=a89f62e2db9ccf715d64d1a6322474b54d2d9ae0 Permalink: http://www.ocert.org/advisories/ocert-2014-006.html -- Andrea Barisani | Founder & Project Coordinator oCERT | OSS Computer Security Incident Response Team http://www.ocert.org 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E "Pluralitas non est ponenda sine necessitate"