(encrypted) root passwords are world readable
This is related to #39.
Essentially I do ask for the same feature, but I believe it is not a feature request, but a major security issue.
Right now anyone can download the external nodes YAML without any limitation. For a really basic setup (that doesn't even use external nodes) it looks like this:
foreman_env: &id001 production
owner_name: Admin User
As you can see this makes the hash of the root password world readable.
The access to the external nodes script should be limited.
Maybe simply by checking the remote ip address against an array of configured addresses. We definitely need to set the default to no access.
We did move the password hashes from /etc/passwd to /etc/shadow in the early nineties by intent: they should not be world-readable.
fixes #2069 - use a random salt when saving the root password
CVE-2013-0173: insecure fixed salt "foreman" for passwords
CVE-2013-0171: report and fact importers parse YAML directly from the remote
host without authentication. Untrusted YAML can instantiate objects and be
used to exploit Foreman.
CVE-2013-0174: external nodes (ENC) output is available to any source and
could contain sensitive information, e.g. root password.
The restrict_registered_puppetmasters setting (default: on) now only permits
access to the three routes if the remote host has a smart proxy registered
with the Puppet feature.
The require_ssl_puppetmasters setting (default: on) requires a client SSL
certificate on HTTPS requests. The CN is checked against known smart proxies
as above. :require_ssl in settings.yaml is recommended to disable HTTP.
Ensure ENC (node.rb) and report (foreman.rb) scripts are updated to supply
client SSL certificates.
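
The access rule this commit message describes, sketched as an added Ruby example; it is not Foreman's code and not part of the original page. The struct names, the `client_verify`/`client_dn` fields, the hostnames and the order of the checks are assumptions made for illustration; only the two setting names and their defaults come from the text above.

```ruby
# Added illustration, not Foreman's code: every name here is hypothetical.
require "openssl"

SmartProxy = Struct.new(:hostname, :features)
# remote_host: name the web server resolved for the peer address (assumed input)
# client_verify / client_dn: what the TLS terminator reports for the client cert
Request = Struct.new(:remote_host, :https, :client_verify, :client_dn,
                     keyword_init: true)

# Setting names and defaults as given in the commit message (both on).
DEFAULTS = { restrict_registered_puppetmasters: true,
             require_ssl_puppetmasters: true }.freeze

# Constructed sample inventory: only puppet01 carries the Puppet feature.
PROXIES = [
  SmartProxy.new("puppet01.example.com", %w[Puppet TFTP]),
  SmartProxy.new("dns01.example.com", %w[DNS])
].freeze

# Extract the CN from an OpenSSL-style subject such as "/O=Example/CN=host".
def subject_cn(dn)
  entry = OpenSSL::X509::Name.parse(dn.to_s).to_a
                             .find { |key, _val, _type| key == "CN" }
  entry && entry[1].downcase
rescue OpenSSL::X509::NameError, TypeError, ArgumentError
  nil
end

# Returns :allow, :allow_unrestricted, or a symbol naming the deny reason.
def enc_access(req, proxies = PROXIES, settings = DEFAULTS)
  # Restriction switched off: anyone may fetch ENC output.
  return :allow_unrestricted unless settings[:restrict_registered_puppetmasters]

  puppet_hosts = proxies.select { |p| p.features.include?("Puppet") }
                        .map { |p| p.hostname.downcase }
  identity =
    if req.https && req.client_verify == "SUCCESS"
      subject_cn(req.client_dn)        # verified certificate: use its CN
    elsif req.https && settings[:require_ssl_puppetmasters]
      return :deny_no_client_cert      # HTTPS without a valid client cert
    else
      req.remote_host.to_s.downcase    # plain HTTP: only the host name is known
    end
  puppet_hosts.include?(identity) ? :allow : :deny_not_puppet_proxy
end
```

In this sketch a plain-HTTP request is judged only by the connecting host's name, which is the case the commit message addresses by recommending :require_ssl to disable HTTP.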
refs #2069 - enable auth by default
Without authentication, sensitive information and power is available to all,
so improve security out of the box.
#1 Updated by Sam Kottler almost 6 years ago
- Category changed from External Nodes to Security
- Assignee deleted (
- Priority changed from High to Normal
I agree this would be a nice to have, but it's not a security risk if you're ensuring that your systems don't use MD5 (and maybe not SHA-1). Even using SHA-1 is relatively safe, though, because a lot of effort is required to break it. If you use a 6 character password (too short IMO) there are 6.236738252 × 10³⁵ permutations; it would take roughly 8.909626074×10²⁶ CPU years to crack it at 700,000,000 tries a second.
Also, this can be mitigated easily with iptables/firewalld/SG's. Ohad Levy - what do you think?
#2 Updated by Greg Sutcliffe almost 6 years ago
Personally I mitigate this by blocking root access via SSH+password as part of my initial puppet run (which I do during the installer).
However, it is something we should fix at some point. Perhaps we should add a Setting (default to Off) which is an array of IPs which are allowed to receive externalnodes?
#4 Updated by Andreas Rogge almost 6 years ago
I see two issues here:
1. The default configuration is insecure
All products should be shipped with secure defaults. This is not the case with foreman currently.
I also don't think that recent hashing algorithms work around the problem sufficiently, because by default foreman ships with a well known default password hash.
Whatever you say: this is not what I'd call secure by default.
2. There is no simple/obvious way to deny access to the YML
I googled the topic and there was no documentation available on how to limit access.
Also I haven't found a simple way to deny access. The information is available through at least two different URLs, so URL pattern matching is probably not sufficient - I cannot be sure there isn't another URL I need to block.
Even if we choose to ship insecure by default, there should be a simple way to make this part of the system more secure.
#5 Updated by Dominic Cleal almost 6 years ago
- Priority changed from Normal to High
- Target version set to 1.1
- Difficulty changed from easy to medium
Proposal above of limiting access to smart proxy hosts by default has been posted here and in #2121:
In addition, we're looking to verify the SSL certs to ensure it's just the puppet process on the system that has access.
#7 Updated by Dominic Cleal almost 6 years ago
- Status changed from Assigned to Ready For Testing
Some PRs submitted:
https://github.com/theforeman/foreman/pull/372 fixes password hashing (CVE-2013-0173)
https://github.com/theforeman/foreman/pull/373 restricts access to the ENC interface (CVE-2013-0174)
https://github.com/theforeman/puppet-foreman/pull/34 to support restricted access and enable login by default
I'd like to go further in restricting the viewing of hashes to authenticated users too, obfuscating them in ENC, host edit, settings and template previews, but that work isn't complete.
#11 Updated by Dominic Cleal almost 6 years ago
For users updating and hitting this change, please see the following documentation:
We appreciate it's a difficult change, but it is necessary to improve the security of the application. If you have problems, do check the troubleshooting text in the manual, and do contact one of the Support channels.