
Bug 519730 (CVE-2014-5247)

Summary: <app-emulation/ganeti-2.11.6-r2: insecure archive permission (CVE-2014-5247)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: chutzpah, pinkbyte, virtualization
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2014/08/12/1
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-08-12 14:20:39 UTC
From ${URL} :

Description:

Ganeti, an open source virtualisation manager, suffers from an insecure file
permission vulnerability that leads to sensitive information disclosure.

The Ganeti upgrade command 'gnt-cluster upgrade' creates an archive of the
current configuration of the cluster (e.g. the contents of
'/var/lib/ganeti').  The archive is named following the pattern ganet*.tar
and is written to '/var/lib/'. Such archives are written with too lax
permissions that make it possible to access them as an unprivileged user.

The configuration archive contains sensitive information, including SSL keys
for the inter-node RPC communication as well as the credentials for the
remote API (RAPI). Such information can be used to control various operations
of the cluster, including shutting down and removing instances and nodes from
the cluster, or assuming the identity of the cluster in a MITM attack.

This vulnerability only affects Ganeti clusters meeting the following
criteria:

  * The cluster is running Ganeti version 2.10.0 or higher.
  * The upgrade command was run, for example when upgrading from 2.10 to
    2.11.
  * Unprivileged users have access to the host machines and in particular
    to the cluster master.

In the fixed releases the upgrade command sets the permissions of the
archives properly. However, in case previous versions have created an unsafe
archive already, the following mitigations are advised:

  * Remove the access to the archive for unprivileged users (for example
    by running 'chmod 400 /var/lib/ganeti*.tar').
  * Renew the SSL keys by running 'gnt-cluster renew-crypto'. You may need
    to pass the --new-cluster-certificate, --new-confd-hmac-key,
    --new-rapi-certificate, --new-spice-certificate and
    --new-cluster-domain-secret flags.
  * Renew the RAPI credentials by editing the '/var/lib/ganeti/rapi_users'
    file. Note that this will need to be updated in any out-of-the-cluster
    RAPI client.
  * Look for any other information regarded as secret in '/var/lib/ganeti'
    and change it. For example VNC and SPICE passwords are not by default
    kept there, but could, if Ganeti is so configured.

Affected version:

Ganeti >= 2.10.0, <= 2.10.6

Ganeti >= 2.11.0, <= 2.11.4

Fixed version:

Ganeti >= 2.10.7

Ganeti >= 2.11.5

Credit: vulnerability report, PoC received from Ganeti authors Helga Velroyen
       <helgav AT google.com> and Guido Trotter <ultrotter AT google.com>,
       patch created by Apollon Oikonomopoulos.

CVE: N/A

Timeline:

2014-08-07: vulnerability report received
2014-08-07: disclosure coordinated on 2014-08-12
2014-08-08: contacted affected vendors
2014-08-12: advisory release

References:
http://git.ganeti.org/?p=ganeti.git;a=commit;h=a89f62e2db9ccf715d64d1a6322474b54d2d9ae0

Permalink:
http://www.ocert.org/advisories/ocert-2014-006.html
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
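The first mitigation in the advisory above, as an audit script added here (not code from the advisory, oCERT or the Ganeti project): it scans a directory for archives matching the advisory's ganet*.tar pattern, reports any whose mode grants group or other access, and tightens them to 0400. The directory is a parameter so the check can run against a constructed sample tree; on a real master node it would be '/var/lib'.

```python
import glob
import os
import stat
import tempfile

ARCHIVE_GLOB = "ganet*.tar"          # naming pattern stated in the advisory
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def find_exposed_archives(directory):
    """Return [(path, mode)] for ganet*.tar regular files that group/other can reach."""
    exposed = []
    for path in sorted(glob.glob(os.path.join(directory, ARCHIVE_GLOB))):
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):   # skip symlinks and anything odd
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & GROUP_OR_OTHER:
            exposed.append((path, mode))
    return exposed


def restrict_archives(directory):
    """Apply the advisory's 'chmod 400' to every exposed archive; return the paths fixed."""
    fixed = []
    for path, _mode in find_exposed_archives(directory):
        os.chmod(path, 0o400)
        fixed.append(path)
    return fixed


def demo():
    """Constructed sample directory: one lax archive, one already safe, one non-matching file."""
    d = tempfile.mkdtemp()
    samples = (("ganeti-2.10-archive.tar", 0o644),   # exposed: world-readable
               ("ganeti-old.tar", 0o400),            # already restricted
               ("other.tar", 0o644))                 # does not match ganet*.tar
    for name, mode in samples:
        p = os.path.join(d, name)
        open(p, "w").close()
        os.chmod(p, mode)
    before = [os.path.basename(p) for p, _ in find_exposed_archives(d)]
    fixed = [os.path.basename(p) for p in restrict_archives(d)]
    after = find_exposed_archives(d)        # expected to be empty once fixed
    return before, fixed, after


if __name__ == "__main__":
    print(demo())
```

Tightening the mode only closes further reads; per the advisory, keys and RAPI credentials that may already have been read still need to be renewed.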
Comment 1 Sergey Popov gentoo-dev 2016-02-15 08:22:21 UTC
2.11.6-r2 has been in the tree for a long time, we should stabilize it
Comment 2 Sergey Popov gentoo-dev 2016-02-15 18:32:01 UTC
2.11.6-r2 stabilized, vulnerable versions are masked

GLSA vote: No

@maintainers: please clean up vulnerable versions