Bug 1202972 (CVE-2014-8174)

Summary: CVE-2014-8174 eDeploy enovance: use of HTTP to download sensitive files
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: jrusnack, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-17 23:28:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1152549

Description Kurt Seifried 2015-03-17 19:57:07 UTC
Kurt Seifried of Red Hat reports:

edeploy uses HTTP to download a large number of sensitive files which can lead to code execution:


./ansible/edeploy-install.yml:      value=http://{{ ansible_default_ipv4["address"] }}/
./build/base.install:            echo "Acquire { Retries \"0\"; HTTP { Proxy \"http://${HTTP_PROXY}\"; }; };" >> "$target/etc/apt/apt.conf.d/01proxy"
./build/base.install:            curl -o ${target}/tmp/tar.deb http://ftp.debian.org/debian/pool/main/t/tar/tar_1.27.1-1~bpo70+1_${ARCH:=amd64}.deb
./build/base.install:            echo "deb http://security.ubuntu.com/ubuntu $dist-security main universe multiverse" >> ${target}/etc/apt/sources.list
./build/base.install:            echo "deb http://security.debian.org/ $dist/updates main" >  ${target}/etc/apt/sources.list.d/updates.list
./build/base.install:            wget -O - http://hwraid.le-vert.net/debian/hwraid.le-vert.net.gpg.key | do_chroot $target apt-key add -
./build/base.install:            echo "deb http://hwraid.le-vert.net/debian ${dist} main" > $target/etc/apt/sources.list.d/hwraid.list
./build/base.install:            wget -O - http://hwraid.le-vert.net/ubuntu/hwraid.le-vert.net.gpg.key | do_chroot $target apt-key add -
./build/base.install:            echo "deb http://hwraid.le-vert.net/ubuntu precise main" > $target/etc/apt/sources.list.d/hwraid.list
./build/base.install:            wget -O - http://hwraid.le-vert.net/ubuntu/hwraid.le-vert.net.gpg.key | do_chroot $target apt-key add -
./build/base.install:            echo "deb http://hwraid.le-vert.net/ubuntu ${dist} main" > $target/etc/apt/sources.list.d/hwraid.list
./build/base.install:            wget --no-verbose http://downloads.linux.hp.com/SDR/downloads/MCP/pool/non-free/$package_name -O $target/../../$package_name
./build/base.install:                http://downloads.linux.hp.com/SDR/downloads/ServicePackforProLiant/2013.02.0/hp/swpackages/hpacucli-9.40-12.0.x86_64.rpm
./build/base.install:        do_chroot $dir rpm --import http://downloads.linux.hp.com/SDR/hpPublicKey1024.pub
./build/base.install:        do_chroot $dir rpm --import http://downloads.linux.hp.com/SDR/hpPublicKey2048.pub
./build/base.install:baseurl=http://downloads.linux.hp.com/repo/spp/rhel/$CODENAME_MAJOR.$CODENAME_MINOR/x86_64/current
./build/common:                    wget --no-verbose http://us.archive.ubuntu.com/ubuntu/ubuntu/pool/universe/libm/libmlx4/$LIBMLX
./build/health-check.install:        PACKAGES="$PACKAGES numpy http://pkgs.repoforge.org/netperf/netperf-2.6.0-1.el6.rf.x86_64.rpm"
./build/health-check.install:            PACKAGES="$PACKAGES python-psutil http://pkgs.repoforge.org/fio/fio-2.1.7-1.el6.rf.x86_64.rpm http://pkgs.repoforge.org/lshw/lshw-2.17-1.el6.rf.x86_64.rpm"
./build/health-check.install:            PACKAGES="$PACKAGES http://pkgs.repoforge.org/fio/fio-2.1.7-1.el7.rf.x86_64.rpm http://pkgs.repoforge.org/lshw/lshw-2.17-1.el7.rf.x86_64.rpm"
./build/init:    curl -s -S -o/configure -F section=${SECTION} -F file=@/hw.json http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload.py &
./build/init:        give_up "Curl exited as failed ($RET_CODE). Cannot get a configuration from http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload.py'"
./build/init:            log "Transferring files from http://${HSERV}:${HSERV_PORT}/${HPATH}/${VERS}/${ROLE}-${VERS}.edeploy..."
./build/init:            curl -s -S http://${HSERV}:${HSERV_PORT}/${HPATH}/${VERS}/${ROLE}-${VERS}.edeploy | gzip -d | tar x --xattrs --selinux -C $d || give_up "Unable to download http://${HSERV}:${HSERV_PORT}/${HPATH}/${VERS}/${ROLE}-${VERS}.edeploy"
./build/init.common:         curl http://169.254.169.254/2009-04-04/user-data -fso /user-data -m 5 --retry 10 --retry-delay 2
./build/init.common:        curl -s -S -o/log.stats -F section=${SECTION} -F file=@/${log_file} http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload.py || :
./build/init.common:            curl -s -S -F section=${SECTION} -F failure=$PROFILE -F file=@/hw.json http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload.py
./build/init.health:curl -s -S $SESSION_CURL -F file=@/health.json http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload-health.py &
./build/init.health:    log "Curl exited as failed ($RET_CODE). Cannot get a configuration from http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload-health.py'"
./build/pxe.install:            PACKAGES="$PACKAGES http://pkgs.repoforge.org/lshw/lshw-2.17-1.el6.rf.x86_64.rpm"
./build/repositories:            echo "http://http.debian.net/debian"
./build/repositories:            echo "http://archive.ubuntu.com/ubuntu"
./build/repositories:                    echo "http://mirror.centos.org/centos/6.5/os/x86_64/Packages/centos-release-6-5.el6.centos.11.1.x86_64.rpm"
./build/repositories:                    echo "http://mirror.centos.org/centos/7/os/x86_64/Packages/centos-release-7-0.1406.el7.centos.2.3.x86_64.rpm"
./build/repositories:            wget "http://dev.centos.org/centos/6/SCL/scl.repo" -O $dir/etc/yum.repos.d/scl.repo
Binary file ./build/sources/lshw matches
./server/edeploy.conf:PXEMNGRURL=http://192.168.122.1:8000/
./server/upload-health.py:$ curl -i -F name=test -F file=@/tmp/hw.lst http://localhost/cgi-bin/upload.py
./server/upload.py:$ curl -i -F name=test -F file=@/tmp/hw.lst http://localhost/cgi-bin/upload.py
./setup.cfg:home-page = http://www.enovance.com/
./src/sample_dmesg: Command line: BOOT_IMAGE=vmlinuz initrd=http://10.101.14.14/health.pxe DEBUG=1 SERV=10.101.14.14 HSERV=10.101.14.14 UPLOAD_LOG=1 IP=all:dhcp SESSION=smoke NONETWORKTEST=1 ONSUCCESS=console ONFAILURE=console |pci=bfsort|
./src/sample_dmesg: Kernel command line: BOOT_IMAGE=vmlinuz initrd=http://10.101.14.14/health.pxe DEBUG=1 SERV=10.101.14.14 HSERV=10.101.14.14 UPLOAD_LOG=1 IP=all:dhcp SESSION=smoke NONETWORKTEST=1 ONSUCCESS=console ONFAILURE=console |pci=bfsort|
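
The grep output above shows two distinct risks: plain http:// fetches whose bytes go straight into a trust or execution sink (apt-key add, rpm --import, the root image piped into tar x), and http:// package and repository sources. The following shell is an added example, not edeploy's own code, and does two things: scan_insecure_fetches classifies build-script lines by whether the fetched bytes reach such a sink on the same line, and fetch_verified shows the hardened replacement for "curl http://... | tar x" (HTTPS only, download to a temp file, compare against a pinned SHA-256, and only then hand the file on). The sample lines, the example.net and example.com hosts and the digests are constructed for illustration; some sample lines are adapted from the grep output above.

```shell
#!/bin/sh
# Added example, not part of edeploy. Hostnames, digests and the sample
# lines below are constructed for illustration.
set -u

# Constructed sample of build-script lines, loosely adapted from the report.
SAMPLE_LINES='wget -O - http://hwraid.example.net/debian/key.gpg | do_chroot $target apt-key add -
curl -s -S http://${HSERV}:${HSERV_PORT}/${HPATH}/${VERS}/${ROLE}-${VERS}.edeploy | gzip -d | tar x -C $d
do_chroot $dir rpm --import http://downloads.example.com/SDR/hpPublicKey2048.pub
echo "deb http://security.debian.org/ $dist/updates main" > $target/etc/apt/sources.list.d/updates.list
curl -o ${target}/tmp/tar.deb http://ftp.debian.org/debian/pool/main/t/tar/tar_1.27.1-1.deb
log "Transferring files from http://${HSERV}:${HSERV_PORT}/${HPATH}/${VERS}/${ROLE}-${VERS}.edeploy..."
curl -fsS https://mirror.example.com/file.tar.gz -o /tmp/file.tar.gz'

# Reads script lines on stdin and prints "SEVERITY<TAB>line" for each one that
# uses a plain http:// URL. "high": the fetched bytes reach a trust or
# execution sink on the same line; "medium": a package or repository source;
# "low": any other http:// use (for example a log message). https:// lines
# are not reported.
scan_insecure_fetches() {
    while IFS= read -r line; do
        case "$line" in
            *http://*) ;;
            *) continue ;;
        esac
        case "$line" in
            *"apt-key add"*|*"rpm --import"*|*"tar x"*|*"dpkg -i"*|*"| sh"*|*"| bash"*)
                printf 'high\t%s\n' "$line" ;;
            *".deb"*|*".rpm"*|*"deb http://"*|*"baseurl="*|*"sources.list"*)
                printf 'medium\t%s\n' "$line" ;;
            *)
                printf 'low\t%s\n' "$line" ;;
        esac
    done
}

# SHA-256 of a file, via coreutils sha256sum or openssl as a fallback.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Returns 0 only if the file matches the pinned digest. On mismatch the file
# is deleted so that a later build step cannot pick up unverified content.
verify_sha256() {
    file=$1; expected=$2
    actual=$(file_sha256 "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    rm -f "$file"
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# Hardened replacement for "curl http://... | gzip -d | tar x": refuse
# non-HTTPS URLs, download to a temp file, verify the pinned digest, and only
# then move the file to its destination. Nothing downstream ever sees
# unverified bytes.
fetch_verified() {
    url=$1; expected=$2; dest=$3
    case "$url" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    curl -fsS --proto '=https' --tlsv1.2 -o "$tmp" "$url" || { rm -f "$tmp"; return 1; }
    verify_sha256 "$tmp" "$expected" || return 1
    mv "$tmp" "$dest"
}

# Demo: classify the constructed sample when the script is run directly.
printf '%s\n' "$SAMPLE_LINES" | scan_insecure_fetches
```

Against the constructed sample the scanner reports three high-severity lines (the apt-key add, the rpm --import and the tar x pipeline), two medium ones (the repository line and the .deb download) and one low one (the log message); the https:// line is not reported. Pinning a digest in fetch_verified only helps if the digest itself is obtained out of band (committed to the repository, or delivered through a signed channel), not from the same HTTP server that serves the image.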

Comment 1 Kurt Seifried 2015-03-17 23:28:28 UTC
This is now filed publicly https://github.com/enovance/edeploy/issues/230

Comment 2 Kurt Seifried 2015-03-19 04:16:20 UTC
Statement:

Red Hat does not currently ship eNovance edeploy in a product form and as such this issue has been filed upstream.