Bug 1322706 (CVE-2016-3095)

Summary: CVE-2016-3095 pulp: Potential leakage when generating new CA key in /tmp
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Adam Mariš <amaris>
Assignee: Red Hat Product Security <security-response-team>
CC: bkearney, cpelland, jalberts, mmccune, ohadlevy, rbarlow, security-response-team, tjay, tlestach
Target Milestone: ---
Target Release: ---
Fixed In Version:
Doc Type: Bug Fix
Bug Blocks: 1322708
Last Closed: 2016-03-31 18:40:46 UTC

Description Adam Mariš 2016-03-31 07:48:56 UTC
It was found that CA keys newly generated by running the pulp-gen-ca-certificate script (which is run by the spec file when pulp is installed) are insufficiently protected against reading by other users for the time the script runs.

Vulnerable code:

https://github.com/pulp/pulp/blob/2.8.0/server/bin/pulp-gen-ca-certificate
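The pattern behind this class of bug, as an added illustration in Python (the language pulp is written in); this is not pulp's own code and does not reproduce what pulp-gen-ca-certificate does internally. It assumes the script's only defect is the file's permissions between creation and a later chmod: a file opened with the process's default umask in a shared directory such as /tmp is typically created 0644, so any local user can read the key until the script tightens it. The hardened variant creates the file 0600 from the first instant, inside a 0700 scratch directory, with O_EXCL so a pre-placed file or symlink is refused. The key bytes are a constructed placeholder, not a real key.

```python
"""Added example, not pulp code: world-readable window when writing a key
with the default umask, beside a version that never has that window."""
import os
import stat
import tempfile

# Constructed stand-in for key material; no real key generation happens here.
FAKE_KEY_PEM = b"-----BEGIN PRIVATE KEY-----\nEXAMPLE-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n"


def _mode(path):
    """Permission bits of path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_key_racy(dest_dir, umask=0o022):
    """Vulnerable pattern: create with the default mode, tighten afterwards.

    Returns (mode while the key is being written, mode after chmod).
    With the common umask of 022 the first value is 0o644: readable by
    every local user until os.chmod runs.
    """
    old = os.umask(umask)
    try:
        path = os.path.join(dest_dir, "ca.key")
        with open(path, "wb") as f:       # created as 0666 & ~umask = 0644
            f.write(FAKE_KEY_PEM)
            mode_during = _mode(path)     # observed before the chmod
        os.chmod(path, 0o600)             # the window before this line is the bug
        return mode_during, _mode(path)
    finally:
        os.umask(old)


def write_key_safe(dest_dir, umask=0o022):
    """Hardened pattern: the key file never exists with a permissive mode.

    Returns (mode while writing, final mode, mode of the scratch directory).
    """
    old = os.umask(umask)
    try:
        # mkdtemp creates the directory 0700, so even a racy file inside it
        # would not be reachable by other users.
        work = tempfile.mkdtemp(prefix="ca-", dir=dest_dir)
        path = os.path.join(work, "ca.key")
        # Mode 0o600 is applied at creation; O_EXCL fails instead of
        # following a symlink or reusing a file someone else pre-created.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(FAKE_KEY_PEM)
            mode_during = _mode(path)
        return mode_during, _mode(path), _mode(work)
    finally:
        os.umask(old)


def demo():
    """Run both variants in a fresh temporary directory and return the modes."""
    base = tempfile.mkdtemp(prefix="cve-2016-3095-demo-")
    return write_key_racy(base), write_key_safe(base)


if __name__ == "__main__":
    racy, safe = demo()
    print("racy  : during=%o after=%o" % racy)
    print("safe  : during=%o after=%o dir=%o" % safe)
```

The same check is worth running against any installer or %post script that writes key material: create the file, stat it immediately, and confirm the mode is already 0600 rather than relying on a chmod that comes later.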

Comment 1 Adam Mariš 2016-03-31 07:49:06 UTC
Acknowledgments:

Name: Randy Barlow (Red Hat)

Comment 2 Randy Barlow 2016-03-31 14:41:54 UTC
This upstream pull request fixes this issue and also raises the size of the default CA key:

https://github.com/pulp/pulp/pull/2503

Comment 3 Mike McCune 2016-03-31 15:17:43 UTC
Satellite 6's use of Pulp does not utilize certificate based authentication to Pulp's API, we only authenticate via OAuth so it appears that our product is not vulnerable to this CVE.

Comment 4 Mike McCune 2016-03-31 15:18:42 UTC
IRC conversation with Randy for a bit more details:

<bowlofeggs> do you know if katello/satellite uses pulp's internal cacert or not? https://bugzilla.redhat.com/show_bug.cgi?id=1322706 is about how there is a low impact vulnerability during the generation of those certs
<bowlofeggs> the way you could tell is if the cacert setting in pulp's server.conf is commented or not
<bowlofeggs> or, if you replace the file with katello installer
<mmccune> checking
<mmccune> # consumer_cert_expiration: number of days a consumer certificate is valid
<mmccune> cacert: /etc/pki/pulp/ca.crt
<bowlofeggs> this would be in the [security] section
<mmccune> that?
<bowlofeggs> yeah
<mmccune> let me see if we generate that
<bowlofeggs> so it's uncommented, but it's also set to the default
<mmccune> yup
<bowlofeggs> pulp has a little utility called pulp-gen-ca-cert (or something like that) that our spec file runs during install
<bowlofeggs> you do generate that file yourself?
<bowlofeggs> do you use our utility?
<bowlofeggs> or do you do it all on your own?
<mmccune> checking
* bowlofeggs crosses fingers
<mmccune> what uses that CA cert?
<bowlofeggs> this CA cert is used by two things - when a pulp login call happens, that CA generates a client cert/key that is handed back on the response
<bowlofeggs> secondly, that CA is used by httpd to authenticate any calls that use certificate auth
<mmccune> we only use oauth to talk to pulp
<mmccune> yeah, we don't generate or touch that file
<bowlofeggs> oh interesting
<mmccune> so it is relying on whatever you do in %post
<bowlofeggs> if you only use oauth and never use certificates, then you are not vulnerable
<mmccune> nothing uses cert auth in sat6 to talk to pulp
<bowlofeggs> cool
<bowlofeggs> do you want to make that comment on the bug, or do you want me to?
<mmccune> i got it
<bowlofeggs> excellent. thanks mike!
<bowlofeggs> it's def a low severity bug anyway, but i wanted to inform product security on whether the product needed a fix or not
<bowlofeggs> we can just fix it upstream
<bowlofeggs> feel free to paste this convo in the bug if you want
<mmccune> yeah, we can just get it for free in 6.2 if it lands in 2.8.X
<bowlofeggs> yeah i think it'll be in 2.8.2

Comment 5 Kurt Seifried 2016-03-31 17:57:36 UTC
RHUI 2.x is also not affected as it uses an older version that doesn't ship this.

Comment 6 Kurt Seifried 2016-03-31 18:36:10 UTC
RHUI 3 will have pulp 2.8.2 or later.

Comment 7 Kurt Seifried 2016-03-31 18:40:46 UTC
Statement:

This issue did not affect the versions of pulp as shipped with Red Hat Satellite 6.x and Red Hat Update Infrastructure 2.x as they did not include support for pulp-gen-ca-certificate.