Bug 1335106 (CVE-2016-4443)

Summary: CVE-2016-4443 org.ovirt.engine-root: engine-setup logs contained information for extracting admin password
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aavati, alonbl, bmcclain, dblechte, didi, fdeutsch, gklein, grocha, lsurette, mgoldboi, michal.skrivanek, nlevinki, nobody, rbalakri, rfortier, sbonazzo, security-response-team, sgirijan, sherold, sisharma, slong, smohan, srevivo, ssaha, stirabos, vbellur, ykaul, ylavi
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in RHEV Manager, where it wrote sensitive data to the engine-setup log file. A local attacker could exploit this flaw to view sensitive information such as encryption keys and certificates (which could then be used to steal other sensitive information such as passwords).
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-09-21 21:16:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1358572, 1370288
Bug Blocks: 1335118

Description Adam Mariš 2016-05-11 11:31:45 UTC
It was reported that engine-setup logs for RHEV-M contained enough information for extraction of the admin password for RHEV-M. Specifically, they contain the output of each SQL query, with the encrypted admin password from the database, and the result of each external command execution, including the openssl command that extracts the private key from the p12 bundle. Having both the encrypted password and the private key in the same file gives everyone who is able to read the log file the ability to obtain the admin password.

This issue was introduced with the following commit:

https://gerrit.ovirt.org/#/c/43578

Comment 1 Adam Mariš 2016-05-11 11:31:53 UTC
Acknowledgments:

Name: Simone Tiraboschi (Red Hat)

Comment 3 Kurt Seifried 2016-05-25 05:12:20 UTC
The regex for the log files (assuming not renamed) is basically ovirt-engine-setup-[0-9]+-[0-9a-z]+.log

bz query for attachments called that:

https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=POST&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=ON_QA&bug_status=VERIFIED&bug_status=RELEASE_PENDING&bug_status=CLOSED&f1=attachments.filename&list_id=5172899&o1=regexp&query_format=advanced&v1=ovirt-engine-setup-%5B0-9%5D%2B-%5B0-9a-z%5D%2B.log

which results in 82 bugs. Searching the attachments (about 29 with the correct filename, not sure what's up with that) results in 3 with private keys, luckily all internal test instances:

Found 3 instances of the log file with “BEGIN PRIVATE KEY”


https://bugzilla.redhat.com/attachment.cgi?id=1130810
https://bugzilla.redhat.com/show_bug.cgi?id=1195131
2016-02-25 15:39:40 DEBUG otopi.plugins.ovirt_engine_setup.websocket_proxy.config hostname._validateFQDNresolvability:195 10-34-60-141.rhev.lab.eng.brq.redhat.com resolves to: set(['10.34.60.141'])


https://bugzilla.redhat.com/attachment.cgi?id=1128009
https://bugzilla.redhat.com/show_bug.cgi?id=1309448
2016-02-17 20:58:09 DEBUG otopi.plugins.ovirt_engine_setup.websocket_proxy.config plugin.executeRaw:828 execute: ['/usr/bin/dig', 'rhevm-3.qa.lab.tlv.redhat.com'], executable='None', cwd='None', env=None


https://bugzilla.redhat.com/attachment.cgi?id=1118830
https://bugzilla.redhat.com/show_bug.cgi?id=1302374
2016-01-27 15:34:44 DEBUG otopi.plugins.ovirt_engine_setup.websocket_proxy.config hostname._validateFQDNresolvability:195 rhevm-3.qa.lab.tlv.redhat.com resolves to: set(['10.35.64.13'])

Comment 4 Simone Tiraboschi 2016-05-25 07:42:42 UTC
I found the issue working on this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1333943

It's from a customer and it's not in the short list at comment 3, probably because the reporter changed the attachment description.

Comment 5 Simone Tiraboschi 2016-05-25 08:35:29 UTC
(In reply to Kurt Seifried from comment #3)
> Found 3 instances of the log file with “BEGIN PRIVATE KEY”
> 
> 
> https://bugzilla.redhat.com/attachment.cgi?id=1130810
> https://bugzilla.redhat.com/show_bug.cgi?id=1195131

Looking at this, I also see a similar but different issue:

For the same reasons, we are also showing in logs the private key of the vmconsole proxy. Here is an instance:


2016-02-25 15:45:55 DEBUG otopi.plugins.ovirt_engine_setup.vmconsole_proxy_helper.pki plugin.executeRaw:828 execute: ('/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh', '--name=vmconsole-proxy-helper', '--passin=**FILTERED**', '--key=-'), executable='None', cwd='None', env=None
2016-02-25 15:45:55 DEBUG otopi.plugins.ovirt_engine_setup.vmconsole_proxy_helper.pki plugin.executeRaw:878 execute-result: ('/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh', '--name=vmconsole-proxy-helper', '--passin=**FILTERED**', '--key=-'), rc=0
2016-02-25 15:45:55 DEBUG otopi.plugins.ovirt_engine_setup.vmconsole_proxy_helper.pki plugin.execute:936 execute-output: ('/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh', '--name=vmconsole-proxy-helper', '--passin=**FILTERED**', '--key=-') stdout:
Bag Attributes
    localKeyID: 0C DC 65 A0 9C B1 F3 A3 69 55 CF 48 11 77 CE 53 E0 50 12 A8 
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDkHeDDwuPOnQUr
EUDWVjvOH5RIn/Jxmpd+lvkSWLY+v63P6U746iiqNK1AeCd+wFmNPpYtzUVnkKmQ


vmconsole proxy is an optional service that lets the user connect via ssh (using a proxy service to translate it) to the serial console of a running VM.
So, if the private key of the vmconsole proxy is compromised, all the ssh traffic to the VM through the proxy is not secure anymore.

Comment 7 Yaniv Lavi 2016-08-14 09:05:19 UTC
Does this affect 3.6/4.0?

Comment 8 Yedidyah Bar David 2016-08-15 10:50:18 UTC
(In reply to Yaniv Dary from comment #7)
> Does this affect 3.6/4.0?

Filtering out private keys was done in [1].

It was included in otopi-1.4.2, released in [2], and in otopi-1.5.0_beta1, included in 4.0 RC (perhaps earlier).

Please note that this does not cover existing log files. Probably customers should be advised to protect their logs. I know that SRT looked at this, not sure about the results. At the time, I checked fubar, and found several hundred log files with private keys in them.

[1] https://gerrit.ovirt.org/#/q/If27a19f7725dd53fd4bf2e420bd17135a2102d67,n,z
[2] https://errata.devel.redhat.com/advisory/23785
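A defender-side check for the situation described in comment 3 (the engine-setup log filename pattern) and comment 8 (the otopi fix does not cover log files that already exist), added here as an example and not code from otopi, oVirt or any commenter: it matches engine-setup log names, counts PEM private key blocks left in them, and rewrites those blocks with the same **FILTERED** marker the logs already use for passwords. The sample log is constructed from the shape of the excerpt in comment 5; its key body is made up and is not a real key.

```python
import re
from pathlib import Path
from typing import Iterator, Tuple

# Filename pattern for engine-setup logs, as given in comment 3 (assuming the files were not renamed).
SETUP_LOG_NAME = re.compile(r"^ovirt-engine-setup-[0-9]+-[0-9a-z]+\.log$")

# A PEM private key block as it appears in the execute-output of pki-pkcs12-extract.sh.
# DOTALL lets the base64 body, which spans several lines, be captured as one block.
PEM_PRIVATE_KEY = re.compile(
    r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----.*?-----END (?:RSA |EC )?PRIVATE KEY-----",
    re.DOTALL,
)

# Reuse the marker otopi already writes for filtered passwords (e.g. --passin=**FILTERED**).
REDACTED = "-----BEGIN PRIVATE KEY-----\n**FILTERED**\n-----END PRIVATE KEY-----"


def is_setup_log(name: str) -> bool:
    """True if the file name looks like an engine-setup log."""
    return SETUP_LOG_NAME.match(name) is not None


def count_private_keys(text: str) -> int:
    """Number of complete PEM private key blocks found in the log text."""
    return len(PEM_PRIVATE_KEY.findall(text))


def redact_private_keys(text: str) -> Tuple[str, int]:
    """Replace every PEM private key block; returns (redacted_text, blocks_replaced)."""
    return PEM_PRIVATE_KEY.subn(REDACTED, text)


def scan_directory(root: Path) -> Iterator[Tuple[Path, int]]:
    """Yield (path, key_count) for every engine-setup log under root that still holds a key."""
    for path in sorted(root.iterdir()):
        if path.is_file() and is_setup_log(path.name):
            n = count_private_keys(path.read_text(errors="replace"))
            if n:
                yield path, n


# Constructed sample log (the key body below is made up, not real key material).
SAMPLE_LOG = """\
2016-02-25 15:45:55 DEBUG otopi.plugins.ovirt_engine_setup.vmconsole_proxy_helper.pki plugin.execute:936 execute-output: ('/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh', '--name=vmconsole-proxy-helper', '--passin=**FILTERED**', '--key=-') stdout:
Bag Attributes
    localKeyID: 00 11 22 33
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END PRIVATE KEY-----
2016-02-25 15:45:56 DEBUG otopi.plugins.ovirt_engine_setup.vmconsole_proxy_helper.pki plugin.execute:936 execute-output: stderr:
"""

if __name__ == "__main__":
    redacted, n = redact_private_keys(SAMPLE_LOG)
    print(f"{n} private key block(s) redacted")
    print(redacted)
```

Run `scan_directory(Path("/var/log/ovirt-engine/setup"))` (the path is an assumption; use wherever your setup logs live) to list files that still need cleaning before they are attached to a bug report or shipped off-box.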

Comment 10 errata-xmlrpc 2016-09-21 18:03:54 UTC
This issue has been addressed in the following products:

  RHEV Manager version 3.6

Via RHSA-2016:1929 https://rhn.redhat.com/errata/RHSA-2016-1929.html