Bug 2249273 (CVE-2023-6725)

Summary: CVE-2023-6725 tripleo-ansible: bind keys are world readable
Product: [Other] Security Response
Reporter: Nick Tait <ntait>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: beagles, eglynn, jjoyce, jschluet, lhh, lsvaty, mburns, mgarciac, michjohn, njohnston, pgrist, rhos-maint, scohen, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
An access-control flaw was found in the OpenStack Designate component where private configuration information including access keys to BIND were improperly made world readable. A malicious attacker with access to any container could exploit this flaw to access sensitive information.
Bug Depends On: 2239495, 2249276, 2279579, 2249274, 2249275    
Bug Blocks: 2240099    

Description Nick Tait 2023-11-11 21:26:56 UTC
Description of problem:

The /etc/designate directory, /etc/designate/private, and /etc/designate/private/bind1.conf files are all world readable.
This exposes the RNDC keys to anyone able to access the container.

Inside the container:
$ ls -al /etc/designate/
total 88
drwxr-xr-x. 1 root root         80 Sep 11 17:41 .
drwxr-xr-x. 1 root root         55 Sep 11 17:41 ..
-rw-r-----. 1 root designate 70205 Sep 11 16:31 designate.conf
-rw-r-----. 1 root designate  6060 Sep 11 16:31 policy.yaml
-rw-r--r--. 1 root root       2125 Sep 11 16:44 pools.yaml
drwxr-xr-x. 2 root root         60 Sep 11 17:41 private
-rw-r-----. 1 root designate   949 Jul  8  2022 rootwrap.conf

$ ls -al /etc/designate/private/
total 12
drwxr-xr-x. 2 root root  60 Sep 11 17:41 .
drwxr-xr-x. 1 root root  80 Sep 11 17:41 ..
-rw-r--r--. 1 root root 196 Sep 11 16:27 bind1.conf
-rw-r--r--. 1 root root 196 Sep 11 16:27 bind2.conf
-rw-r--r--. 1 root root 196 Sep 11 16:27 bind3.conf

On the overcloud host:
$ ls -al /var/lib/config-data/puppet-generated/designate/etc/designate/private/bind1.conf
-rw-r--r--. 1 root root 196 Sep 11 16:27 /var/lib/config-data/puppet-generated/designate/etc/designate/private/bind1.conf
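
An added example, not part of the original report or of the tripleo-ansible code: a POSIX shell audit that lists every file or directory under a configuration tree with any permission bit set for "other", run here on a constructed temporary tree that mirrors the modes in the listings above. The function names and the `chmod -R o-rwx` tightening are assumptions for illustration, not the fix that was shipped for this bug.

```shell
#!/bin/sh
# Audit a config tree for entries that grant any access to "other".

# Print every file or directory under $1 with an "other" r, w or x bit set.
audit_other_access() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Remove all "other" bits under $1 (generic tightening, an assumption here).
strip_other_access() {
    chmod -R o-rwx "$1"
}

# Build a constructed tree with the same modes as the report's listing.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/designate/private"
    for f in designate.conf policy.yaml rootwrap.conf; do
        : > "$root/etc/designate/$f"
        chmod 640 "$root/etc/designate/$f"
    done
    : > "$root/etc/designate/pools.yaml"
    chmod 644 "$root/etc/designate/pools.yaml"
    for n in 1 2 3; do
        : > "$root/etc/designate/private/bind$n.conf"
        chmod 644 "$root/etc/designate/private/bind$n.conf"
    done
    chmod 755 "$root/etc/designate" "$root/etc/designate/private"
    printf '%s\n' "$root"
}

# Demo on the constructed tree: findings before and after tightening.
sample=$(make_sample_tree)
echo "before:"; audit_other_access "$sample/etc/designate"
strip_other_access "$sample/etc/designate"
echo "after:";  audit_other_access "$sample/etc/designate"
rm -rf "$sample"
```

On a real deployment the same audit function can be pointed at `/etc/designate` inside the container or at the `/var/lib/config-data/puppet-generated/designate/etc/designate` path on the overcloud host.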

Comment 9 Anten Skrabec 2024-03-15 13:15:58 UTC
I've added you as reporter credit to the CVE page, if you'd prefer not to be credited or there's someone else who should be on it too, let me know and I'll modify it.

Comment 10 Michael Johnson 2024-03-20 15:03:01 UTC
I have no problem with that.