Bug 1335106 (CVE-2016-4443) - CVE-2016-4443 org.ovirt.engine-root: engine-setup logs contained information for extracting admin password
Summary: CVE-2016-4443 org.ovirt.engine-root: engine-setup logs contained information ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-4443
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1358572 1370288
Blocks: 1335118
TreeView+ depends on / blocked
 
Reported: 2016-05-11 11:31 UTC by Adam Mariš
Modified: 2019-09-29 13:49 UTC (History)
28 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in RHEV Manager, where it wrote sensitive data to the engine-setup log file. A local attacker could exploit this flaw to view sensitive information such as encryption keys and certificates (which could then be used to steal other sensitive information such as passwords).
Clone Of:
Environment:
Last Closed: 2016-09-21 21:16:50 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1929 normal SHIPPED_LIVE Moderate: Red Hat Virtualization Manager (RHV) bug fix 3.6.9 2016-09-21 21:57:10 UTC

Description Adam Mariš 2016-05-11 11:31:45 UTC
It was reported that engine-setup logs for RHEV-M contained enough information for extraction of admin password for RHEV-M. Specifically, it contains output of each SQL query with encrypted admin password from the database, and the result of esch external command execution including the openssl command that extracts the private key from the p12 bundle. Having both, encrypted password and private key in the same file gives ability for everyone, who is able to read log file, to obtain admin password.

This issue was introduced with following commit:

https://gerrit.ovirt.org/#/c/43578

Comment 1 Adam Mariš 2016-05-11 11:31:53 UTC
Acknowledgments:

Name: Simone Tiraboschi (Red Hat)

Comment 3 Kurt Seifried 2016-05-25 05:12:20 UTC
The regex for the log files (assuming not renamed) is basically ovirt-engine-setup-[0-9]+-[0-9a-z]+.log

bz query for attachments called that:

https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=POST&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=ON_QA&bug_status=VERIFIED&bug_status=RELEASE_PENDING&bug_status=CLOSED&f1=attachments.filename&list_id=5172899&o1=regexp&query_format=advanced&v1=ovirt-engine-setup-%5B0-9%5D%2B-%5B0-9a-z%5D%2B.log

which results in 82 bugs. Searching the attachments (about 29 with the correct filename, not sure what's up with that) results in 3 with private keys, luckily all internal test instances:

Found 3 instances of the log file with “BEGIN PRIVATE KEY”


https://bugzilla.redhat.com/attachment.cgi?id=1130810
https://bugzilla.redhat.com/show_bug.cgi?id=1195131
2016-02-25 15:39:40 DEBUG otopi.plugins.ovirt_engine_setup.websocket_proxy.config hostname._validateFQDNresolvability:195 10-34-60-141.rhev.lab.eng.brq.redhat.com resolves to: set(['10.34.60.141'])


https://bugzilla.redhat.com/attachment.cgi?id=1128009
https://bugzilla.redhat.com/show_bug.cgi?id=1309448
2016-02-17 20:58:09 DEBUG otopi.plugins.ovirt_engine_setup.websocket_proxy.config plugin.executeRaw:828 execute: ['/usr/bin/dig', 'rhevm-3.qa.lab.tlv.redhat.com'], executable='None', cwd='None', env=None


https://bugzilla.redhat.com/attachment.cgi?id=1118830
https://bugzilla.redhat.com/show_bug.cgi?id=1302374
2016-01-27 15:34:44 DEBUG otopi.plugins.ovirt_engine_setup.websocket_proxy.config hostname._validateFQDNresolvability:195 rhevm-3.qa.lab.tlv.redhat.com resolves to: set(['10.35.64.13'])

Comment 4 Simone Tiraboschi 2016-05-25 07:42:42 UTC
I found the issue working on this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1333943

It's from a customer and it's not in the short list at comment 3 probably because the reported changed the attachment description.

Comment 5 Simone Tiraboschi 2016-05-25 08:35:29 UTC
(In reply to Kurt Seifried from comment #3)
> Found 3 instances of the log file with “BEGIN PRIVATE KEY”
> 
> 
> https://bugzilla.redhat.com/attachment.cgi?id=1130810
> https://bugzilla.redhat.com/show_bug.cgi?id=1195131

Looking at this, I also see a similar but different issue:

For the same reasons, we are also showing in logs the private key of the vmconsole proxy. Here an instance:


2016-02-25 15:45:55 DEBUG otopi.plugins.ovirt_engine_setup.vmconsole_proxy_helper.pki plugin.executeRaw:828 execute: ('/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh', '--name=vmconsole-proxy-helper', '--passin=**FILTERED**', '--key=-'), executable='None', cwd='None', env=None
2016-02-25 15:45:55 DEBUG otopi.plugins.ovirt_engine_setup.vmconsole_proxy_helper.pki plugin.executeRaw:878 execute-result: ('/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh', '--name=vmconsole-proxy-helper', '--passin=**FILTERED**', '--key=-'), rc=0
2016-02-25 15:45:55 DEBUG otopi.plugins.ovirt_engine_setup.vmconsole_proxy_helper.pki plugin.execute:936 execute-output: ('/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh', '--name=vmconsole-proxy-helper', '--passin=**FILTERED**', '--key=-') stdout:
Bag Attributes
    localKeyID: 0C DC 65 A0 9C B1 F3 A3 69 55 CF 48 11 77 CE 53 E0 50 12 A8 
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDkHeDDwuPOnQUr
EUDWVjvOH5RIn/Jxmpd+lvkSWLY+v63P6U746iiqNK1AeCd+wFmNPpYtzUVnkKmQ


vmconsole proxy is a optional service that let the user connect via ssh (using a proxy service to traslate it) to the serial console of a running VM.
So, if the private key of the vmconsole proxy is compromised, all the ssh traffic to the VM through the proxy is not secure anymore.

Comment 7 Yaniv Lavi 2016-08-14 09:05:19 UTC
Does this affect 3.6/4.0?

Comment 8 Yedidyah Bar David 2016-08-15 10:50:18 UTC
(In reply to Yaniv Dary from comment #7)
> Does this affect 3.6/4.0?

Filtering out private keys was done in [1].

It was included in otopi-1.4.2, released in [2], and in otopi-1.5.0_beta1, included in 4.0 RC (perhaps earlier).

Please note that this does not cover existing log files. Probably customers should be advised to protect their logs. I know that SRT looked at this, not sure about the results. At the time, I checked fubar, and found several hundred log files with private keys in them.

[1] https://gerrit.ovirt.org/#/q/If27a19f7725dd53fd4bf2e420bd17135a2102d67,n,z
[2] https://errata.devel.redhat.com/advisory/23785

Comment 10 errata-xmlrpc 2016-09-21 18:03:54 UTC
This issue has been addressed in the following products:

  RHEV Manager version 3.6

Via RHSA-2016:1929 https://rhn.redhat.com/errata/RHSA-2016-1929.html


Note You need to log in before you can comment on or make changes to this bug.