It was reported that engine-setup logs for RHEV-M contained enough information for extraction of admin password for RHEV-M. Specifically, it contains output of each SQL query with encrypted admin password from the database, and the result of esch external command execution including the openssl command that extracts the private key from the p12 bundle. Having both, encrypted password and private key in the same file gives ability for everyone, who is able to read log file, to obtain admin password.
This issue was introduced with following commit:
Name: Simone Tiraboschi (Red Hat)
The regex for the log files (assuming not renamed) is basically ovirt-engine-setup-[0-9]+-[0-9a-z]+.log
bz query for attachments called that:
which results in 82 bugs. Searching the attachments (about 29 with the correct filename, not sure what's up with that) results in 3 with private keys, luckily all internal test instances:
Found 3 instances of the log file with “BEGIN PRIVATE KEY”
2016-02-25 15:39:40 DEBUG otopi.plugins.ovirt_engine_setup.websocket_proxy.config hostname._validateFQDNresolvability:195 10-34-60-141.rhev.lab.eng.brq.redhat.com resolves to: set(['10.34.60.141'])
2016-02-17 20:58:09 DEBUG otopi.plugins.ovirt_engine_setup.websocket_proxy.config plugin.executeRaw:828 execute: ['/usr/bin/dig', 'rhevm-3.qa.lab.tlv.redhat.com'], executable='None', cwd='None', env=None
2016-01-27 15:34:44 DEBUG otopi.plugins.ovirt_engine_setup.websocket_proxy.config hostname._validateFQDNresolvability:195 rhevm-3.qa.lab.tlv.redhat.com resolves to: set(['10.35.64.13'])
I found the issue working on this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1333943
It's from a customer and it's not in the short list at comment 3 probably because the reported changed the attachment description.
(In reply to Kurt Seifried from comment #3)
> Found 3 instances of the log file with “BEGIN PRIVATE KEY”
Looking at this, I also see a similar but different issue:
For the same reasons, we are also showing in logs the private key of the vmconsole proxy. Here an instance:
2016-02-25 15:45:55 DEBUG otopi.plugins.ovirt_engine_setup.vmconsole_proxy_helper.pki plugin.executeRaw:828 execute: ('/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh', '--name=vmconsole-proxy-helper', '--passin=**FILTERED**', '--key=-'), executable='None', cwd='None', env=None
2016-02-25 15:45:55 DEBUG otopi.plugins.ovirt_engine_setup.vmconsole_proxy_helper.pki plugin.executeRaw:878 execute-result: ('/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh', '--name=vmconsole-proxy-helper', '--passin=**FILTERED**', '--key=-'), rc=0
2016-02-25 15:45:55 DEBUG otopi.plugins.ovirt_engine_setup.vmconsole_proxy_helper.pki plugin.execute:936 execute-output: ('/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh', '--name=vmconsole-proxy-helper', '--passin=**FILTERED**', '--key=-') stdout:
localKeyID: 0C DC 65 A0 9C B1 F3 A3 69 55 CF 48 11 77 CE 53 E0 50 12 A8
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
vmconsole proxy is a optional service that let the user connect via ssh (using a proxy service to traslate it) to the serial console of a running VM.
So, if the private key of the vmconsole proxy is compromised, all the ssh traffic to the VM through the proxy is not secure anymore.
Does this affect 3.6/4.0?
(In reply to Yaniv Dary from comment #7)
> Does this affect 3.6/4.0?
Filtering out private keys was done in .
It was included in otopi-1.4.2, released in , and in otopi-1.5.0_beta1, included in 4.0 RC (perhaps earlier).
Please note that this does not cover existing log files. Probably customers should be advised to protect their logs. I know that SRT looked at this, not sure about the results. At the time, I checked fubar, and found several hundred log files with private keys in them.
This issue has been addressed in the following products:
RHEV Manager version 3.6
Via RHSA-2016:1929 https://rhn.redhat.com/errata/RHSA-2016-1929.html