It was reported that engine-setup logs for RHEV-M contained enough information for extraction of admin password for RHEV-M. Specifically, it contains output of each SQL query with encrypted admin password from the database, and the result of esch external command execution including the openssl command that extracts the private key from the p12 bundle. Having both, encrypted password and private key in the same file gives ability for everyone, who is able to read log file, to obtain admin password. This issue was introduced with following commit: https://gerrit.ovirt.org/#/c/43578
Acknowledgments: Name: Simone Tiraboschi (Red Hat)
The regex for the log files (assuming not renamed) is basically ovirt-engine-setup-[0-9]+-[0-9a-z]+.log bz query for attachments called that: https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=POST&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=ON_QA&bug_status=VERIFIED&bug_status=RELEASE_PENDING&bug_status=CLOSED&f1=attachments.filename&list_id=5172899&o1=regexp&query_format=advanced&v1=ovirt-engine-setup-%5B0-9%5D%2B-%5B0-9a-z%5D%2B.log which results in 82 bugs. Searching the attachments (about 29 with the correct filename, not sure what's up with that) results in 3 with private keys, luckily all internal test instances: Found 3 instances of the log file with “BEGIN PRIVATE KEY” https://bugzilla.redhat.com/attachment.cgi?id=1130810 https://bugzilla.redhat.com/show_bug.cgi?id=1195131 2016-02-25 15:39:40 DEBUG otopi.plugins.ovirt_engine_setup.websocket_proxy.config hostname._validateFQDNresolvability:195 10-34-60-141.rhev.lab.eng.brq.redhat.com resolves to: set(['10.34.60.141']) https://bugzilla.redhat.com/attachment.cgi?id=1128009 https://bugzilla.redhat.com/show_bug.cgi?id=1309448 2016-02-17 20:58:09 DEBUG otopi.plugins.ovirt_engine_setup.websocket_proxy.config plugin.executeRaw:828 execute: ['/usr/bin/dig', 'rhevm-3.qa.lab.tlv.redhat.com'], executable='None', cwd='None', env=None https://bugzilla.redhat.com/attachment.cgi?id=1118830 https://bugzilla.redhat.com/show_bug.cgi?id=1302374 2016-01-27 15:34:44 DEBUG otopi.plugins.ovirt_engine_setup.websocket_proxy.config hostname._validateFQDNresolvability:195 rhevm-3.qa.lab.tlv.redhat.com resolves to: set(['10.35.64.13'])
I found the issue working on this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1333943 It's from a customer and it's not in the short list at comment 3 probably because the reported changed the attachment description.
(In reply to Kurt Seifried from comment #3) > Found 3 instances of the log file with “BEGIN PRIVATE KEY” > > > https://bugzilla.redhat.com/attachment.cgi?id=1130810 > https://bugzilla.redhat.com/show_bug.cgi?id=1195131 Looking at this, I also see a similar but different issue: For the same reasons, we are also showing in logs the private key of the vmconsole proxy. Here an instance: 2016-02-25 15:45:55 DEBUG otopi.plugins.ovirt_engine_setup.vmconsole_proxy_helper.pki plugin.executeRaw:828 execute: ('/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh', '--name=vmconsole-proxy-helper', '--passin=**FILTERED**', '--key=-'), executable='None', cwd='None', env=None 2016-02-25 15:45:55 DEBUG otopi.plugins.ovirt_engine_setup.vmconsole_proxy_helper.pki plugin.executeRaw:878 execute-result: ('/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh', '--name=vmconsole-proxy-helper', '--passin=**FILTERED**', '--key=-'), rc=0 2016-02-25 15:45:55 DEBUG otopi.plugins.ovirt_engine_setup.vmconsole_proxy_helper.pki plugin.execute:936 execute-output: ('/usr/share/ovirt-engine/bin/pki-pkcs12-extract.sh', '--name=vmconsole-proxy-helper', '--passin=**FILTERED**', '--key=-') stdout: Bag Attributes localKeyID: 0C DC 65 A0 9C B1 F3 A3 69 55 CF 48 11 77 CE 53 E0 50 12 A8 Key Attributes: <No Attributes> -----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDkHeDDwuPOnQUr EUDWVjvOH5RIn/Jxmpd+lvkSWLY+v63P6U746iiqNK1AeCd+wFmNPpYtzUVnkKmQ vmconsole proxy is a optional service that let the user connect via ssh (using a proxy service to traslate it) to the serial console of a running VM. So, if the private key of the vmconsole proxy is compromised, all the ssh traffic to the VM through the proxy is not secure anymore.
Does this affect 3.6/4.0?
(In reply to Yaniv Dary from comment #7) > Does this affect 3.6/4.0? Filtering out private keys was done in [1]. It was included in otopi-1.4.2, released in [2], and in otopi-1.5.0_beta1, included in 4.0 RC (perhaps earlier). Please note that this does not cover existing log files. Probably customers should be advised to protect their logs. I know that SRT looked at this, not sure about the results. At the time, I checked fubar, and found several hundred log files with private keys in them. [1] https://gerrit.ovirt.org/#/q/If27a19f7725dd53fd4bf2e420bd17135a2102d67,n,z [2] https://errata.devel.redhat.com/advisory/23785
This issue has been addressed in the following products: RHEV Manager version 3.6 Via RHSA-2016:1929 https://rhn.redhat.com/errata/RHSA-2016-1929.html