Bug 1565969 - etcd: etcd on RH Atomic Host, exposed and with authentication disabled by default
Summary: etcd: etcd on RH Atomic Host, exposed and with authentication disabled by def...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1560338
TreeView+ depends on / blocked
 
Reported: 2018-04-11 08:09 UTC by Riccardo Schirone
Modified: 2021-02-17 00:31 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: ---
Doc Text:
It was discovered that when etcd is installed in Red Hat Enterprise Linux Atomic Host in a non-cloud environment, it is exposed to the world and does not enable authentication by default. A remote attacker could exploit this to access passwords, secret keys, and other data.
Clone Of:
Environment:
Last Closed: 2018-05-07 07:44:34 UTC


Attachments (Terms of Use)

Description Riccardo Schirone 2018-04-11 08:09:51 UTC
etcd, when installed on Red Hat Enterprise Linux Atomic Host on non-cloud
environments, is exposed to the world and it does not enable authentication by
default. A remote attacker could exploit this to access passwords, secret keys
and other data.


Additional References:
https://www.theregister.co.uk/2018/03/20/etcd_defaults_to_insecure/
https://arstechnica.com/information-technology/2018/03/thousands-of-servers-found-leaking-750-mb-worth-of-passwords-and-keys/

Comment 1 Riccardo Schirone 2018-04-11 08:10:01 UTC
Mitigation:

Configure a firewall to prevent etcd from being exposed to the world and enable TLS authentication for both clients and servers.
When Red Hat Enterprise Linux Atomic Host is installed in a cloud environment an external firewall is usually applied.

Comment 2 Riccardo Schirone 2018-05-07 07:44:34 UTC
Closing as NOTABUG since no sensitive information is stored by default in etcd when used in this configuration.


Note You need to log in before you can comment on or make changes to this bug.