Bug 2249273 (CVE-2023-6725) - CVE-2023-6725 tripleo-ansible: bind keys are world readable
Summary: CVE-2023-6725 tripleo-ansible: bind keys are world readable
Keywords:
Status: NEW
Alias: CVE-2023-6725
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2239495 2249276 2249274 2249275
Blocks: 2240099
TreeView+ depends on / blocked
 
Reported: 2023-11-11 21:26 UTC by Nick Tait
Modified: 2024-03-20 15:03 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An access-control flaw was found in the OpenStack Designate component where private configuration information including access keys to BIND were improperly made world readable. A malicious attacker with access to any container could exploit this flaw to access sensitive information.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Nick Tait 2023-11-11 21:26:56 UTC 
Description of problem:

The /etc/designate directory, /etc/designate/private, and /etc/designate/private/bind1.conf files are all world readable.
This exposes the RNDC keys to anyone able access the container.

Inside the container:
$ ls -al /etc/designate/
total 88
drwxr-xr-x. 1 root root         80 Sep 11 17:41 .
drwxr-xr-x. 1 root root         55 Sep 11 17:41 ..
-rw-r-----. 1 root designate 70205 Sep 11 16:31 designate.conf
-rw-r-----. 1 root designate  6060 Sep 11 16:31 policy.yaml
-rw-r--r--. 1 root root       2125 Sep 11 16:44 pools.yaml
drwxr-xr-x. 2 root root         60 Sep 11 17:41 private
-rw-r-----. 1 root designate   949 Jul  8  2022 rootwrap.conf

$ ls -al /etc/designate/private/
total 12
drwxr-xr-x. 2 root root  60 Sep 11 17:41 .
drwxr-xr-x. 1 root root  80 Sep 11 17:41 ..
-rw-r--r--. 1 root root 196 Sep 11 16:27 bind1.conf
-rw-r--r--. 1 root root 196 Sep 11 16:27 bind2.conf
-rw-r--r--. 1 root root 196 Sep 11 16:27 bind3.conf

On the overcloud host:
$ ls -al /var/lib/config-data/puppet-generated/designate/etc/designate/private/bind1.conf
-rw-r--r--. 1 root root 196 Sep 11 16:27 /var/lib/config-data/puppet-generated/designate/etc/designate/private/bind1.conf
Comment 9 Anten Skrabec 2024-03-15 13:15:58 UTC 
I've added you as reporter credit to the CVE page, if you'd prefer not to be credited or there's someone else who should be on it too, let me know and I modify it.
Comment 10 Michael Johnson 2024-03-20 15:03:01 UTC 
I have no problem with that.
Note You need to log in before you can comment on or make changes to this bug.