Bug #14866
closed
It is possible to download policies from any Windows node knowing its id by getting a forged inventory accepted
Description
There is no consistency check between the node id and the userId in the certificate's subject name when receiving an inventory, so it is possible to provide a certificate with a different node id and get the inventory accepted.
It may also be possible to provide a different certificate in a new inventory after taking control of an existing node (but signed with the previous one), which would be easier to exploit.
Then it is possible to download the targeted Windows node's policies as apache has no way to know the node associated with a certificate except from the content of the certificate itself.
It is not possible with Unix agents as the link between a uuid and a public key is based on ldap content directly.
Updated by Alexis Mousset almost 5 years ago
- Subject changed from It [may be] possible to download policies from any Windowsnode knowing its uuid by getting a forged inventory accepted to It [may be] possible to download policies from any Windows node knowing its id by getting a forged inventory accepted
Updated by Alexis Mousset almost 5 years ago
- Related to User story #6363: Secure agent/server communication added
Updated by Alexis Mousset almost 5 years ago
- Subject changed from It [may be] possible to download policies from any Windows node knowing its id by getting a forged inventory accepted to It is possible to download policies from any Windows node knowing its id by getting a forged inventory accepted
- Description updated (diff)
Updated by Alexis Mousset almost 5 years ago
- User visibility set to Operational - other Techniques | Rudder settings | Plugins
- Effort required set to Small
- Priority changed from 0 to 91
Updated by Vincent MEMBRÉ almost 5 years ago
- Target version changed from 5.0.10 to 5.0.11
Updated by Vincent MEMBRÉ almost 5 years ago
- Target version changed from 5.0.11 to 5.0.12
Updated by Vincent MEMBRÉ almost 5 years ago
- Target version changed from 5.0.12 to 5.0.13
- Priority changed from 91 to 90
Updated by François ARMAND almost 5 years ago
- Status changed from New to In progress
- Assignee set to François ARMAND
Updated by François ARMAND almost 5 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Vincent MEMBRÉ
- Pull Request set to https://github.com/Normation/rudder/pull/2309
Updated by Rudder Quality Assistant almost 5 years ago
- Assignee changed from Vincent MEMBRÉ to François ARMAND
Updated by François ARMAND almost 5 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|c78fa2f7a751106578b8fef2635414c171808ecb.
Updated by Vincent MEMBRÉ over 4 years ago
- Priority changed from 90 to 88
- Fix check set to To do
Updated by François ARMAND over 4 years ago
- Priority changed from 88 to 87
- Fix check changed from To do to Checked
Updated by Vincent MEMBRÉ over 4 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 5.0.13 which was released today.
Updated by Alexis Mousset almost 4 years ago
- Category changed from Web - Nodes & inventories to Security
- Priority changed from 87 to 76
Updated by Alexis Mousset 9 months ago
- Private changed from Yes to No
- Priority changed from 76 to 0