Bug #14866
closed
It is possible to download policies from any Windows node knowing its id by getting a forged inventory accepted
Added by Alexis Mousset over 5 years ago.
Updated over 1 year ago.
Severity: Critical - prevents main use of Rudder | no workaround | data loss | security
User visibility: Operational - other Techniques | Rudder settings | Plugins
Description
There is no consistency check between the node id and the userId in the certificate's subject name when receiving an inventory, so it is possible to provide a certificate with a different node id and get the inventory accepted.
It may also be possible to provide a different certificate in a new inventory after taking control of an existing node (but signed with the previous one), which would be easier to exploit.
Then it is possible to download the targeted Windows node's policies, as Apache has no way to know the node associated with a certificate except from the content of the certificate itself.
It is not possible with Unix agents, as the link between a UUID and a public key is based on LDAP content directly.
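The missing consistency check described above, sketched in Python as an added example (not Rudder's own code, which does not appear on this page). It assumes the certificate subject is available as an RFC 4514 string and that the node id is carried in its `UID` (userId) attribute; the function names and sample ids are constructed.

```python
HEX = "0123456789abcdefABCDEF"

def subject_attrs(dn):
    """Split an RFC 4514 subject string into (TYPE, value) pairs.

    Backslash escapes are resolved while splitting, so an escaped ',' or '+'
    inside a value is never mistaken for a separator.
    """
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                cur.append(chr(int(pair, 16)))   # hex escape, e.g. \2C
                i += 3
            else:
                cur.append(dn[i + 1])            # single-character escape, e.g. \,
                i += 2
        elif ch in ",+":                         # next RDN, or next value of a multi-valued RDN
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    parts.append("".join(cur))
    pairs = (p.partition("=") for p in parts)
    return [(k.strip().upper(), v.strip()) for k, _, v in pairs]

def check_inventory(node_id, cert_subject):
    """Return (accepted, reason) for an inventory claiming node_id with this certificate subject."""
    uids = [v for k, v in subject_attrs(cert_subject) if k == "UID"]
    if len(uids) != 1:
        return False, "subject must carry exactly one UID"
    if uids[0] != node_id:
        return False, "certificate UID does not match inventory node id"
    return True, "ok"

# Constructed sample ids, not taken from any real installation.
NODE_A = "11111111-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
NODE_B = "22222222-bbbb-4bbb-8bbb-bbbbbbbbbbbb"

if __name__ == "__main__":
    print(check_inventory(NODE_A, "UID=" + NODE_A + ",CN=node-a"))   # accepted
    print(check_inventory(NODE_A, "UID=" + NODE_B + ",CN=node-a"))   # rejected: mismatch
```

The check has to run on every inventory, including new inventories from nodes that are already accepted, since the description notes the certificate may be replaced in a later inventory.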
- Subject changed from It [may be] possible to download policies from any Windowsnode knowing its uuid by getting a forged inventory accepted to It [may be] possible to download policies from any Windows node knowing its id by getting a forged inventory accepted
- Subject changed from It [may be] possible to download policies from any Windows node knowing its id by getting a forged inventory accepted to It is possible to download policies from any Windows node knowing its id by getting a forged inventory accepted
- Description updated (diff)
- User visibility set to Operational - other Techniques | Rudder settings | Plugins
- Effort required set to Small
- Priority changed from 0 to 91
- Target version changed from 5.0.10 to 5.0.11
- Target version changed from 5.0.11 to 5.0.12
- Target version changed from 5.0.12 to 5.0.13
- Priority changed from 91 to 90
- Status changed from New to In progress
- Assignee set to François ARMAND
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Vincent MEMBRÉ
- Pull Request set to https://github.com/Normation/rudder/pull/2309
- Assignee changed from Vincent MEMBRÉ to François ARMAND
- Status changed from Pending technical review to Pending release
- Priority changed from 90 to 88
- Fix check set to To do
- Priority changed from 88 to 87
- Fix check changed from To do to Checked
- Status changed from Pending release to Released
This bug has been fixed in Rudder 5.0.13 which was released today.
- Category changed from Web - Nodes & inventories to Security
- Priority changed from 87 to 76
- Private changed from Yes to No
- Priority changed from 76 to 0