Bug #18286
closed
Agents fail to check their policy server's identity
Added by Alexis Mousset over 3 years ago.
Updated 9 months ago.
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
Description
The situation:
- With protocol v1 changing server certs prevented connection from nodes (but very likely because of a bug more than a security check), and required removing server public key on nodes
Authentication failure: private decrypt of received challenge failed (padding check failed)
- With protocol v2 nodes always trusts nodes having an IP matching the one configured (or resolved from hostname) as policy server.
We promise at least a TOFU on these connections, with the ability to securely provision nodes.
In the current situation, an attacker only needs to use the root or relay IP or poison the DNS, and can take control of the nodes (even without knowing their ids as code can be injected in ncf).
- Subject changed from Agent only check server IP when downloading policies to Agents only check server IP when downloading policies
- Status changed from New to In progress
- Assignee set to Alexis Mousset
- Status changed from In progress to Pending technical review
- Assignee changed from Alexis Mousset to Benoît PECCATTE
- Pull Request set to https://github.com/Normation/rudder-techniques/pull/1625
- Related to Bug #18289: Missing system variable "POLICY_SERVER_KEY" added
No relay¶
When there are no relay servers we can:
- Remove
trustkey from copy_from bodies in initial and generated policies
- Empty
trustkeysfrom on non policy server nodes
- => These ensure bootstrap policies are the only place we allow nodes to establish trust with their server. Once bootstrapped (and if not reset) the node will only trust its server.
The key point is that root server do not download policies from a server but executes them locally, and only accepts remote-run from local addresses. This makes it immune to the described attack which only affect nodes and relays.
With this:
- We have TOFU back by default
- We allow secured bootstrapping
With relays¶
We need all from previous section, but it's trickier as we need the relay to allow connections from managed nodes and to download policies from a remote server
Idea¶
Add an admit_key for policy update (could be global to the agent for all connections with a copyfrom_restrict_keys => { ... } in body agent control, cannot be admit_keys as we can't provide a meaningful default value). This makes the security model really simple, but is some work, and may not be upstreamed.
- Target version changed from 6.1.6 to 5.0.20
- Status changed from Pending technical review to In progress
- Assignee changed from Benoît PECCATTE to Alexis Mousset
- Pull Request changed from https://github.com/Normation/rudder-techniques/pull/1625 to https://github.com/Normation/rudder-techniques/pull/1626
- Status changed from In progress to Pending technical review
- Assignee changed from Alexis Mousset to Benoît PECCATTE
- Related to Bug #18297: Store policy server key hash separately to establish a specific trust added
- Related to Bug #18293: Bootstrap should only trustkey if it has no trusted key yet added
- Status changed from Pending technical review to Pending release
- Subject changed from Agents only check server IP when downloading policies to Agents fail to check their policy server's identity
- Name check changed from To do to Reviewed
- Fix check changed from To do to Checked
- Related to Bug #18408: Factory reset does not work - techniques added
- Related to Bug #18407: Factory reset does not work added
This bug has been fixed in Rudder 5.0.20, 6.0.10, 6.1.6, 6.2.0~beta1 which were released by the end of October 2020.
- Status changed from Pending release to Released
- Private changed from Yes to No
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by