Bug #19442
closed
Command injection in plugins repository file names
Added by Alexis Mousset almost 3 years ago.
Updated 9 months ago.
Description
Currently rudder-pkg runs a gpg command in a shell after downloading a file from the server.
One of the gpg command parameter is built from the remote file name, it is hence possible to run a command as root with a specially crafted file name.
This happens before signature check so an attacker would only have to impersonnate the plugins server (which uses https by default) to take control of a server.
- Description updated (diff)
- Assignee set to Félix DALLIDET
- Status changed from New to In progress
- Status changed from In progress to Pending technical review
- Assignee changed from Félix DALLIDET to Alexis Mousset
- Pull Request set to https://github.com/Normation/rudder/pull/3681
- Status changed from Pending technical review to Pending release
- Fix check changed from To do to Error - Blocking
The first use of rudder-pkg fails with:
centos8_server: downloading https://download.rudder.io/plugins/licenses/demo-normation/license.key
centos8_server: Could not execute ['gpg', '--batch', '--homedir', '/opt/rudder/etc/rudder-pkg', '--command-fd', '0', '--edit-key', '"Rudder Project"', 'trust', 'quit']
- Fix check changed from Error - Blocking to Error - Fixed
- Status changed from Pending release to Released
This bug has been fixed in Rudder 6.1.14 and 6.2.8 which were released today.
- Private changed from Yes to No
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by