FFe: Unrestricted default RESTful interface on 127.0.0.1:8000

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Release Notes for Ubuntu | Fix Released | Undecided | Unassigned |
isc-kea (Debian) | Fix Released | Unknown | |
isc-kea (Ubuntu) | Fix Released | High | Andreas Hasenack |
Bug Description
This is a feature freeze exception request to address the security vulnerability described below in [Original Description] in the kea-ctrl-agent daemon, shipped in the bin:kea-ctrl-agent package.
Upstream was contacted: https:/
The way this was addressed is via:
- a "high" debconf prompt giving 3 options (see below)
- a restriction on starting the kea-ctrl-agent daemon only if the /etc/kea/
- default kea-ctrl-agent config file is patched to include an "authentication" section, which hardcodes a "kea-api" username, and a password to be read from the /etc/kea/
Users who changed any of the following in the kea-ctrl-agent config file prior to this change will get a dpkg conf prompt unfortunately:
- listen address (default: 127.0.0.1)
- listen port (8000)
- path to control sockets of the other kea daemons (*)
- added/changed hooks libraries
- logging configuration (destination, method, rotation parameters, etc) (*)
(*) These were changed already in prior uploads of this package to lunar.
###
Unattended fresh installs, or upgrades from previous versions (before $now), of this package with a "next/next/
###
Upon fresh install, or upgrade from a pre-debconf version of this package, the user will get (subject to debconf prio levels) a "high" prio debconf prompt (screenshot attached) explaining the change and asking to pick one of 3 options:
- unconfigured: do nothing. If the /etc/kea/
- configured with random password: we generate a random password and put that in place. Service starts.
- configured with user-provided password: we ask for a password and use that. Empty passwords are not allowed. Service starts.
This should:
- fresh install: get a debconf high prio prompt with the 3 choices.
- upgrade from version-
- if user runs dpkg-reconfigure, they get the 3 choices
- upgrade from version that has these debconf questions in place already: nothing gets asked
- if the user has apt-listchanges installed, the NEWS file will be shown stating these changes
Together with this change we are also adding a DEP8 test to exercise the debconf prompts and behavior.
Diff: https:/
PPA build: https:/
DEP8 run for ppa18 (amd64 only):
[Original Description]
The kea-ctrl-agent package, when installed, starts a daemon (kea-ctrl-agent) that by default listens on 127.0.0.1:8000. It responds to commands like "shutdown", "config-get", and many others[1][2].
What's problematic is that these commands are accepted without authentication. Anyone on the localhost system can:
a) shutdown a kea daemon:
ubuntu@j-kea:~$ pidof kea-dhcp4
2884
ubuntu@j-kea:~$ curl -X POST -H "Content-Type: application/json" -d '{ "command": "shutdown", "service": [ "dhcp4" ] }' http://
[ { "result": 0, "text": "Shutting down." } ]ubuntu@j-kea:~$
ubuntu@j-kea:~$ pidof kea-dhcp4
ubuntu@j-kea:~$
b) read the config file (in this example, I made the config file 0640 root:_kea so the ubuntu user cannot read it):
ubuntu@
cat: /etc/kea/
ubuntu@
% Total % Received % Xferd Average Speed Time Time Time Current
100 4049 100 3998 100 51 134k 1751 --:--:-- --:--:-- --:--:-- 136k
[ { "arguments": { "Dhcp4": { "authoritative": false, "boot-file-name": "", "calculate-
The same could be done via the unix sockets, but the permissions there are not world writable, so this is avoided:
$ ls -la /tmp/kea*socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:13 /tmp/kea-
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:14 /tmp/kea4-
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:13 /tmp/kea6-
One course of action is to disable listening on 127.0.0.1:8000 via the config file:
/etc/kea/
"Control-agent": {
"http-host": "127.0.0.1",
// If enabling HA and multi-threading, the 8000 port is used by the HA
// hook library http listener. When using HA hook library with
// multi-threading to function, make sure the port used by dedicated
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
"http-port": 8000,
(...)
Or maybe set up authentication with a user created in postinst for this purpose, with a random password. The documentation[3], at the end of section 7.2, describes a mechanism to read the username and password from an external file, so we don't have to adjust the permissions of kea-ctrl-agent.conf because of this.
Finally, there is also a question about what to do on upgrades from systems that have this unprotected open port.
1. https:/
2. https:/
3. https:/
Related branches
- git-ubuntu bot: Approve
- Robie Basak: Approve
- Canonical Server Reporter: Pending requested
Diff: 864 lines (+716/-3), 16 files modified:
debian/NEWS (+39/-0)
debian/changelog (+22/-0)
debian/control (+2/-0)
debian/kea-ctrl-agent.config (+73/-0)
debian/kea-ctrl-agent.postinst (+72/-0)
debian/kea-ctrl-agent.postrm (+40/-0)
debian/kea-ctrl-agent.service (+1/-0)
debian/kea-ctrl-agent.templates (+34/-0)
debian/patches/0011-kea-ctrl-agent-authentication.patch (+23/-0)
debian/patches/series (+1/-0)
debian/po/POTFILES.in (+1/-0)
debian/po/templates.pot (+110/-0)
debian/tests/control (+6/-0)
debian/tests/kea-ctrl-agent-debconf (+254/-0)
debian/tests/kea-dhcp4 (+15/-1)
debian/tests/smoke-tests (+23/-2)
- summary: Disable the RESTful interface on 127.0.0.1:8000 → Unrestricted default RESTful interface on 127.0.0.1:8000
- Changed in isc-kea (Ubuntu): status: New → Triaged
- Changed in isc-kea (Ubuntu): importance: Undecided → High
- tags: added: server-todo
- Changed in isc-kea (Ubuntu): assignee: nobody → Andreas Hasenack (ahasenack)
- summary: Unrestricted default RESTful interface on 127.0.0.1:8000 → FFe: Unrestricted default RESTful interface on 127.0.0.1:8000
- description: updated (4 times)
- Changed in isc-kea (Debian): status: Unknown → New
- description: updated (3 times)
- Changed in isc-kea (Debian): status: New → Fix Released
Adding this block to the kea-ctrl-agent.conf file worked:

    "authentication": {
        "type": "basic",
        "realm": "isc-kea DHCP server",
        "directory": "/etc/kea",
        "clients": [
            {
                "user-file": "user.txt",
                "password-file": "password.txt"
            }
        ]
    },
Note how there can only be one file per client, but you can have multiple clients.
If going down that route, of having a default api user/password, how do we make this part of the package? Just change our default config, and adjust postinst to generate these two files?
Time to think...
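An added example, not code from the isc-kea package or its postinst, covering the two pieces the packaging question above needs: a helper that creates the external user.txt/password.txt files an "authentication" section points at (random password, root:group 0640 so the main config can stay world-readable), a permission check on those files, and a plain-text audit telling whether a Control-agent config carries a basic-auth section at all. Directory, group and user name are parameters; /etc/kea, _kea and kea-api from the bug text are the intended real values, and the demo uses a constructed scratch directory.

```shell
#!/bin/sh
# Added example, not the isc-kea package's own code. Credential directory,
# API user and owning group are parameters so the functions also run
# against a scratch directory instead of /etc/kea with root:_kea.
set -eu

# Create $dir/user.txt and $dir/password.txt for API client $user with a
# random 32-hex-character password, readable only by the owner and $group
# (0640). The Control-agent config then only needs the two file names.
make_kea_api_credentials() {
    dir="$1"; user="$2"; group="$3"
    mkdir -p "$dir"
    ( umask 027
      # No trailing newline: the file content is the credential, so a
      # newline would become part of the user name or password.
      printf '%s' "$user" > "$dir/user.txt"
      od -An -N16 -tx1 /dev/urandom | tr -d ' \n' > "$dir/password.txt" )
    chgrp "$group" "$dir/user.txt" "$dir/password.txt"
    chmod 0640 "$dir/user.txt" "$dir/password.txt"
}

# Return 0 if credential file $1 is non-empty and carries no "other" bits
# (positions 8-10 of the ls -l mode string), 1 otherwise.
kea_cred_file_private() {
    [ -s "$1" ] && [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Return 0 if Control-agent config $1 has an "authentication" section of
# type "basic", 1 otherwise. Kea configs allow // comments, so those are
# dropped and whitespace removed before the match; this is a text-level
# audit, not a full JSON parse.
kea_ca_has_basic_auth() {
    sed 's|//.*||' "$1" | tr -d ' \t\n' |
        grep -q '"authentication":{.*"type":"basic"'
}

# Demo against a constructed scratch directory (on a real system: /etc/kea,
# group _kea, user kea-api).
demo=$(mktemp -d)
make_kea_api_credentials "$demo" kea-api "$(id -gn)"
if kea_cred_file_private "$demo/password.txt"; then
    echo "credential files created in $demo with 0640 permissions"
fi
```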