Contrail creates cert bundles with wide open file permissions

Bug #1784905 reported by Piyush Srivastava
Affects              Status         Importance  Assigned to      Milestone
Juniper Openstack    New            Critical    Yijie Xiao
  R3.2               Fix Committed  Undecided   Shivayogi Ugaji
OpenContrail         New            Undecided   Shivayogi Ugaji

Bug Description

Contrail version: 3.2.9.0-69

Contrail API creates a Cert/Key bundle under /tmp folder based on the certfile, keyfile and cafile parameters passed in via the configuration file. There are a few issues with this:

- The bundle file is created with wide open file permissions (777) under the /tmp folder. If the bundle just has the CA cert, it's not a big deal. However, based on the configuration for VNC api, it can have the cert and private key as well. This creates a security loophole as we are compromising the private key.

- Since the contrail web server is not capable of performing SSL termination itself, I don't see a reason to have the certfile and keyfile parameters available to it. This should be a concern for haproxy running on the contrail controllers.

- If contrail really needs to create a bundle file, it should do it under a secure location, maybe /etc/contrail with locked down file permissions and proper ownership.

A few cert bundles that I have seen with the issue:

 ls -ltr /tmp/127_0_0_1/
total 8
-rwxrwxrwx 1 contrail contrail 7219 Apr 12 19:06 keystonecertbundle.pem

 ls -ltr /tmp/wpc-devprod1_svc_eng_pdx_wd/
total 16
-rwxrwxrwx 1 root root 7219 Apr 12 03:07 apiservercertbundle.pem
-rwxrwxrwx 1 root root 7219 Apr 12 03:07 keystonecertbundle.pem

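As an added illustration (not code from this report or from Contrail itself), a Python sketch of the two halves a defender wants here: an audit for the condition the reporter describes (a .pem under a directory that carries a private key and is group- or world-accessible), and a bundle writer that follows the merged fix's CA-only default plus the reporter's suggestion of a locked-down location with restrictive permissions. The file names, directory layout and PEM contents are constructed for the demo and are not real key material.

```python
import os
import stat
import tempfile
from pathlib import Path

KEY_MARKER = b"PRIVATE KEY-----"  # matches PKCS#8, RSA and EC PEM key headers

def build_bundle(cafile, certfile=None, keyfile=None, include_key=False):
    # Mirrors the merged fix: only the CA goes in unless the caller opts in.
    paths = [cafile] + ([certfile, keyfile] if include_key else [])
    return b"".join(Path(p).read_bytes() for p in paths)

def write_bundle(dest, data, file_mode=0o600):
    # Hardened write: private dir, file created 0600 by mkstemp (O_EXCL),
    # fchmod independent of umask, atomic rename over any previous copy.
    d = os.path.dirname(dest) or "."
    os.makedirs(d, mode=0o700, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=d, prefix=".bundle-")
    try:
        os.fchmod(fd, file_mode)
        os.write(fd, data)
    finally:
        os.close(fd)
    os.replace(tmp, dest)
    return stat.S_IMODE(os.stat(dest).st_mode)

def exposed_bundles(directory):
    # Audit: .pem files holding a private key that are group/world accessible
    # (the condition in the report). Returns [(name, octal mode)].
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not name.endswith(".pem") or not os.path.isfile(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if KEY_MARKER in Path(path).read_bytes() and mode & (stat.S_IRWXG | stat.S_IRWXO):
            hits.append((name, oct(mode)))
    return hits

def demo():
    # Constructed scenario: a bundle written the way the report describes
    # (cert+key, mode 0777) beside one produced by the hardened path.
    base = tempfile.mkdtemp()
    ca, key = os.path.join(base, "ca.crt"), os.path.join(base, "key.key")
    Path(ca).write_bytes(b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n")
    Path(key).write_bytes(b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n")
    bad = os.path.join(base, "apiservercertbundle.pem")
    Path(bad).write_bytes(build_bundle(ca, ca, key, include_key=True))
    os.chmod(bad, 0o777)
    mode = write_bundle(os.path.join(base, "keystonecertbundle.pem"), build_bundle(ca, ca, key))
    return exposed_bundles(base), mode
```

Run `exposed_bundles("/tmp/<host_dir>")` against a live controller to check whether any bundle still carries a key with permissive bits after upgrading.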
Tags: config
information type: Private Security → Public Security
Vineet Gupta (vineetrf)
Changed in juniperopenstack:
importance: Undecided → Critical
milestone: none → r3.2.12.0
assignee: nobody → Ignatious Johnson Christopher (ijohnson-x)
Revision history for this message
Richard Gold (rich.gold) wrote :

Another cert bundle that I have seen with the issue is "discoverycertbundle.pem" when trying to enable TLS for contrail-discovery over HAProxy.

Revision history for this message
Ignatious Johnson Christopher (ijohnson-x) wrote :

With respect to the keystonecertbundle and apiservercertbundle, all the contrail config files accept cacert and/or cert/key. So the user/provisioning tool can populate only the cacert in the config file, so that the bundle created in /tmp will contain only the CA.

A similar fix is required for discovery ssl configs in various config files (will be fixed in the next R3.2 minor release).

Changed in opencontrail:
assignee: nobody → Shivayogi Ugaji (shivayogi123)
Changed in juniperopenstack:
assignee: Ignatious Johnson Christopher (ijohnson-x) → Shivayogi Ugaji (shivayogi123)
Jeba Paulaiyan (jebap)
Changed in juniperopenstack:
milestone: r3.2.12.0 → none
Changed in juniperopenstack:
assignee: Shivayogi Ugaji (shivayogi123) → Yijie Xiao (yixiao2018)
Jeba Paulaiyan (jebap)
tags: added: config
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/48063
Submitter: Yijie Xiao (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/48064
Submitter: Yijie Xiao (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/48064
Committed: http://github.com/Juniper/contrail-controller/commit/917330e6273f386bdcebf9e10a90b093b9989c65
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit 917330e6273f386bdcebf9e10a90b093b9989c65
Author: Yijie Xiao <email address hidden>
Date: Thu Dec 6 17:24:11 2018 -0800

Take only CA when generating the bundle

User/provisioning tool can populate only the cacert in the config file,
so that the bundle created in /tmp will contain only the CA.

Also change the performing of generated bundle files.

Change-Id: Id94d1372a8710ca58c673be5fffb2b8c2cea1770
Depend-on: Ib8eccf16534aa71776fe83c0ae7eefa2ff8e3fff
Closes-Bug: 1784905

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/48063
Committed: http://github.com/Juniper/contrail-neutron-plugin/commit/a3887726b3ca88c28d646a6c2a3ec9d93b73f290
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit a3887726b3ca88c28d646a6c2a3ec9d93b73f290
Author: Yijie Xiao <email address hidden>
Date: Thu Dec 6 17:18:30 2018 -0800

Take only CA when generating the bundle

User/provisioning tool can populate only the cacert in the config file,
so that the bundle created in /tmp will contain only the CA.

Change-Id: Ib8eccf16534aa71776fe83c0ae7eefa2ff8e3fff
Partial-Bug: 1784905
