Contrail creates cert bundles with wide open file permissions
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Juniper Openstack | New | Critical | Yijie Xiao | |
| R3.2 | Fix Committed | Undecided | Shivayogi Ugaji | |
| OpenContrail | New | Undecided | Shivayogi Ugaji | |
Bug Description
Contrail version: 3.2.9.0-69
Contrail API creates a Cert/Key bundle under /tmp folder based on the certfile, keyfile and cafile parameters passed in via the configuration file. There are a few issues with this:
- The bundle file is created with wide open file permissions (777) under the /tmp folder. If the bundle just has the CA cert, it's not a big deal. However, based on the configuration for the VNC API, it can have the cert and private key as well. This creates a security loophole as we are compromising the private key.
- Since the contrail web server is not capable of performing SSL termination itself, I don't see a reason to have the certfile and keyfile parameters available to it. This should be a concern for haproxy running on the contrail controllers.
- If contrail really needs to create a bundle file, it should do it under a secure location, maybe /etc/contrail, with locked down file permissions and proper ownership.
A few cert bundles that I have seen with the issue:
```
ls -ltr /tmp/127_0_0_1/
total 8
-rwxrwxrwx 1 contrail contrail 7219 Apr 12 19:06 keystonecertbun
ls -ltr /tmp/wpc-
total 16
-rwxrwxrwx 1 root root 7219 Apr 12 03:07 apiservercertbu
-rwxrwxrwx 1 root root 7219 Apr 12 03:07 keystonecertbun
```
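A hardened version of the bundle-writing step beside a check for the condition reported above, as an added example that is not Contrail's own code: it assumes the bundle is a plain concatenation of the cert, key and CA PEM files, and the names (write_cert_bundle, bundle_exposes_key, demo, the placeholder PEM blobs) are mine. demo() recreates a key-bearing bundle left at mode 777 next to one written by the hardened path, so the check can be seen flagging one and not the other.

```python
import os
import stat
import tempfile

# Constructed placeholder PEM blobs (not real keys); only the markers matter here.
FAKE_CERT = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
FAKE_KEY = b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
FAKE_CA = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
LOOSE_BITS = stat.S_IRWXG | stat.S_IRWXO  # any group or other permission bit


def write_cert_bundle(bundle_path, *pem_paths):
    """Concatenate the PEM files into bundle_path, created with mode 0600 (assumed format)."""
    parts = []
    for p in pem_paths:
        with open(p, "rb") as f:
            parts.append(f.read().rstrip(b"\n") + b"\n")
    # O_EXCL refuses a pre-existing file at the path and the mode applies at creation,
    # so the key is never group/world readable, not even briefly before a chmod.
    fd = os.open(bundle_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(b"".join(parts))
    os.chmod(bundle_path, 0o600)  # guard against a permissive umask
    return bundle_path


def bundle_exposes_key(bundle_path):
    """True if the file holds private-key material and is group- or world-accessible."""
    with open(bundle_path, "rb") as f:
        has_key = b"PRIVATE KEY-----" in f.read()
    return has_key and bool(os.stat(bundle_path).st_mode & LOOSE_BITS)


def demo():
    """Recreate the reported 777 bundle beside the hardened writer in a temp dir."""
    tmp = tempfile.mkdtemp()
    src = {}
    for name, blob in (("cert", FAKE_CERT), ("key", FAKE_KEY), ("ca", FAKE_CA)):
        src[name] = os.path.join(tmp, name + ".pem")
        with open(src[name], "wb") as f:
            f.write(blob)
    bad = os.path.join(tmp, "loose_bundle.pem")  # the reported behaviour: 777
    with open(bad, "wb") as f:
        f.write(FAKE_CERT + FAKE_KEY + FAKE_CA)
    os.chmod(bad, 0o777)
    good = write_cert_bundle(os.path.join(tmp, "hardened_bundle.pem"),
                             src["cert"], src["key"], src["ca"])
    with open(good, "rb") as f:
        good_content = f.read()
    return {"bad_exposed": bundle_exposes_key(bad), "good_exposed": bundle_exposes_key(good),
            "good_mode": stat.S_IMODE(os.stat(good).st_mode), "good_content": good_content}
```

Pointing bundle_exposes_key() at the bundles listed in the report (or any directory Contrail writes them to) reproduces the finding without reading the key out; a bundle holding only the CA cert is not flagged, matching the report's own distinction.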
- information type: Private Security → Public Security
- Changed in juniperopenstack: importance: Undecided → Critical; milestone: none → r3.2.12.0; assignee: nobody → Ignatious Johnson Christopher (ijohnson-x)
- Changed in opencontrail: assignee: nobody → Shivayogi Ugaji (shivayogi123)
- Changed in juniperopenstack: assignee: Ignatious Johnson Christopher (ijohnson-x) → Shivayogi Ugaji (shivayogi123)
- Changed in juniperopenstack: milestone: r3.2.12.0 → none
- Changed in juniperopenstack: assignee: Shivayogi Ugaji (shivayogi123) → Yijie Xiao (yixiao2018)
- tags: added: config
Another cert bundle that I have seen with the issue is "discoverycertbundle.pem" when trying to enable TLS for contrail-discovery over HAProxy.