wireguard: netdev file can leak private key

Bug #1987842 reported by Andreas Hasenack
Affects               Status          Importance   Assigned to   Milestone
Netplan               Triaged         High         Unassigned
netplan.io (Ubuntu)   Status tracked in Oracular
  Focal               Fix Released    Undecided    Unassigned
  Jammy               Fix Released    Undecided    Unassigned
  Mantic              Fix Released    Undecided    Unassigned
  Noble               Fix Released    Undecided    Unassigned
  Oracular            New             Undecided    Unassigned

Bug Description

When using netplan with wireguard, netplan will render the /run/systemd/network/10-netplan-${name}.netdev file with 0644 permissions.

That file contains the wireguard private key, which, if specified literally (instead of using a file), will leak that key to all local users of the system. This may not be desirable.

For example, I have this yaml in /etc/netplan/home0.yaml:
network:
  version: 2
  tunnels:
    home0:
      mode: wireguard
      key: <base64 private key contents>
      port: 51000
      addresses: [10.10.11.2/24]
      peers:
        - keys:
            public: <base64 public key contents>
          endpoint: 10.48.132.39:51000
          allowed-ips: [10.10.11.0/24,10.10.10.0/24]
      routes:
        - to: 10.10.10.0/24
          from: 10.10.11.2
          scope: link

When that is rendered and applied with `netplan apply`, this error is logged in /var/log/syslog:
Aug 26 14:23:30 laptop-coffee-shop systemd-networkd[537]: /run/systemd/network/10-netplan-home0.netdev has 0644 mode that is too permissive, please adjust the ownership and access mode.

And indeed, that file contains the same literal private key, as expected:

# cat /run/systemd/network/10-netplan-home0.netdev
[NetDev]
Name=home0
Kind=wireguard

[WireGuard]
PrivateKey=<base64 private key contents>
ListenPort=51000

[WireGuardPeer]
PublicKey=<base64 public key contents>
AllowedIPs=10.10.11.0/24,10.10.10.0/24
Endpoint=10.48.132.39:51000

Its permissions should probably be 0640 root:systemd-networkd.

This is not an issue if the private key is specified via a file, in which case systemd-networkd won't even issue that warning.

Tags: fr-2634
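Added example (not part of the bug report, and not netplan's or systemd's own code): a POSIX shell audit for the condition the report describes. It lists every rendered .netdev file that both embeds a literal PrivateKey= and is readable by "other" users, then applies the 0640 root:systemd-networkd permissions the reporter proposes. The function names check_netdev_perms and harden_netdev, the sample files (constructed here, not copied from any host) and the "--demo" flag are all assumptions of this example. Files that use PrivateKeyFile= are skipped on purpose: that is the file-based alternative the reporter says does not trigger the networkd warning (the rendered unit carrying a PrivateKeyFile= line in that case is assumed here; the report only states that the warning disappears).

```shell
#!/bin/sh
# Added example, not netplan's or systemd-networkd's code: audit rendered
# .netdev files for a world-readable literal WireGuard private key and
# apply the 0640 root:systemd-networkd fix proposed in the bug report.

# check_netdev_perms DIR
# Prints one line per .netdev file under DIR that contains a literal
# "PrivateKey=" line and has the other-read bit set. Returns 1 if any such
# file exists, 0 otherwise. "PrivateKeyFile=" does not match "^PrivateKey="
# and is therefore skipped: the key then lives in a separate file with its
# own permissions.
check_netdev_perms() {
    dir="$1"
    bad=0
    for f in "$dir"/*.netdev; do
        [ -f "$f" ] || continue
        grep -q '^PrivateKey=' "$f" || continue
        # POSIX find: "-perm -o=r" matches when the other-read bit is set,
        # regardless of who runs the check.
        if [ -n "$(find "$f" -perm -o=r)" ]; then
            printf '%s: world-readable file embeds a literal PrivateKey=\n' "$f"
            bad=1
        fi
    done
    return "$bad"
}

# harden_netdev FILE [GROUP]
# Restrict FILE to owner read/write and group read (0640). If GROUP is given,
# make it the owning group; on an Ubuntu host that would be systemd-networkd,
# so networkd keeps read access while unprivileged local users lose it.
harden_netdev() {
    chmod 0640 "$1"
    if [ -n "${2:-}" ]; then
        chgrp "$2" "$1"
    fi
}

# demo_constructed
# Builds two constructed sample files in a temporary directory: one with a
# literal key (the leak), one using PrivateKeyFile= (the safe form), both
# rendered 0644 as in the report. Shows the finding, fixes it, re-checks.
demo_constructed() {
    d=$(mktemp -d)
    printf '[NetDev]\nName=wg0\nKind=wireguard\n\n[WireGuard]\nPrivateKey=<base64 private key contents>\nListenPort=51000\n' \
        > "$d/10-netplan-wg0.netdev"
    printf '[NetDev]\nName=wg1\nKind=wireguard\n\n[WireGuard]\nPrivateKeyFile=/etc/wireguard/wg1.key\n' \
        > "$d/10-netplan-wg1.netdev"
    chmod 0644 "$d"/*.netdev
    echo "before:"
    check_netdev_perms "$d" || true
    harden_netdev "$d/10-netplan-wg0.netdev"
    echo "after hardening:"
    if check_netdev_perms "$d"; then
        echo "no world-readable literal private keys"
    fi
    rm -rf "$d"
}

# Run the demo only when invoked with --demo so the functions can also be
# sourced from other scripts, e.g. to audit /run/systemd/network as root.
if [ "${1:-}" = "--demo" ]; then
    demo_constructed
fi
```

On a real host run it as root against /run/systemd/network (the directory from the report) and pass "systemd-networkd" as the group to harden_netdev. Note that /run is regenerated by `netplan generate`/`netplan apply`, so chmod on the rendered file is only a stop-gap: the lasting fix is the updated netplan.io package described below, or pointing the netplan `key:` at a root-only file as the reporter suggests.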

Revision history for this message
Lukas Märdian (slyon) wrote :

ACK. The rendered files should not be world readable.

Changed in netplan:
status: New → Triaged
importance: Undecided → High
tags: added: fr-2634
tags: added: foundations-todo
Revision history for this message
Lukas Märdian (slyon) wrote :

see also bug #2065738

Revision history for this message
Mark Esler (eslerm) wrote :

Please refer to this issue as CVE-2022-4968.

tags: removed: foundations-todo
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netplan.io - 1.0-2ubuntu1.1

---------------
netplan.io (1.0-2ubuntu1.1) noble-security; urgency=medium

  * SECURITY UPDATE: weak permissions on secret files, command injection
    - d/p/lp2065738/0014-libnetplan-use-more-restrictive-file-permissions.patch:
      Use more restrictive file permissions to prevent unprivileged users from
      reading sensitive data in back end files (LP: #2065738, #1987842)
    - CVE-2022-4968
    - d/p/lp2066258/0015-libnetplan-escape-control-characters.patch:
      Escape control characters in the parser and double quotes in backend
      files.
    - d/p/lp2066258/0016-backends-escape-file-paths.patch:
      Escape special characters in file paths.
    - d/p/lp2066258/0017-backends-escape-semicolons-in-service-units.patch:
      Escape isolated semicolons in systemd service units. (LP: #2066258)
  * debian/netplan-generator.postinst: Add a postinst maintainer script to call
    the generator. It's needed so the file permissions fixes will be applied
    automatically, thanks to danilogondolfo

 -- Sudhakar Verma <email address hidden> Tue, 25 Jun 2024 00:13:00 +0530

Changed in netplan.io (Ubuntu Noble):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netplan.io - 0.104-0ubuntu2~20.04.5

---------------
netplan.io (0.104-0ubuntu2~20.04.5) focal-security; urgency=medium

  * SECURITY UPDATE: weak permissions on secret files, command injection
    - d/p/lp2065738/0015-libnetplan-use-more-restrictive-file-permissions.patch:
      Use more restrictive file permissions to prevent unprivileged users from
      reading sensitive data in back end files (LP: #2065738, #1987842)
    - CVE-2022-4968
    - d/p/lp2066258/0016-libnetplan-escape-control-characters.patch:
      Escape control characters in the parser and double quotes in backend files
    - d/p/lp2066258/0017-libnetplan-escape-file-paths.patch:
      Escape special characters in file paths
    - d/p/lp2066258/0018-libnetplan-escape-semicolons-in-service-units.patch:
      Escape isolated semicolons in systemd service units (LP: #2066258)
  * debian/netplan.io.postinst: Add a postinst maintainer script to call the
    generator. It's needed so the file permissions fixes will be applied
    automatically, thanks to danilogondolfo

 -- Sudhakar Verma <email address hidden> Mon, 24 Jun 2024 22:03:31 +0530

Changed in netplan.io (Ubuntu Focal):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netplan.io - 0.106.1-7ubuntu0.22.04.3

---------------
netplan.io (0.106.1-7ubuntu0.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: weak permissions on secret files, command injection
    - d/p/lp2065738/0028-libnetplan-use-more-restrictive-file-permissions.patch:
      Use more restrictive file permissions to prevent unprivileged users from
      reading sensitive data in back end files (LP: #2065738, #1987842)
    - CVE-2022-4968
    - d/p/lp2066258/0029-libnetplan-escape-control-characters.patch:
      Escape control characters in the parser and double quotes in backend
      files
    - d/p/lp2066258/0030-backends-escape-file-paths.patch:
      Escape special characters in file paths
    - d/p/lp2066258/0031-backends-escape-semicolons-in-service-units.patch:
      Escape isolated semicolons in systemd service units (LP: #2066258)
  * debian/netplan.io.postinst: Add a postinst maintainer script to call the
    generator. It's needed so the file permissions fixes will be applied
    automatically, thanks to danilogondolfo

 -- Sudhakar Verma <email address hidden> Mon, 24 Jun 2024 23:20:42 +0530

Changed in netplan.io (Ubuntu Jammy):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netplan.io - 0.107-5ubuntu0.3

---------------
netplan.io (0.107-5ubuntu0.3) mantic-security; urgency=medium

  * SECURITY UPDATE: weak permissions on secret files, command injection
    - d/p/lp2065738/0012-libnetplan-use-more-restrictive-file-permissions.patch:
      Use more restrictive file permissions to prevent unprivileged users from
      reading sensitive data in back end files (LP: #2065738, #1987842)
    - CVE-2022-4968
    - d/p/lp2065738/0013-cli-generate-call-daemon-reload-after-generate.patch:
      Call systemd daemon-reload as part of the netplan generate cli command
    - d/p/lp2066258/0014-libnetplan-escape-control-characters.patch:
      Escape control characters in the parser and double quotes in backend
      files.
    - d/p/lp2066258/0015-backends-escape-file-paths.patch:
      Escape special characters in file paths.
    - d/p/lp2066258/0016-backends-escape-semicolons-in-service-units.patch:
      Escape isolated semicolons in systemd service units. (LP: #2066258)
  * debian/netplan-generator.postinst: Add a postinst maintainer script to call
    the generator. It's needed so the file permissions fixes will be applied
    automatically, thanks to danilogondolfo

 -- Sudhakar Verma <email address hidden> Mon, 24 Jun 2024 23:58:40 +0530

Changed in netplan.io (Ubuntu Mantic):
status: New → Fix Released