wireguard: netdev file can leak private key

Bug #1987842 reported by Andreas Hasenack
38
This bug affects 4 people
Affects Status Importance Assigned to Milestone
Netplan
Fix Released
High
Unassigned
netplan.io (Ubuntu)
Fix Released
Undecided
Unassigned
Focal
Fix Released
Undecided
Unassigned
Jammy
Fix Released
Undecided
Unassigned
Mantic
Fix Released
Undecided
Unassigned
Noble
Fix Released
Undecided
Unassigned
Oracular
Fix Released
Undecided
Unassigned

Bug Description

When using netplan with wireguard, netplan will render the /run/systemd/network/10-netplan-${name}.netdev file with 0644 permissions.

That file contains the wireguard private key, which, if specified literally (instead of using a file), will leak that key to all local users of the system. This may not be desirable.

For example, I have this yaml in /etc/netplan/home0.yaml:
network:
  version: 2
  tunnels:
    home0:
      mode: wireguard
      key: <base64 private key contents>
      port: 51000
      addresses: [10.10.11.2/24]
      peers:
        - keys:
            public: <base64 public key contents>
          endpoint: 10.48.132.39:51000
          allowed-ips: [10.10.11.0/24,10.10.10.0/24]
      routes:
        - to: 10.10.10.0/24
          from: 10.10.11.2
          scope: link

When that is rendered and applied with `netplan apply`, this error is logged in /var/log/syslog:
Aug 26 14:23:30 laptop-coffee-shop systemd-networkd[537]: /run/systemd/network/10-netplan-home0.netdev has 0644 mode that is too permissive, please adjust the ownership and access mode.

And indeed, that file contains the same literal private key, as expected:

# cat /run/systemd/network/10-netplan-home0.netdev
[NetDev]
Name=home0
Kind=wireguard

[WireGuard]
PrivateKey=<base64 private key contents>
ListenPort=51000

[WireGuardPeer]
PublicKey=<base64 public key contents>
AllowedIPs=10.10.11.0/24,10.10.10.0/24
Endpoint=10.48.132.39:51000

Its permissions should probably be 0640 root:systemd-networkd.

This is not an issue if the private key is specified via a file, in which case systemd-networkd won't even issue that warning.

Tags: fr-2634

CVE References

Revision history for this message
Lukas Märdian (slyon) wrote :

ACK. The rendered files should not be world readable.

Changed in netplan:
status: New → Triaged
importance: Undecided → High
tags: added: fr-2634
tags: added: foundations-todo
Revision history for this message
Lukas Märdian (slyon) wrote :

see also bug #2065738

Revision history for this message
Mark Esler (eslerm) wrote :

Please refer to this issue as CVE-2022-4968.

tags: removed: foundations-todo
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netplan.io - 1.0-2ubuntu1.1

---------------
netplan.io (1.0-2ubuntu1.1) noble-security; urgency=medium

  * SECURITY UPDATE: weak permissions on secret files, command injection
    - d/p/lp2065738/0014-libnetplan-use-more-restrictive-file-permissions.patch:
      Use more restrictive file permissions to prevent unprivileged users to
      read sensitive data from back end files (LP: #2065738, #1987842)
    - CVE-2022-4968
    - d/p/lp2066258/0015-libnetplan-escape-control-characters.patch:
      Escape control characters in the parser and double quotes in backend
      files.
    - d/p/lp2066258/0016-backends-escape-file-paths.patch:
      Escape special characters in file paths.
    - d/p/lp2066258/0017-backends-escape-semicolons-in-service-units.patch:
      Escape isolated semicolons in systemd service units. (LP: #2066258)
  * debian/netplan-generator.postinst: Add a postinst maintainer script to call
    the generator. It's needed so the file permissions fixes will be applied
    automatically, thanks to danilogondolfo

 -- Sudhakar Verma <email address hidden> Tue, 25 Jun 2024 00:13:00 +0530

Changed in netplan.io (Ubuntu Noble):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netplan.io - 0.104-0ubuntu2~20.04.5

---------------
netplan.io (0.104-0ubuntu2~20.04.5) focal-security; urgency=medium

  * SECURITY UPDATE: weak permissions on secret files, command injection
    - d/p/lp2065738/0015-libnetplan-use-more-restrictive-file-permissions.patch:
      Use more restrictive file permissions to prevent unprivileged users to
      read sensitive data from back end files (LP: #2065738, #1987842)
    - CVE-2022-4968
    - d/p/lp2066258/0016-libnetplan-escape-control-characters.patch:
      Escape control characters in the parser and double quotes in backend files
    - d/p/lp2066258/0017-libnetplan-escape-file-paths.patch:
      Escape special characters in file paths
    - d/p/lp2066258/0018-libnetplan-escape-semicolons-in-service-units.patch:
      Escape isolated semicolons in systemd service units (LP: #2066258)
  * debian/netplan.io.postinst: Add a postinst maintainer script to call the
    generator. It's needed so the file permissions fixes will be applied
    automatically, thanks to danilogondolfo

 -- Sudhakar Verma <email address hidden> Mon, 24 Jun 2024 22:03:31 +0530

Changed in netplan.io (Ubuntu Focal):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netplan.io - 0.106.1-7ubuntu0.22.04.3

---------------
netplan.io (0.106.1-7ubuntu0.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: weak permissions on secret files, command injection
    - d/p/lp2065738/0028-libnetplan-use-more-restrictive-file-permissions.patch:
      Use more restrictive file permissions to prevent unprivileged users to
      read sensitive data from back end files (LP: #2065738, #1987842)
    - CVE-2022-4968
    - d/p/lp2066258/0029-libnetplan-escape-control-characters.patch:
      Escape control characters in the parser and double quotes in backend
      files
    - d/p/lp2066258/0030-backends-escape-file-paths.patch:
      Escape special characters in file paths
    - d/p/lp2066258/0031-backends-escape-semicolons-in-service-units.patch:
      Escape isolated semicolons in systemd service units (LP: #2066258)
  * debian/netplan.io.postinst: Add a postinst maintainer script to call the
    generator. It's needed so the file permissions fixes will be applied
    automatically, thanks to danilogondolfo

 -- Sudhakar Verma <email address hidden> Mon, 24 Jun 2024 23:20:42 +0530

Changed in netplan.io (Ubuntu Jammy):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netplan.io - 0.107-5ubuntu0.3

---------------
netplan.io (0.107-5ubuntu0.3) mantic-security; urgency=medium

  * SECURITY UPDATE: weak permissions on secret files, command injection
    - d/p/lp2065738/0012-libnetplan-use-more-restrictive-file-permissions.patch:
      Use more restrictive file permissions to prevent unprivileged users to
      read sensitive data from back end files (LP: #2065738, #1987842)
    - CVE-2022-4968
    - d/p/lp2065738/0013-cli-generate-call-daemon-reload-after-generate.patch:
      Call systemd daemon-reload as part of the netplan generate cli command
    - d/p/lp2066258/0014-libnetplan-escape-control-characters.patch:
      Escape control characters in the parser and double quotes in backend
      files.
    - d/p/lp2066258/0015-backends-escape-file-paths.patch:
      Escape special characters in file paths.
    - d/p/lp2066258/0016-backends-escape-semicolons-in-service-units.patch:
      Escape isolated semicolons in systemd service units. (LP: #2066258)
  * debian/netplan-generator.postinst: Add a postinst maintainer script to call
    the generator. It's needed so the file permissions fixes will be applied
    automatically, thanks to danilogondolfo

 -- Sudhakar Verma <email address hidden> Mon, 24 Jun 2024 23:58:40 +0530

Changed in netplan.io (Ubuntu Mantic):
status: New → Fix Released
Revision history for this message
Lukas Märdian (slyon) wrote :

fixed in 1.0.1 upstream

Changed in netplan:
status: Triaged → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (3.8 KiB)

This bug was fixed in the package netplan.io - 1.0.1-1ubuntu1

---------------
netplan.io (1.0.1-1ubuntu1) oracular; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - d/p/0003-Revert-wait-online-disabled-wait-online-for-stable-1.patch:
      Fix wait-online via s-n-wait-online.service.d/10-netplan.
    - d/libnetplan1.symbols: Update for new (private) symbol

netplan.io (1.0.1-1) unstable; urgency=medium

  * New upstream release: 1.0.1:
    - sriov: accept setting the eswitch mode without VFs (LP: #2020409)
    - cli/sriov: refactoring
    - tests: use proper 0o600 file permissions in more places
    - doc: Adding missing 'watchfiles' dependency for Sphinx
    - doc: Minor fixes in lang. and mark-up in YAML reference
    - doc: Tutorial reorg & lang. + formatting improvements
    - networkd: add wait-online enumeration utils
    - generate: enable systemd-networkd-wait-online for non-optional interfaces
    - CLI:utils: Do not ask for daemon-reload password interactively
    - CLI:generate: call daemon-reload after (re-)generating services
    - wait-online: Do not block on loopback interface
    - generate: Do not touch wait-online, if we don't have any networkd NetDefs
    - wait-online: wait for existing interfaces only and downgrade operational
      state for interfaces without IP configuration
    - wait-online: account for DHCPv4/v6 addresses
    - wait-online: do not require virtual devices to be created already
    - wait-online: recognize that bridge/bond members will never gain
      link-local addresses
    - networkd:apply: Drop handling of legacy wpa@ instance units
    - wait-online: disabled wait-online for stable 1.0
    - test:integration: Try to improve test flakyness
    - autopkgtest: More fixes for flaky 'ethernets' test
    - Increase some test timeouts to account for slow (riscv64) buildds
    SECURITY UPDATE:
    - libnetplan: use more restrictive file permissions
      (Closes: #1072789, LP: #2065738, LP: #1987842)
    - CVE-2022-4968
    - libnetplan: escape control characters
    - backends: escape file paths
    - backends: escape semicolons in service units (LP: #2066258)
    Bug fixes:
    - cli: Fix logging setup when python-rich is not present
    - CI: fix DebCI case for no-change rebuilds
    - CI: adopt autopkgtest for 1.0-1 on 22.04
    - doc: Update README, move CODE_OF_CONDUCT
    - doc: fix en_GB spelling
    - CI: adopt snapd.patch for autopkgtest SRU (LP: #2051939)
    - parse-nm: add a workaround for the DoT DNS option (LP: #2055148)
    - CI: Install netplan-ci PPA
    - parse: don't remove datalist items during iteration
    - ATTN: parse/bonds: handle same primary in multiple bonds
    - parse/bonds: don't fail on primary reassignment
    - cli/sriov: set eswitch regardless of pcidev.vfs
    - doc: Fix wrong bonds.parameters.mode syntax in example
    - parse: fix redefinition of gateway(4|6)
    - doc:tutorial: fix whitespace formatting
    - util: fix potential NULL pointer assert
    - python: elements of __all__ must be strings
    - tests: fix diff test with iproute2 6.8
    - cli/generate: skip daemon_reload with --mapping
    - test: cleanup after wait_online tes...

Read more...

Changed in netplan.io (Ubuntu Oracular):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.