2023-02-14 20:13:47 |
Andreas Hasenack |
bug |
|
|
added bug |
2023-02-14 20:14:14 |
Andreas Hasenack |
summary |
Disable the RESTful interface on 127.0.0.1:8000 |
Unrestricted default RESTful interface on 127.0.0.1:8000 |
|
2023-02-15 15:23:39 |
Athos Ribeiro |
isc-kea (Ubuntu): status |
New |
Triaged |
|
2023-02-15 15:23:50 |
Athos Ribeiro |
bug |
|
|
added subscriber Ubuntu Server |
2023-03-01 20:33:00 |
Andreas Hasenack |
isc-kea (Ubuntu): importance |
Undecided |
High |
|
2023-03-01 20:33:04 |
Andreas Hasenack |
tags |
|
server-todo |
|
2023-03-01 20:33:13 |
Andreas Hasenack |
bug |
|
|
added subscriber Canonical Server |
2023-03-08 16:16:30 |
Christian Ehrhardt |
isc-kea (Ubuntu): assignee |
|
Andreas Hasenack (ahasenack) |
|
2023-03-14 18:32:54 |
Andreas Hasenack |
isc-kea (Ubuntu): status |
Triaged |
In Progress |
|
2023-03-21 22:28:10 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/isc-kea/+git/isc-kea/+merge/439352 |
|
2023-03-22 13:50:26 |
Launchpad Janitor |
merge proposal unlinked |
https://code.launchpad.net/~ahasenack/ubuntu/+source/isc-kea/+git/isc-kea/+merge/439352 |
|
|
2023-03-22 16:13:28 |
Andreas Hasenack |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/isc-kea/+git/isc-kea/+merge/439352 |
|
2023-03-24 16:16:04 |
Andreas Hasenack |
bug task added |
|
ubuntu-release-notes |
|
2023-03-27 18:02:09 |
Andreas Hasenack |
summary |
Unrestricted default RESTful interface on 127.0.0.1:8000 |
FFe: Unrestricted default RESTful interface on 127.0.0.1:8000 |
|
2023-03-27 18:10:23 |
Andreas Hasenack |
description |
The kea-ctrl-agent package, when installed, starts a daemon (kea-ctrl-agent) that by default listens on 127.0.0.1:8000. It responds to commands like "shutdown", "config-get", and many others[1][2].
What's problematic is that these commands are accepted without authentication. Anyone on the localhost system can:
a) shutdown a kea daemon:
ubuntu@j-kea:~$ pidof kea-dhcp4
2884
ubuntu@j-kea:~$ curl -X POST -H "Content-Type: application/json" -d '{ "command": "shutdown", "service": [ "dhcp4" ] }' http://localhost:8000/
[ { "result": 0, "text": "Shutting down." } ]ubuntu@j-kea:~$
ubuntu@j-kea:~$ pidof kea-dhcp4
ubuntu@j-kea:~$
b) read the config file (in this example, I made the config file 0640 root:_kea so the ubuntu user cannot read it):
ubuntu@andreas-isc-kea-server:~$ cat /etc/kea/kea-dhcp4.conf
cat: /etc/kea/kea-dhcp4.conf: Permission denied
ubuntu@andreas-isc-kea-server:~$ curl -X POST -H "Content-Type: application/json" -d '{ "command": "config-get", "service": [ "dhcp4" ] }' http://localhost:8000/| grep secret
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4049 100 3998 100 51 134k 1751 --:--:-- --:--:-- --:--:-- 136k
[ { "arguments": { "Dhcp4": { "authoritative": false, "boot-file-name": "", "calculate-tee-times": false, "config-control": { "config-databases": [ { "name": "kea", "password": "keasecret", ....
The same could be done via the unix sockets, but the permissions there are not world writable, so this is avoided:
$ ls -la /tmp/kea*socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:13 /tmp/kea-ddns-ctrl-socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:14 /tmp/kea4-ctrl-socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:13 /tmp/kea6-ctrl-socket
One course of action is to disable listening on 127.0.0.1:8000 via the config file:
/etc/kea/kea-ctrl-agent.conf:
"Control-agent": {
"http-host": "127.0.0.1",
// If enabling HA and multi-threading, the 8000 port is used by the HA
// hook library http listener. When using HA hook library with
// multi-threading to function, make sure the port used by dedicated
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
"http-port": 8000,
(...)
Or maybe set up authentication with a user created in postinst for this purpose, with a random password. The documentation[3], at the end of section 7.2, lists a mechanism to include the username and password from an external file, so we don't have to adjust the permissions of kea-ctrl-agent.conf because of this.
Finally, there is also a question about what to do on upgrades from systems that have this unprotected open port.
1. https://kea.readthedocs.io/en/kea-2.2.0/arm/ctrl-channel.html#commands-supported-by-both-the-dhcpv4-and-dhcpv6-servers
2. https://kea.readthedocs.io/en/kea-2.2.0/arm/ctrl-channel.html#commands-supported-by-the-d2-server
3. https://kea.readthedocs.io/en/kea-2.2.0/arm/agent.html#configuration |
This is a feature freeze exception request to address the security vulnerability described below in [Original Description] in the kea-ctrl-agent daemon, shipped in the bin:kea-ctrl-agent package.
The way this was addressed is via:
- a "high" debconf prompt giving 3 options (see below)
- a restriction on starting the kea-ctrl-agent daemon only if the /etc/kea/kea-api-password file exists and has content
Upon fresh install, or upgrade from a pre-debconf version of this package, the user will get a "high" prio debconf prompt explaining the change and asking to pick one of 3 options:
- unconfigured: do nothing. If the /etc/kea/kea-api-password file isn't in place, the service won't start (but won't fail either). This is the default for unattended installs.
- configured with random password: we generate a random password and put that in place. Service starts.
- configured with user-provided password: we ask for a password and use that. Empty passwords are not allowed. Service starts.
This should:
- fresh install: get a debconf high prio prompt with the 3 choices.
- upgrade from version-before-debconf: same as fresh install, you get the 3 choices
- if user runs dpkg-reconfigure, they get the 3 choices
- upgrade from version that has these debconf questions in place already: nothing gets asked
- if the user has apt-listchanges installed, the NEWS file will be shown stating these changes
Together with this change we are also adding a DEP8 test to exercise the debconf prompts and behavior.
Diff: https://code.launchpad.net/~ahasenack/ubuntu/+source/isc-kea/+git/isc-kea/+merge/439352
PPA build: https://launchpad.net/~ahasenack/+archive/ubuntu/isc-kea-debconf/+packages
DEP8 run for ppa16 (amd64 and arm64):
https://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-isc-kea-debconf/lunar/amd64/i/isc-kea/20230327_174328_8c4ee@/log.gz
https://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-isc-kea-debconf/lunar/arm64/i/isc-kea/20230327_174320_7693a@/log.gz
[Original Description]
The kea-ctrl-agent package, when installed, starts a daemon (kea-ctrl-agent) that by default listens on 127.0.0.1:8000. It responds to commands like "shutdown", "config-get", and many others[1][2].
What's problematic is that these commands are accepted without authentication. Anyone on the localhost system can:
a) shutdown a kea daemon:
ubuntu@j-kea:~$ pidof kea-dhcp4
2884
ubuntu@j-kea:~$ curl -X POST -H "Content-Type: application/json" -d '{ "command": "shutdown", "service": [ "dhcp4" ] }' http://localhost:8000/
[ { "result": 0, "text": "Shutting down." } ]ubuntu@j-kea:~$
ubuntu@j-kea:~$ pidof kea-dhcp4
ubuntu@j-kea:~$
b) read the config file (in this example, I made the config file 0640 root:_kea so the ubuntu user cannot read it):
ubuntu@andreas-isc-kea-server:~$ cat /etc/kea/kea-dhcp4.conf
cat: /etc/kea/kea-dhcp4.conf: Permission denied
ubuntu@andreas-isc-kea-server:~$ curl -X POST -H "Content-Type: application/json" -d '{ "command": "config-get", "service": [ "dhcp4" ] }' http://localhost:8000/| grep secret
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4049 100 3998 100 51 134k 1751 --:--:-- --:--:-- --:--:-- 136k
[ { "arguments": { "Dhcp4": { "authoritative": false, "boot-file-name": "", "calculate-tee-times": false, "config-control": { "config-databases": [ { "name": "kea", "password": "keasecret", ....
The same could be done via the unix sockets, but the permissions there are not world writable, so this is avoided:
$ ls -la /tmp/kea*socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:13 /tmp/kea-ddns-ctrl-socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:14 /tmp/kea4-ctrl-socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:13 /tmp/kea6-ctrl-socket
One course of action is to disable listening on 127.0.0.1:8000 via the config file:
/etc/kea/kea-ctrl-agent.conf:
"Control-agent": {
"http-host": "127.0.0.1",
// If enabling HA and multi-threading, the 8000 port is used by the HA
// hook library http listener. When using HA hook library with
// multi-threading to function, make sure the port used by dedicated
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
"http-port": 8000,
(...)
Or maybe set up authentication with a user created in postinst for this purpose, with a random password. The documentation[3], at the end of section 7.2, lists a mechanism to include the username and password from an external file, so we don't have to adjust the permissions of kea-ctrl-agent.conf because of this.
Finally, there is also a question about what to do on upgrades from systems that have this unprotected open port.
1. https://kea.readthedocs.io/en/kea-2.2.0/arm/ctrl-channel.html#commands-supported-by-both-the-dhcpv4-and-dhcpv6-servers
2. https://kea.readthedocs.io/en/kea-2.2.0/arm/ctrl-channel.html#commands-supported-by-the-d2-server
3. https://kea.readthedocs.io/en/kea-2.2.0/arm/agent.html#configuration |
|
2023-03-27 18:12:53 |
Andreas Hasenack |
description |
|
This is a feature freeze exception request to address the security vulnerability described below in [Original Description] in the kea-ctrl-agent daemon, shipped in the bin:kea-ctrl-agent package.
The way this was addressed is via:
- a "high" debconf prompt giving 3 options (see below)
- a restriction on starting the kea-ctrl-agent daemon only if the /etc/kea/kea-api-password file exists and has content
Upon fresh install, or upgrade from a pre-debconf version of this package, the user will get (subject to debconf prio levels) a "high" prio debconf prompt explaining the change and asking to pick one of 3 options:
- unconfigured: do nothing. If the /etc/kea/kea-api-password file isn't in place, the service won't start (but won't fail either). This is the default for unattended installs.
- configured with random password: we generate a random password and put that in place. Service starts.
- configured with user-provided password: we ask for a password and use that. Empty passwords are not allowed. Service starts.
This should:
- fresh install: get a debconf high prio prompt with the 3 choices.
- upgrade from version-before-debconf: same as fresh install, you get the 3 choices
- if user runs dpkg-reconfigure, they get the 3 choices
- upgrade from version that has these debconf questions in place already: nothing gets asked
- if the user has apt-listchanges installed, the NEWS file will be shown stating these changes
Together with this change we are also adding a DEP8 test to exercise the debconf prompts and behavior.
Diff: https://code.launchpad.net/~ahasenack/ubuntu/+source/isc-kea/+git/isc-kea/+merge/439352
PPA build: https://launchpad.net/~ahasenack/+archive/ubuntu/isc-kea-debconf/+packages
DEP8 run for ppa16 (amd64 and arm64):
https://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-isc-kea-debconf/lunar/amd64/i/isc-kea/20230327_174328_8c4ee@/log.gz
https://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-isc-kea-debconf/lunar/arm64/i/isc-kea/20230327_174320_7693a@/log.gz
|
|
2023-03-27 18:19:26 |
Andreas Hasenack |
description |
|
This is a feature freeze exception request to address the security vulnerability described below in [Original Description] in the kea-ctrl-agent daemon, shipped in the bin:kea-ctrl-agent package.
The way this was addressed is via:
- a "high" debconf prompt giving 3 options (see below)
- a restriction on starting the kea-ctrl-agent daemon only if the /etc/kea/kea-api-password file exists and has content
- default kea-ctrl-agent config file is patched to include an "authentication" section, which hardcodes a "kea-api" username, and a password to be read from the /etc/kea/kea-api-password file.
Users who changed any of the following in the kea-ctrl-agent config file prior to this change will get a dpkg conf prompt unfortunately:
- listen address (default: 127.0.0.1)
- listen port (8000)
- path to control sockets of the other kea daemons (*)
- added/changed hooks libraries
- logging configuration (destination, method, rotation parameters, etc) (*)
(*) These were changed already in prior uploads of this package to lunar.
###
Unattended fresh installs, or upgrades, of this package, or the "next/next/next/finish" type of installation, will end up with a non-running kea-ctrl-agent daemon.
###
Upon fresh install, or upgrade from a pre-debconf version of this package, the user will get (subject to debconf prio levels) a "high" prio debconf prompt explaining the change and asking to pick one of 3 options:
- unconfigured: do nothing. If the /etc/kea/kea-api-password file isn't in place, the service won't start (but won't fail either). This is the default for unattended installs.
- configured with random password: we generate a random password and put that in place. Service starts.
- configured with user-provided password: we ask for a password and use that. Empty passwords are not allowed. Service starts.
This should:
- fresh install: get a debconf high prio prompt with the 3 choices.
- upgrade from version-before-debconf: same as fresh install, you get the 3 choices
- if user runs dpkg-reconfigure, they get the 3 choices
- upgrade from version that has these debconf questions in place already: nothing gets asked
- if the user has apt-listchanges installed, the NEWS file will be shown stating these changes
Together with this change we are also adding a DEP8 test to exercise the debconf prompts and behavior.
Diff: https://code.launchpad.net/~ahasenack/ubuntu/+source/isc-kea/+git/isc-kea/+merge/439352
PPA build: https://launchpad.net/~ahasenack/+archive/ubuntu/isc-kea-debconf/+packages
DEP8 run for ppa16 (amd64 and arm64):
https://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-isc-kea-debconf/lunar/amd64/i/isc-kea/20230327_174328_8c4ee@/log.gz
https://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-isc-kea-debconf/lunar/arm64/i/isc-kea/20230327_174320_7693a@/log.gz
|
|
2023-03-27 18:20:48 |
Andreas Hasenack |
description |
|
This is a feature freeze exception request to address the security vulnerability described below in [Original Description] in the kea-ctrl-agent daemon, shipped in the bin:kea-ctrl-agent package.
Upstream was contacted: https://lists.isc.org/pipermail/kea-dev/2023-March/001001.html. Advice was to not start or not install kea-ctrl-agent.
The way this was addressed is via:
- a "high" debconf prompt giving 3 options (see below)
- a restriction on starting the kea-ctrl-agent daemon only if the /etc/kea/kea-api-password file exists and has content
- default kea-ctrl-agent config file is patched to include an "authentication" section, which hardcodes a "kea-api" username, and a password to be read from the /etc/kea/kea-api-password file.
Users who changed any of the following in the kea-ctrl-agent config file prior to this change will get a dpkg conf prompt unfortunately:
- listen address (default: 127.0.0.1)
- listen port (8000)
- path to control sockets of the other kea daemons (*)
- added/changed hooks libraries
- logging configuration (destination, method, rotation parameters, etc) (*)
(*) These were changed already in prior uploads of this package to lunar.
###
Unattended fresh installs, or upgrades, of this package, or the "next/next/next/finish" type of installation, will end up with a non-running kea-ctrl-agent daemon.
###
Upon fresh install, or upgrade from a pre-debconf version of this package, the user will get (subject to debconf prio levels) a "high" prio debconf prompt explaining the change and asking to pick one of 3 options:
- unconfigured: do nothing. If the /etc/kea/kea-api-password file isn't in place, the service won't start (but won't fail either). This is the default for unattended installs.
- configured with random password: we generate a random password and put that in place. Service starts.
- configured with user-provided password: we ask for a password and use that. Empty passwords are not allowed. Service starts.
This should:
- fresh install: get a debconf high prio prompt with the 3 choices.
- upgrade from version-before-debconf: same as fresh install, you get the 3 choices
- if user runs dpkg-reconfigure, they get the 3 choices
- upgrade from version that has these debconf questions in place already: nothing gets asked
- if the user has apt-listchanges installed, the NEWS file will be shown stating these changes
Together with this change we are also adding a DEP8 test to exercise the debconf prompts and behavior.
Diff: https://code.launchpad.net/~ahasenack/ubuntu/+source/isc-kea/+git/isc-kea/+merge/439352
PPA build: https://launchpad.net/~ahasenack/+archive/ubuntu/isc-kea-debconf/+packages
DEP8 run for ppa16 (amd64 and arm64):
https://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-isc-kea-debconf/lunar/amd64/i/isc-kea/20230327_174328_8c4ee@/log.gz
https://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-isc-kea-debconf/lunar/arm64/i/isc-kea/20230327_174320_7693a@/log.gz
|
|
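An added audit script (not code from the bug report, the Ubuntu package or Kea) that checks a kea-ctrl-agent.conf for the state the fix described above leaves behind: a loopback listener, a basic-auth "authentication" section, and a non-empty external password file. It assumes the Kea 2.2 authentication layout from the documentation in [3] ("type": "basic", optional "directory", per-client "user" and "password-file") and the packaging rule that the daemon only starts when /etc/kea/kea-api-password exists and has content; both sample configs are constructed.

```python
"""Audit a kea-ctrl-agent.conf for the unauthenticated REST API issue in this bug.

Added example; not code from the bug report, the Ubuntu package or Kea. Assumed
(labelled) details: the Kea 2.2 "authentication" layout ("type": "basic", optional
"directory", per-client "user" and "password-file") and the packaging rule that the
daemon only starts when /etc/kea/kea-api-password exists and is non-empty."""
import json
import os
import sys
from typing import Callable, List


def strip_kea_comments(text: str) -> str:
    """Drop // and /* */ comments Kea accepts in its JSON, but not inside strings."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:        # copy the escaped char verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):         # line comment: keep its newline
            i = text.find("\n", i)
            if i == -1:
                break
            continue
        elif text.startswith("/*", i):         # block comment
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


def _file_has_content(path: str) -> bool:
    return os.path.isfile(path) and os.path.getsize(path) > 0


def audit_control_agent(config_text: str,
                        has_content: Callable[[str], bool] = _file_has_content) -> List[str]:
    """Return findings; an empty list is the state the fix intends. has_content is injectable."""
    try:
        ca = json.loads(strip_kea_comments(config_text))["Control-agent"]
    except (ValueError, KeyError, TypeError) as exc:
        return [f"cannot parse Control-agent section: {exc}"]
    findings: List[str] = []
    host = ca.get("http-host", "127.0.0.1")
    if host not in ("127.0.0.1", "::1", "localhost"):
        findings.append(f"http-host {host!r} is not loopback: API exposed to the network")
    auth = ca.get("authentication")
    if not auth:
        findings.append("no 'authentication' section: any local user can send "
                        "shutdown/config-get to the Kea daemons")
        return findings
    clients = auth.get("clients") or []
    if auth.get("type") != "basic" or not clients:
        findings.append("'authentication' section lacks type 'basic' or any clients")
    directory = auth.get("directory", "")
    for idx, client in enumerate(clients):
        if "password" in client:   # an inline secret would make the conf file itself secret
            findings.append(f"client {idx}: password stored inline in the config file")
        pw_file = client.get("password-file")
        if pw_file:
            path = pw_file if os.path.isabs(pw_file) else os.path.join(directory, pw_file)
            if not has_content(path):
                findings.append(f"client {idx}: password file {path} is missing or "
                                "empty; the packaged service would not start")
    return findings


# Constructed sample: the shipped default before the fix (listener, no authentication).
UNAUTHENTICATED_CONF = """{ "Control-agent": {
    "http-host": "127.0.0.1",
    // port 8000 is also used by the HA hook library listener (comment as in the default file)
    "http-port": 8000,
    "control-sockets": { "dhcp4": { "socket-type": "unix", "socket-name": "/tmp/kea4-ctrl-socket" } }
} }"""

# Constructed sample: the layout the fix installs (key names assumed from the Kea docs).
HARDENED_CONF = """{ "Control-agent": {
    "http-host": "127.0.0.1", "http-port": 8000,
    "authentication": { "type": "basic", "realm": "kea-control-agent", "directory": "/etc/kea",
                        "clients": [ { "user": "kea-api", "password-file": "kea-api-password" } ] }
} }"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/kea/kea-ctrl-agent.conf"
    with open(path, encoding="utf-8") as fh:
        problems = audit_control_agent(fh.read())
    print("\n".join(problems) if problems else f"{path}: OK")
    sys.exit(1 if problems else 0)
```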
2023-03-27 18:21:24 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Release Team |
2023-03-27 18:25:43 |
Andreas Hasenack |
attachment added |
|
kea-ctrl-agent-choices.png https://bugs.launchpad.net/ubuntu/+source/isc-kea/+bug/2007312/+attachment/5657984/+files/kea-ctrl-agent-choices.png |
|
2023-03-27 18:26:04 |
Andreas Hasenack |
description |
|
This is a feature freeze exception request to address the security vulnerability described below in [Original Description] in the kea-ctrl-agent daemon, shipped in the bin:kea-ctrl-agent package.
Upstream was contacted: https://lists.isc.org/pipermail/kea-dev/2023-March/001001.html. Advice was to not start or not install kea-ctrl-agent.
The way this was addressed is via:
- a "high" debconf prompt giving 3 options (see below)
- a restriction on starting the kea-ctrl-agent daemon only if the /etc/kea/kea-api-password file exists and has content
- default kea-ctrl-agent config file is patched to include an "authentication" section, which hardcodes a "kea-api" username, and a password to be read from the /etc/kea/kea-api-password file.
Users who changed any of the following in the kea-ctrl-agent config file prior to this change will get a dpkg conf prompt unfortunately:
- listen address (default: 127.0.0.1)
- listen port (8000)
- path to control sockets of the other kea daemons (*)
- added/changed hooks libraries
- logging configuration (destination, method, rotation parameters, etc) (*)
(*) These were changed already in prior uploads of this package to lunar.
###
Unattended fresh installs, or upgrades, of this package, or the "next/next/next/finish" type of installation, will end up with a non-running kea-ctrl-agent daemon.
###
Upon fresh install, or upgrade from a pre-debconf version of this package, the user will get (subject to debconf prio levels) a "high" prio debconf prompt (screenshot attached) explaining the change and asking to pick one of 3 options:
- unconfigured: do nothing. If the /etc/kea/kea-api-password file isn't in place, the service won't start (but won't fail either). This is the default for unattended installs.
- configured with random password: we generate a random password and put that in place. Service starts.
- configured with user-provided password: we ask for a password and use that. Empty passwords are not allowed. Service starts.
This should:
- fresh install: get a debconf high prio prompt with the 3 choices.
- upgrade from version-before-debconf: same as fresh install, you get the 3 choices
- if user runs dpkg-reconfigure, they get the 3 choices
- upgrade from version that has these debconf questions in place already: nothing gets asked
- if the user has apt-listchanges installed, the NEWS file will be shown stating these changes
Together with this change we are also adding a DEP8 test to exercise the debconf prompts and behavior.
Diff: https://code.launchpad.net/~ahasenack/ubuntu/+source/isc-kea/+git/isc-kea/+merge/439352
PPA build: https://launchpad.net/~ahasenack/+archive/ubuntu/isc-kea-debconf/+packages
DEP8 run for ppa16 (amd64 and arm64):
https://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-isc-kea-debconf/lunar/amd64/i/isc-kea/20230327_174328_8c4ee@/log.gz
https://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-isc-kea-debconf/lunar/arm64/i/isc-kea/20230327_174320_7693a@/log.gz
|
|
2023-03-27 18:37:39 |
Andreas Hasenack |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033367 |
|
2023-03-27 18:37:39 |
Andreas Hasenack |
bug task added |
|
isc-kea (Debian) |
|
2023-03-29 11:58:16 |
Bug Watch Updater |
isc-kea (Debian): status |
Unknown |
New |
|
2023-03-29 12:24:33 |
Andreas Hasenack |
description |
|
This is a feature freeze exception request to address the security vulnerability described below in [Original Description] in the kea-ctrl-agent daemon, shipped in the bin:kea-ctrl-agent package.
Upstream was contacted: https://lists.isc.org/pipermail/kea-dev/2023-March/001001.html. Advice was to not start or not install kea-ctrl-agent.
The way this was addressed is via:
- a "high" debconf prompt giving 3 options (see below)
- a restriction on starting the kea-ctrl-agent daemon only if the /etc/kea/kea-api-password file exists and has content
- default kea-ctrl-agent config file is patched to include an "authentication" section, which hardcodes a "kea-api" username, and a password to be read from the /etc/kea/kea-api-password file.
Users who changed any of the following in the kea-ctrl-agent config file prior to this change will get a dpkg conf prompt unfortunately:
- listen address (default: 127.0.0.1)
- listen port (8000)
- path to control sockets of the other kea daemons (*)
- added/changed hooks libraries
- logging configuration (destination, method, rotation parameters, etc) (*)
(*) These were changed already in prior uploads of this package to lunar.
###
Unattended fresh installs, or upgrades from previous versions (before $now), of this package with a "next/next/next/finish" type of installation, will end up with a non-running kea-ctrl-agent daemon, because no password will be set by default.
###
Upon fresh install, or upgrade from a pre-debconf version of this package, the user will get (subject to debconf prio levels) a "high" prio debconf prompt (screenshot attached) explaining the change and asking to pick one of 3 options:
- unconfigured: do nothing. If the /etc/kea/kea-api-password file isn't in place, the service won't start (but won't fail either). This is the default for unattended installs.
- configured with random password: we generate a random password and put that in place. Service starts.
- configured with user-provided password: we ask for a password and use that. Empty passwords are not allowed. Service starts.
This should:
- fresh install: get a debconf high prio prompt with the 3 choices.
- upgrade from version-before-debconf: same as fresh install, you get the 3 choices
- if user runs dpkg-reconfigure, they get the 3 choices
- upgrade from version that has these debconf questions in place already: nothing gets asked
- if the user has apt-listchanges installed, the NEWS file will be shown stating these changes
Together with this change we are also adding a DEP8 test to exercise the debconf prompts and behavior.
Diff: https://code.launchpad.net/~ahasenack/ubuntu/+source/isc-kea/+git/isc-kea/+merge/439352
PPA build: https://launchpad.net/~ahasenack/+archive/ubuntu/isc-kea-debconf/+packages
DEP8 run for ppa16 (amd64 and arm64):
https://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-isc-kea-debconf/lunar/amd64/i/isc-kea/20230327_174328_8c4ee@/log.gz
https://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-isc-kea-debconf/lunar/arm64/i/isc-kea/20230327_174320_7693a@/log.gz
[Original Description]
The kea-ctrl-agent package, when installed, starts a daemon (kea-ctrl-agent) that by default listens on 127.0.0.1:8000. It responds to commands like "shutdown", "config-get", and many others[1][2].
What's problematic is that these commands are accepted without authentication. Anyone on the localhost system can:
a) shutdown a kea daemon:
ubuntu@j-kea:~$ pidof kea-dhcp4
2884
ubuntu@j-kea:~$ curl -X POST -H "Content-Type: application/json" -d '{ "command": "shutdown", "service": [ "dhcp4" ] }' http://localhost:8000/
[ { "result": 0, "text": "Shutting down." } ]ubuntu@j-kea:~$
ubuntu@j-kea:~$ pidof kea-dhcp4
ubuntu@j-kea:~$
b) read the config file (in this example, I made the config file 0640 root:_kea so the ubuntu user cannot read it):
ubuntu@andreas-isc-kea-server:~$ cat /etc/kea/kea-dhcp4.conf
cat: /etc/kea/kea-dhcp4.conf: Permission denied
ubuntu@andreas-isc-kea-server:~$ curl -X POST -H "Content-Type: application/json" -d '{ "command": "config-get", "service": [ "dhcp4" ] }' http://localhost:8000/| grep secret
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4049 100 3998 100 51 134k 1751 --:--:-- --:--:-- --:--:-- 136k
[ { "arguments": { "Dhcp4": { "authoritative": false, "boot-file-name": "", "calculate-tee-times": false, "config-control": { "config-databases": [ { "name": "kea", "password": "keasecret", ....
The same could be done via the unix sockets, but the permissions there are not world writable, so this is avoided:
$ ls -la /tmp/kea*socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:13 /tmp/kea-ddns-ctrl-socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:14 /tmp/kea4-ctrl-socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:13 /tmp/kea6-ctrl-socket
One course of action is to disable listening on 127.0.0.1:8000 via the config file:
/etc/kea/kea-ctrl-agent.conf:
"Control-agent": {
"http-host": "127.0.0.1",
// If enabling HA and multi-threading, the 8000 port is used by the HA
// hook library http listener. When using HA hook library with
// multi-threading to function, make sure the port used by dedicated
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
"http-port": 8000,
(...)
Or maybe set up authentication with a user created in postinst for this purpose, with a random password. The documentation[3], at the end of section 7.2, lists a mechanism to include the username and password from an external file, so we don't have to adjust the permissions of kea-ctrl-agent.conf because of this.
Finally, there is also a question about what to do on upgrades from systems that have this unprotected open port.
1. https://kea.readthedocs.io/en/kea-2.2.0/arm/ctrl-channel.html#commands-supported-by-both-the-dhcpv4-and-dhcpv6-servers
2. https://kea.readthedocs.io/en/kea-2.2.0/arm/ctrl-channel.html#commands-supported-by-the-d2-server
3. https://kea.readthedocs.io/en/kea-2.2.0/arm/agent.html#configuration |
|
2023-03-30 12:49:48 |
Andreas Hasenack |
description |
This is a feature freeze exception request to address the security vulnerability described below in [Original Description] in the kea-ctrl-agent daemon, shipped in the bin:kea-ctrl-agent package.
Upstream was contacted: https://lists.isc.org/pipermail/kea-dev/2023-March/001001.html. Advice was to not start or not install kea-ctrl-agent.
The way this was addressed is via:
- a "high" debconf prompt giving 3 options (see below)
- a restriction on starting the kea-ctrl-agent daemon only if the /etc/kea/kea-api-password file exists and has content
- default kea-ctrl-agent config file is patched to include an "authentication" section, which hardcodes a "kea-api" username, and a password to be read from the /etc/kea/kea-api-password file.
Users who changed any of the following in the kea-ctrl-agent config file prior to this change will get a dpkg conf prompt unfortunately:
- listen address (default: 127.0.0.1)
- listen port (8000)
- path to control sockets of the other kea daemons (*)
- added/changed hooks libraries
- logging configuration (destination, method, rotation parameters, etc) (*)
(*) These were changed already in prior uploads of this package to lunar.
###
Unattended fresh installs, or upgrades from previous versions (before $now), of this package with a "next/next/next/finish" type of installation, will end up with a non-running kea-ctrl-agent daemon, because no password will be set by default.
###
Upon fresh install, or upgrade from a pre-debconf version of this package, the user will get (subject to debconf prio levels) a "high" prio debconf prompt (screenshot attached) explaining the change and asking to pick one of 3 options:
- unconfigured: do nothing. If the /etc/kea/kea-api-password file isn't in place, the service won't start (but won't fail either). This is the default for unattended installs.
- configured with random password: we generate a random password and put that in place. Service starts.
- configured with user-provided password: we ask for a password and use that. Empty passwords are not allowed. Service starts.
This should:
- fresh install: get a debconf high prio prompt with the 3 choices.
- upgrade from version-before-debconf: same as fresh install, you get the 3 choices
- if user runs dpkg-reconfigure, they get the 3 choices
- upgrade from version that has these debconf questions in place already: nothing gets asked
- if the user has apt-listchanges installed, the NEWS file will be shown stating these changes
Together with this change we are also adding a DEP8 test to exercise the debconf prompts and behavior.
Diff: https://code.launchpad.net/~ahasenack/ubuntu/+source/isc-kea/+git/isc-kea/+merge/439352
PPA build: https://launchpad.net/~ahasenack/+archive/ubuntu/isc-kea-debconf/+packages
DEP8 run for ppa16 (amd64 and arm64):
https://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-isc-kea-debconf/lunar/amd64/i/isc-kea/20230327_174328_8c4ee@/log.gz
https://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-isc-kea-debconf/lunar/arm64/i/isc-kea/20230327_174320_7693a@/log.gz
[Original Description]
The kea-ctrl-agent package, when installed, starts a daemon (kea-ctrl-agent) that by default listens on 127.0.0.1:8000. It responds to commands like "shutdown", "config-get", and many others[1][2].
What's problematic is that these commands are accepted without authentication. Anyone on the localhost system can:
a) shutdown a kea daemon:
ubuntu@j-kea:~$ pidof kea-dhcp4
2884
ubuntu@j-kea:~$ curl -X POST -H "Content-Type: application/json" -d '{ "command": "shutdown", "service": [ "dhcp4" ] }' http://localhost:8000/
[ { "result": 0, "text": "Shutting down." } ]ubuntu@j-kea:~$
ubuntu@j-kea:~$ pidof kea-dhcp4
ubuntu@j-kea:~$
b) read the config file (in this example, I made the config file 0640 root:_kea so the ubuntu user cannot read it):
ubuntu@andreas-isc-kea-server:~$ cat /etc/kea/kea-dhcp4.conf
cat: /etc/kea/kea-dhcp4.conf: Permission denied
ubuntu@andreas-isc-kea-server:~$ curl -X POST -H "Content-Type: application/json" -d '{ "command": "config-get", "service": [ "dhcp4" ] }' http://localhost:8000/| grep secret
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4049 100 3998 100 51 134k 1751 --:--:-- --:--:-- --:--:-- 136k
[ { "arguments": { "Dhcp4": { "authoritative": false, "boot-file-name": "", "calculate-tee-times": false, "config-control": { "config-databases": [ { "name": "kea", "password": "keasecret", ....
The same could be done via the unix sockets, but the permissions there are not world writable, so this is avoided:
$ ls -la /tmp/kea*socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:13 /tmp/kea-ddns-ctrl-socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:14 /tmp/kea4-ctrl-socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:13 /tmp/kea6-ctrl-socket
One course of action is to disable listening on 127.0.0.1:8000 via the config file:
/etc/kea/kea-ctrl-agent.conf:
"Control-agent": {
"http-host": "127.0.0.1",
// If enabling HA and multi-threading, the 8000 port is used by the HA
// hook library http listener. When using HA hook library with
// multi-threading to function, make sure the port used by dedicated
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
"http-port": 8000,
(...)
Or maybe set up authentication with a user created in postinst for this purpose, with a random password. The documentation[3], at the end of section 7.2, lists a mechanism to include the username and password from an external file, so we don't have to adjust the permissions of kea-ctrl-agent.conf because of this.
Finally, there is also a question about what to do on upgrades from systems that have this unprotected open port.
1. https://kea.readthedocs.io/en/kea-2.2.0/arm/ctrl-channel.html#commands-supported-by-both-the-dhcpv4-and-dhcpv6-servers
2. https://kea.readthedocs.io/en/kea-2.2.0/arm/ctrl-channel.html#commands-supported-by-the-d2-server
3. https://kea.readthedocs.io/en/kea-2.2.0/arm/agent.html#configuration |
This is a feature freeze exception request to address the security vulnerability described below in [Original Description] in the kea-ctrl-agent daemon, shipped in the bin:kea-ctrl-agent package.
Upstream was contacted: https://lists.isc.org/pipermail/kea-dev/2023-March/001001.html. Advice was to not start or not install kea-ctrl-agent.
The way this was addressed is via:
- a "high" debconf prompt giving 3 options (see below)
- a restriction on starting the kea-ctrl-agent daemon only if the /etc/kea/kea-api-password file exists and has content
- default kea-ctrl-agent config file is patched to include an "authentication" section, which hardcodes a "kea-api" username, and a password to be read from the /etc/kea/kea-api-password file.
Users who changed any of the following in the kea-ctrl-agent config file prior to this change will get a dpkg conf prompt unfortunately:
- listen address (default: 127.0.0.1)
- listen port (8000)
- path to control sockets of the other kea daemons (*)
- added/changed hooks libraries
- logging configuration (destination, method, rotation parameters, etc) (*)
(*) These were changed already in prior uploads of this package to lunar.
###
Unattended fresh installs, or upgrades from previous versions (before $now), of this package with a "next/next/next/finish" type of installation, will end up with a non-running kea-ctrl-agent daemon, because no password will be set by default.
###
Upon fresh install, or upgrade from a pre-debconf version of this package, the user will get (subject to debconf prio levels) a "high" prio debconf prompt (screenshot attached) explaining the change and asking to pick one of 3 options:
- unconfigured: do nothing. If the /etc/kea/kea-api-password file isn't in place, the service won't start (but won't fail either). This is the default for unattended installs.
- configured with random password: we generate a random password and put that in place. Service starts.
- configured with user-provided password: we ask for a password and use that. Empty passwords are not allowed. Service starts.
This should:
- fresh install: get a debconf high prio prompt with the 3 choices.
- upgrade from version-before-debconf: same as fresh install, you get the 3 choices
- if user runs dpkg-reconfigure, they get the 3 choices
- upgrade from version that has these debconf questions in place already: nothing gets asked
- if the user has apt-listchanges installed, the NEWS file will be shown stating these changes
Together with this change we are also adding a DEP8 test to exercise the debconf prompts and behavior.
Diff: https://code.launchpad.net/~ahasenack/ubuntu/+source/isc-kea/+git/isc-kea/+merge/439352
PPA build: https://launchpad.net/~ahasenack/+archive/ubuntu/isc-kea-debconf/+packages
DEP8 run for ppa18 (amd64 only):
https://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-isc-kea-debconf/lunar/amd64/i/isc-kea/20230329_221328_f9adf@/log.gz
[Original Description]
The kea-ctrl-agent package, when installed, starts a daemon (kea-ctrl-agent) that by default listens on 127.0.0.1:8000. It responds to commands like "shutdown", "config-get", and many others[1][2].
What's problematic is that these commands are accepted without authentication. Anyone on the localhost system can:
a) shutdown a kea daemon:
ubuntu@j-kea:~$ pidof kea-dhcp4
2884
ubuntu@j-kea:~$ curl -X POST -H "Content-Type: application/json" -d '{ "command": "shutdown", "service": [ "dhcp4" ] }' http://localhost:8000/
[ { "result": 0, "text": "Shutting down." } ]ubuntu@j-kea:~$
ubuntu@j-kea:~$ pidof kea-dhcp4
ubuntu@j-kea:~$
b) read the config file (in this example, I made the config file 0640 root:_kea so the ubuntu user cannot read it):
ubuntu@andreas-isc-kea-server:~$ cat /etc/kea/kea-dhcp4.conf
cat: /etc/kea/kea-dhcp4.conf: Permission denied
ubuntu@andreas-isc-kea-server:~$ curl -X POST -H "Content-Type: application/json" -d '{ "command": "config-get", "service": [ "dhcp4" ] }' http://localhost:8000/| grep secret
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4049 100 3998 100 51 134k 1751 --:--:-- --:--:-- --:--:-- 136k
[ { "arguments": { "Dhcp4": { "authoritative": false, "boot-file-name": "", "calculate-tee-times": false, "config-control": { "config-databases": [ { "name": "kea", "password": "keasecret", ....
The same could be done via the unix sockets, but the permissions there are not world writable, so this is avoided:
$ ls -la /tmp/kea*socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:13 /tmp/kea-ddns-ctrl-socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:14 /tmp/kea4-ctrl-socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:13 /tmp/kea6-ctrl-socket
One course of action is to disable listening on 127.0.0.1:8000 via the config file:
/etc/kea/kea-ctrl-agent.conf:
"Control-agent": {
"http-host": "127.0.0.1",
// If enabling HA and multi-threading, the 8000 port is used by the HA
// hook library http listener. When using HA hook library with
// multi-threading to function, make sure the port used by dedicated
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
"http-port": 8000,
(...)
Or maybe set up authentication with a user created in postinst for this purpose, with a random password. The documentation[3], at the end of section 7.2, lists a mechanism to include the username and password from an external file, so we don't have to adjust the permissions of kea-ctrl-agent.conf because of this.
Finally, there is also a question about what to do on upgrades from systems that have this unprotected open port.
1. https://kea.readthedocs.io/en/kea-2.2.0/arm/ctrl-channel.html#commands-supported-by-both-the-dhcpv4-and-dhcpv6-servers
2. https://kea.readthedocs.io/en/kea-2.2.0/arm/ctrl-channel.html#commands-supported-by-the-d2-server
3. https://kea.readthedocs.io/en/kea-2.2.0/arm/agent.html#configuration |
|
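The start gate and the password provisioning described in the FFe text above, as an added shell model that is not code from the isc-kea package or from the bug report. It assumes only what the report states (the /etc/kea/kea-api-password path, the _kea group, "empty passwords are not allowed"); the function names, the 24-character random password and the post-install check at the end are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the isc-kea package or the bug report.
# Models the two packaging rules the report describes: kea-ctrl-agent may
# start only when /etc/kea/kea-api-password exists and has content, and the
# password is provisioned either randomly or from user input, never empty.
# Assumed: file path and _kea group come from the report; function names and
# the 24-character password length are this example's choice.
set -u

KEA_API_PASSWORD_FILE="${KEA_API_PASSWORD_FILE:-/etc/kea/kea-api-password}"

# Start gate: succeeds (agent may start) only if the file exists and is
# non-empty. With the "unconfigured" debconf choice the file is absent, so
# the agent does not start, but nothing fails either.
kea_ctrl_agent_may_start() {
    f="${1:-$KEA_API_PASSWORD_FILE}"
    [ -f "$f" ] && [ -s "$f" ]
}

# Write the password with the same permissions the report used for the
# config file (0640 root:_kea): created under umask 077 so it is never
# world-readable, then opened to the _kea group so the agent can read it.
write_password_file() {
    f="$1"
    pw="$2"
    ( umask 077 && printf '%s\n' "$pw" > "$f" ) || return 1
    chmod 0640 "$f" || return 1
    # The _kea group does not exist on a build or test box; not fatal here.
    chgrp _kea "$f" 2>/dev/null || true
}

# Debconf choice "configured with random password".
provision_random_password() {
    f="${1:-$KEA_API_PASSWORD_FILE}"
    pw=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24)
    write_password_file "$f" "$pw"
}

# Debconf choice "configured with user-provided password"; empty is rejected.
provision_user_password() {
    f="$1"
    pw="$2"
    if [ -z "$pw" ]; then
        echo "kea-api password must not be empty" >&2
        return 1
    fi
    write_password_file "$f" "$pw"
}

# Post-install check: feed it the HTTP status (curl -w '%{http_code}') and
# body of a command sent without credentials. An agent still in the state
# the report describes answers 200 with "result": 0; one protected by the
# authentication section answers 401 instead.
unauth_command_accepted() {
    status="$1"
    body="$2"
    [ "$status" = "200" ] && printf '%s' "$body" | grep -q '"result": *0'
}
```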
2023-03-30 12:50:06 |
Andreas Hasenack |
description |
|
2023-03-31 17:53:47 |
Andreas Hasenack |
ubuntu-release-notes: status |
New |
Fix Released |
|
2023-04-01 05:40:34 |
Launchpad Janitor |
isc-kea (Ubuntu): status |
In Progress |
Fix Released |
|
2023-06-22 12:12:04 |
kevin zhang |
bug |
|
|
added subscriber kevin zhang |
2023-07-20 00:28:52 |
Bug Watch Updater |
isc-kea (Debian): status |
New |
Fix Released |
|