Leaks wireguard keys

Bug #2065738 reported by Dave Jones
Affects              Status        Importance  Assigned to  Milestone
netplan.io (Ubuntu)  Fix Released  High        Unassigned

Bug Description

My netplan configuration is mode 600 (root read-write only), as it contains a wireguard VPN configuration, including a private key. Unfortunately, while netplan renders the wireguard interface correctly, it does so with world-readable files in /run/systemd/network, leaving the wireguard private key exposed to other processes. To reproduce:

1. Generate wireguard key-pair on client: wg genkey | tee key | wg pubkey > key.pub
2. cat key

  +I55zxsqXrV7mZ0AUogz9jb3s82kBn42qxS8XWwgrWw=

3. cat key.pub

  RwBIJkrps+oi3N75shwzyivUhwrvn5MagmznfibQdDU=

4. Configure netplan with wireguard client configuration (/etc/netplan/50-cloud-init.yaml):

  network:
    version: 2
    ethernets:
      eth0:
        dhcp4: true
    tunnels:
      wg0:
        mode: wireguard
        optional: true
        key: +I55zxsqXrV7mZ0AUogz9jb3s82kBn42qxS8XWwgrWw=
        addresses:
          - 192.168.2.5/24
        nameservers:
          search: [waveform.org.uk]
          addresses: [192.168.2.1]
        routes:
          - to: 192.168.2.0/24
        peers:
          - allowed-ips:
            - 192.168.2.0/24
            endpoint: 1.2.3.4:41194
            keys:
              public: RwBIJkrps+oi3N75shwzyivUhwrvn5MagmznfibQdDU=

5. Run sudo netplan apply
6. Check modes of netplan configuration and the generated configuration under /run/systemd/network

  $ ls -l /etc/netplan/50-cloud-init.yaml
  -rw------- 1 root root 900 May 13 17:16 50-cloud-init.yaml
  $ ls -l /run/systemd/network/*wg0*
  -rw-r--r-- 1 root root 246 Apr 19 15:25 10-netplan-wg0.netdev
  -rw-r--r-- 1 root root 194 Apr 19 15:25 10-netplan-wg0.network

7. Check your private key in /run/systemd/network/10-netplan-wg0.netdev from an unprivileged user:

  $ sudo grep key: /etc/netplan/50-cloud-init.yaml
        key: +I55zxsqXrV7mZ0AUogz9jb3s82kBn42qxS8XWwgrWw=
  $ grep PrivateKey= /run/systemd/network/10-netplan-wg0.netdev
  PrivateKey=+I55zxsqXrV7mZ0AUogz9jb3s82kBn42qxS8XWwgrWw=

(the keys above are ephemeral ones I generated for the purpose of this report; they're not secret and can be exposed without harm)

Tags: fr-2634
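As an added check (example code written for this page, not netplan's code and not the reporter's): a POSIX shell audit that walks the directories named in the report and lists files carrying a WireGuard private key that users other than the owner can read. The secret-line patterns (PrivateKey=, PresharedKey=, key:, private:), the "group or other read bit set" test, and the fixture files it builds in a temporary directory are assumptions of this example; the key string in the fixture is a dummy, not a real key.

```shell
#!/bin/sh
# Added example, not code from netplan or from the bug report: audit back-end
# configuration files for secrets that users other than root can read.
# Assumptions (this example's, not the page's): a file carries a secret if a
# line starts with PrivateKey= / PresharedKey= (systemd-networkd) or key: /
# private: (netplan YAML); "too permissive" means the group or other read bit
# is set, which is the condition networkd warns about in the journal.

# audit_secret_perms DIR...
# Prints "MODE PATH" for each offending file. Returns 1 if any were found,
# 0 if every secret-carrying file is readable by its owner only.
audit_secret_perms() {
    rc=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            grep -Eq '^[[:space:]]*(PrivateKey=|PresharedKey=|key:|private:)' "$f" \
                || continue
            # columns 1-10 of `ls -l` are the mode string, e.g. -rw-r--r--;
            # column 5 is the group read bit and column 8 the other read bit
            perms=$(ls -ld "$f" | cut -c1-10)
            case "$(printf '%s' "$perms" | cut -c5,8)" in
                *r*) printf '%s %s\n' "$perms" "$f"; rc=1 ;;
            esac
        done
    done
    return "$rc"
}

# make_fixture: build a constructed look-alike of /run/systemd/network in a
# temporary directory and print its path. DUMMYKEY= is not a real key.
make_fixture() {
    d=$(mktemp -d)
    # world-readable .netdev carrying the secret, as in the report
    printf '[NetDev]\nName=wg0\nKind=wireguard\n\n[WireGuard]\nPrivateKey=DUMMYKEY=\n' \
        > "$d/10-netplan-wg0.netdev"
    chmod 0644 "$d/10-netplan-wg0.netdev"
    # companion .network file: world-readable but holds no secret, so not reported
    printf '[Match]\nName=wg0\n\n[Network]\nAddress=192.168.2.5/24\n' \
        > "$d/10-netplan-wg0.network"
    chmod 0644 "$d/10-netplan-wg0.network"
    # the same .netdev with owner-only permissions: must not be reported
    cp "$d/10-netplan-wg0.netdev" "$d/20-fixed-wg0.netdev"
    chmod 0600 "$d/20-fixed-wg0.netdev"
    printf '%s\n' "$d"
}

# Stand-alone demonstration on the constructed fixture.
demo() {
    d=$(make_fixture)
    if audit_secret_perms "$d"; then
        echo "no exposed secrets under $d"
    else
        echo "exposed secret files found under $d (listed above)"
    fi
    rm -rf "$d"
}
demo
```

On a live host, `audit_secret_perms /run/systemd/network /etc/netplan` reproduces the finding from step 6 of the report: an unpatched system lists the .netdev file with mode -rw-r--r--, and after the fix the generated files should no longer appear. The audit only inspects the read bits; it deliberately does not chmod anything, because systemd-networkd runs under its own account and the correct owner/group for the generated files is the generator's decision, not the auditor's.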

Revision history for this message
Lukas Märdian (slyon) wrote :

ACK. There's also a warning about it in the journal:

systemd-networkd[537]: /run/systemd/network/10-netplan-home0.netdev has 0644 mode that is too permissive, please adjust the ownership and access mode.

See FR-2634 and bug #1987842

Changed in netplan.io (Ubuntu):
status: New → Triaged
importance: Undecided → High
tags: added: fr-2634
Revision history for this message
Mark Esler (eslerm) wrote :

Please refer to this issue as CVE-2022-4968.

Marking this bug as a duplicate to https://bugs.launchpad.net/netplan/+bug/1987842

information type: Private Security → Public Security
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netplan.io - 1.0-2ubuntu1.1

---------------
netplan.io (1.0-2ubuntu1.1) noble-security; urgency=medium

  * SECURITY UPDATE: weak permissions on secret files, command injection
    - d/p/lp2065738/0014-libnetplan-use-more-restrictive-file-permissions.patch:
      Use more restrictive file permissions to prevent unprivileged users from
      reading sensitive data in back end files (LP: #2065738, #1987842)
    - CVE-2022-4968
    - d/p/lp2066258/0015-libnetplan-escape-control-characters.patch:
      Escape control characters in the parser and double quotes in backend
      files.
    - d/p/lp2066258/0016-backends-escape-file-paths.patch:
      Escape special characters in file paths.
    - d/p/lp2066258/0017-backends-escape-semicolons-in-service-units.patch:
      Escape isolated semicolons in systemd service units. (LP: #2066258)
  * debian/netplan-generator.postinst: Add a postinst maintainer script to call
    the generator. It's needed so the file permissions fixes will be applied
    automatically, thanks to danilogondolfo

 -- Sudhakar Verma <email address hidden> Tue, 25 Jun 2024 00:13:00 +0530

Changed in netplan.io (Ubuntu):
status: Triaged → Fix Released
This report contains Public Security information  