Description
The CFEngine engineering team has recently discovered a severe security
issue in the CFEngine Enterprise product. CFEngine uses internal secrets
for authentication to the Mission Portal API and the PostgreSQL database
when running background maintenance tasks. These internal secrets are
randomly generated during the installation process and stored in files
which only the root user has access to. Unfortunately, the commands that
generate and store the secrets were being logged to the
/var/log/CFEngineHub-Install.log installation log, which was
world-readable and thus accessible to any user logged in to the system
(on the hub machine). Please note that this only affects hub hosts;
agent hosts don’t generate or use such internal secrets.
Detection
To find out if a system is affected, check the permissions of the
/var/log/CFEngineHub-Install.log file and check whether the secrets are
there. An easy way to perform this check:
$ ll -d /var/log/CFEngineHub-Install.log
-rw-r--r--. 1 root root 36410 May 23 11:27 /var/log/CFEngineHub-Install.log
$ grep -P '(SECRET|PW)' /var/log/CFEngineHub-Install.log
+ '[' -f /var/cfengine/CF_CLIENT_SECRET_KEY.tmp ']'
+ sed -i s/CFE_CLIENT_SECRET_KEY/wBosnkNR247KLVJpIvJYXSAp8zJv1259/ /var/cfengine/share/GUI/application/config/appsettings.php
+ sed -i s/CFE_CLIENT_SECRET_KEY/wBosnkNR247KLVJpIvJYXSAp8zJv1259/ /var/cfengine/share/db/ootb_settings.sql
+ sed -i s/LDAP_API_SECRET_KEY/wBosnkNR247KLVJpIvJYXSAp8zJv1259/ /var/cfengine/share/GUI/application/config/appsettings.php
+ sed -i s/LDAP_API_SECRET_KEY/wBosnkNR247KLVJpIvJYXSAp8zJv1259/ /var/cfengine/share/GUI/ldap/config/settings.php
+ sed -i '/LDAP_API_SECRET_KEY/s/'\'''\''/'\''wBosnkNR247KLVJpIvJYXSAp8zJv1259'\''/' /var/cfengine/share/GUI/api/config/config.php
+ CFE_ROBOT_PWD=eFKzEV7yr5Xv0FiYRwLZxIJA7DLT6OXS
+ rm -f /var/cfengine/CF_CLIENT_SECRET_KEY.tmp
The above results are from an affected host: the log file is
world-readable (the third r in the permissions) and it contains the
secrets.
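The same check as a script, added here as an example (it is not part of the original advisory or of CFEngine's own tooling): it reports the log's permissions and the line numbers that mention the secret keywords, without printing the secret values. The function names and exit codes are assumptions for illustration, and the sample log is constructed.

```shell
#!/bin/sh
# Added example: audit a hub installation log for the exposure described above.
# Only the file mode and matching line numbers are reported, never the secrets.

PATTERN='SECRET|PW'   # same keywords as the grep shown in the advisory

# Prints "world-readable" if the "other" read bit is set, else "restricted".
log_exposure() {
    if [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]; then
        echo world-readable
    else
        echo restricted
    fi
}

# Prints how many lines mention the secret keywords (0 if none).
secret_line_count() {
    grep -E -c "$PATTERN" "$1" 2>/dev/null || true
}

# Prints the matching line numbers, space separated, without the line text.
secret_line_numbers() {
    grep -E -n "$PATTERN" "$1" 2>/dev/null | cut -d: -f1 | paste -s -d ' ' -
}

# Exit status: 0 no secrets logged, 1 secrets readable by every local user,
# 2 secrets logged but file restricted, 3 log missing or unreadable.
audit_install_log() {
    log=${1:-/var/log/CFEngineHub-Install.log}
    [ -r "$log" ] || { echo "$log: missing or unreadable (run as root)"; return 3; }
    exposure=$(log_exposure "$log")
    count=$(secret_line_count "$log")
    echo "$log: $exposure, $count matching line(s)"
    [ "$count" -gt 0 ] || return 0
    echo "matching line numbers: $(secret_line_numbers "$log")"
    [ "$exposure" = world-readable ] && return 1
    return 2
}

# Constructed sample log (placeholder values, not real secrets) for a dry run.
demo=$(mktemp)
cat > "$demo" <<'EOF'
+ mkdir -p /var/cfengine
+ sed -i s/CFE_CLIENT_SECRET_KEY/EXAMPLE-PLACEHOLDER/ /var/cfengine/share/db/ootb_settings.sql
+ CFE_ROBOT_PWD=EXAMPLE-PLACEHOLDER
EOF
chmod 644 "$demo"
audit_install_log "$demo" || echo "audit exit status: $?"
rm -f "$demo"
```

On a hub, call `audit_install_log` with no argument as root to check the real log. Exit status 2 means the secrets are still in the file even though its mode is now restricted.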
Impact
The internal CFE_ROBOT Mission Portal user has the admin role.
Logging in to Mission Portal or authenticating to the API as this user
would allow the attacker to change any configurable option in Mission
Portal, add, modify or delete user accounts, or even change the version
control system configuration to distribute policy of their choice to all
hosts bootstrapped to an affected hub (including the hub itself). Any
user logged in to an affected hub’s operating system can read the
authentication secrets from the /var/log/CFEngineHub-Install.log log
file.
Mitigation
In order to mitigate the issue, the secrets need to be rotated (regenerated). Care must be taken to avoid logging the new secrets in some place accessible to non-root users. The CFEngine team provides two options to rotate the secrets:
- a shell script (checksum, 63b7da16850858944afd80bf7dfc04edfb8267dc9607809e80ca90c2edb44c89) and
- a policy (checksum, ac6e5bfcc309d7c2f029d48ccc6b81f7757833db94b1186bb99306190287915e).
Administrators of affected systems are advised to download and run the shell script or the policy, or to manually execute the steps based on the contents of the shell script. The CFEngine team has also patched the installation scripts to:
- set the correct permissions for the /var/log/CFEngineHub-Install.log installation log file,
- avoid leaking internal authentication secrets into the log file and to
- rotate the internal authentication secrets when upgrading CFEngine.
These patches are included in both of the recent LTS releases, 3.10.6 and 3.12.2, and will also be included in the upcoming non-LTS 3.14.0 release. In the 3.14.0 release the CFE_ROBOT user will no longer have the admin role, but more restricted access. This issue has been registered as CVE-2019-9929 in the official public CVE registry. We have been in contact with and provided a solution to all our customers in advance of publishing this. In case of any questions, feel free to contact us.