The CFEngine engineering team has recently discovered two security issues in the CFEngine Enterprise product:
- CVE-2021-38379 - Publicly available exported reports
- CVE-2021-36756 - Certificate not checked in Federated Reporting
While the latter one (CVE-2021-36756) only affects CFEngine Enterprise deployments using the Federated Reporting functionality, the former one (CVE-2021-38379) affects all deployments running all supported versions of CFEngine Enterprise (and many unsupported versions, 3.5 or newer, to be more precise).
Both issues were discovered internally during development and testing, and we have no indication that these vulnerabilities have been exploited or were known outside of the development team.
CVE-2021-38379 - Publicly available exported reports
Description
CFEngine Enterprise uses the tmp directory in the HTML document root (for example https://hub.example.com/tmp/) for temporary files that need to be accessed by users of Mission Portal, the CFEngine Enterprise web user interface.
This directory needs to be publicly accessible because it includes files that are needed for basic functionality.
Unfortunately, this directory has also been used for files with exported reports, for example https://hub.example.com/tmp/CFEngine_Enterprise_advancedreports-09-15-2021-abcdef.pdf.
An attacker can request URLs in the easily predictable format shown above from the hub machine and gain access to reports generated by Mission Portal users.
Detection
All deployments running CFEngine Enterprise version 3.5 and newer are affected.
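A hub administrator who wants to know whether exported reports were fetched from the predictable /tmp/ URLs described above can scan the web server access log. The following is an added example (not CFEngine's own code); it assumes Apache combined log format, the hub name hub.example.com, and uses a heuristic (404s from guessing, and downloads without a Mission Portal referer) that is an assumption for illustration. The log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not real hub data).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Sep/2021:10:01:02 +0000] "GET /tmp/CFEngine_Enterprise_advancedreports-09-15-2021-abcdef.pdf HTTP/1.1" 200 48211 "-" "curl/7.68.0"
203.0.113.7 - - [16/Sep/2021:10:01:03 +0000] "GET /tmp/CFEngine_Enterprise_advancedreports-09-15-2021-abcdeg.pdf HTTP/1.1" 404 196 "-" "curl/7.68.0"
203.0.113.7 - - [16/Sep/2021:10:01:04 +0000] "GET /tmp/CFEngine_Enterprise_advancedreports-09-14-2021-000001.csv HTTP/1.1" 404 196 "-" "curl/7.68.0"
198.51.100.4 - - [16/Sep/2021:10:05:00 +0000] "GET /tmp/CFEngine_Enterprise_advancedreports-09-15-2021-abcdef.pdf HTTP/1.1" 200 48211 "https://hub.example.com/advancedreports" "Mozilla/5.0"
198.51.100.4 - - [16/Sep/2021:10:05:01 +0000] "GET /tmp/some_ui_asset.js HTTP/1.1" 200 1200 "https://hub.example.com/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Exported report files followed the predictable naming shown in the advisory
# (report type, MM-DD-YYYY date, short suffix, file extension).
REPORT_RE = re.compile(r'^/tmp/CFEngine_Enterprise_\w+-\d{2}-\d{2}-\d{4}-\w+\.\w+$')


def scan_report_access(log_text, hub_host="hub.example.com"):
    """Summarise, per client address, requests for exported report files under /tmp/."""
    stats = defaultdict(lambda: {"hits": 0, "misses": 0, "no_referer": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not REPORT_RE.match(m["path"]):
            continue          # not a request for an exported report
        s = stats[m["ip"]]
        if m["status"] == "200":
            s["hits"] += 1    # a report was actually served
        else:
            s["misses"] += 1  # a guessed name that did not exist
        if hub_host not in m["referer"]:
            s["no_referer"] += 1  # not navigated from a Mission Portal page
    return dict(stats)


def suspicious_clients(stats):
    """Heuristic: name guessing shows up as misses, direct fetches as missing referers."""
    return sorted(ip for ip, s in stats.items() if s["misses"] > 0 or s["no_referer"] > 0)


if __name__ == "__main__":
    result = scan_report_access(SAMPLE_LOG)
    for ip in suspicious_clients(result):
        print(ip, result[ip])
```

Run it against the hub's real access log instead of SAMPLE_LOG; a client with many misses was enumerating file names, and a hit without a referer is a report that left the hub outside a Mission Portal session.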
Impact
An attacker with network access to the hub machine (port 443) can obtain reports generated by users in Mission Portal, potentially containing sensitive data.
Mitigation
Because the mechanisms that make exported reports available to users are part of the CFEngine Enterprise binaries, the only possible mitigation for this CVE is to upgrade hub installations to one of the newest supported releases of CFEngine Enterprise, version 3.15.4-2 or 3.18.0-2. Client machines are not affected by this CVE as they do not run the Mission Portal web user interface.
The newest supported releases of CFEngine Enterprise use a separate directory for exported reports which is not publicly accessible, and the names of the exported report files are practically impossible to predict, so even logged-in users cannot get access to other users' exported reports.
This issue has been registered as CVE-2021-38379 in the official public CVE registry.
CVE-2021-36756 - Certificate not checked in Federated Reporting
Description
CFEngine Enterprise deployments using the Federated Reporting feature to collect reports from multiple hubs (called feeders) on one aggregating hub (called the superhub) do not properly check the TLS certificates of feeder hubs when connecting them to the superhub. An attacker can use IP spoofing, DNS spoofing or other common techniques to direct traffic from the superhub to their own machine instead of the real feeder hub and have it connected to the superhub. The superhub-feeder connection process exchanges secrets that are then used to ensure the integrity and authenticity of the data sent by the feeder. The attacker can therefore feed the superhub fake data or, even worse, harmful data that can damage the superhub database. Feeder hubs and their data are not affected by this vulnerability.
Detection
All CFEngine Enterprise deployments using the Federated Reporting feature are affected by this vulnerability.
Mitigation
The only possible mitigation of this vulnerability is to re-install all superhubs and re-connect all feeder hubs. The newest supported releases of CFEngine Enterprise, version 3.15.4-2 and 3.18.0-2, ensure that the TLS certificates of feeder hubs are verified, either automatically if they use standard certificates with certificate chains signed by trusted certification authorities, or manually by the admin user if they use self-signed certificates. Fortunately, superhubs usually do not serve policy (except to themselves), and the only data exclusive to them is their own reporting data and its history. The configuration, saved queries, dashboards etc. can be preserved using the Import & Export API.
To re-install all superhubs and re-connect all feeder hubs, please follow the instructions for a superhub upgrade provided as part of the online CFEngine Enterprise documentation. Please note that all feeder hubs need to be disabled (reverted to normal hubs) before they can be re-connected to superhubs.
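The two verification paths the fixed releases provide (automatic chain validation for CA-signed feeder certificates, manual admin verification for self-signed ones) next to the unverified connection the advisory describes, as an added example in Python. This is not CFEngine's own code: the transport, the function names and the fingerprint-pinning approach for self-signed certificates are assumptions for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def superhub_context_unverified():
    """Weak setting (the behaviour the advisory describes): the feeder's certificate
    is never validated, so any host answering on the port is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be disabled before switching to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def superhub_context_verified(ca_bundle=None):
    """Corrected setting for CA-signed feeder certificates: the chain must validate
    against the system trust store (or the given bundle) and match the hostname."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_verifying(ctx):
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def cert_fingerprint(cert_der):
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex, no colons."""
    return hashlib.sha256(cert_der).hexdigest()


def feeder_cert_accepted(cert_der, pinned_sha256):
    """Manual path for self-signed feeder certificates: the admin records the
    fingerprint out of band and the superhub compares it in constant time."""
    expected = pinned_sha256.lower().replace(":", "")
    return hmac.compare_digest(cert_fingerprint(cert_der), expected)


def connect_pinned(host, port, pinned_sha256, timeout=10):
    """Hypothetical helper (needs network): connect to a self-signed feeder and refuse
    to continue unless the presented certificate matches the pinned fingerprint."""
    ctx = superhub_context_unverified()   # chain cannot validate; pin the leaf instead
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not feeder_cert_accepted(der, pinned_sha256):
                raise ssl.SSLError("feeder certificate does not match pinned fingerprint")
            return tls.version()
```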
This issue has been registered as CVE-2021-36756 in the official public CVE registry.
Packages for the newest releases of CFEngine Enterprise
The previously released 3.18.0 and 3.15.4 hub packages are affected by these vulnerabilities and have been replaced by new packages.
Only the vulnerabilities were fixed in these re-releases.
The new packages have a -2 in the filename and new checksums.
They are now available in the Downloads section of the website, cf-remote, etc.
For completeness, the links to the new packages and their checksums are provided below:
3.18.0-2 packages
Operating System | Checksum |
---|---|
Debian 9 | sha256=05bceb8b50085f857d4d19a2b6a566efa9cae1ecae18fbfb237d56eef9ad1599 |
Debian 10 | sha256=a770b2cac3f09083e77f39611a8e8b6b52dd2b95d9b0419aa5aa5a933aae368b |
RHEL/CentOS 6 | sha256=adfb77b1bf0804abd1ff0c0e3d642b35f32f740399888d0d3b10ab1cbaf4fdce |
RHEL/CentOS 7 | sha256=c6cd356b2d8da807520c2ceeee5ce8ffc5f30fc035d47129bc2caa7525fbbe5f |
RHEL/CentOS 8 | sha256=d68a5351c7784de370a21fc4d91dfeb403e81143681b07d9fc468505192f2b3d |
Ubuntu 16 | sha256=dc319d1416e09f27f470d57deca0413936f00b52f81eb6f07edf22e2426db1c5 |
Ubuntu 18 | sha256=cf803129761ef27efab452c82d4078b81c7f8827474a4138f948858df25c7f97 |
Ubuntu 20 | sha256=101eefe4ffa69dfb3d3139dfdf805db909f41d20f13d362aa69e9ed0917516b2 |
3.15.4-2 packages
Operating System | Checksum |
---|---|
Debian 8 | sha256=2739b0cf23b08408305ccc93e63d4a10bf70b5c00651500f1c03d46a2fe57109 |
Debian 9 | sha256=f85eccab440fbc818e0dbfb09462a8eb700a3e20b16aeb3b77ceb19af0b20106 |
Debian 10 | sha256=a54a0293af1449d244742e80b0812a9f84a48b7b9d90838decdbeb1666d3d0c9 |
RHEL/CentOS 6 | sha256=f64330a48d23f152ac45da6426664f92f920474585662d1506f4b66769cbc59d |
RHEL/CentOS 7 | sha256=993f36a660f63acce1da1723da0db66d62c5ad6c4a55f1c293ad50656d94f2b7 |
RHEL/CentOS 8 | sha256=6ea8f76335d6a5950ef636f9e3d44737cfa9bc092a6dba702c5d2e4c9e779329 |
Ubuntu 14 | sha256=e4fccfc3b7fa6f5f31ec1d91c388cf344901bbfcb110e446d326c277f6965dde |
Ubuntu 16 | sha256=7f9540ec066cd971e7a223fdd93d85b31be58c76325c22388389e59c06745b3c |
Ubuntu 18 | sha256=5817cfb9bf5048866cb8554585cc3a24183e1f0290316371429801b023184807 |
In case of any questions, feel free to contact us.