CVE-2021-38379 & CVE-2021-36756 - Exported report permissions and certificate checking in Federated Reporting

October 27, 2021

The CFEngine engineering team has recently discovered two security issues in the CFEngine Enterprise product:

  • CVE-2021-38379 - Publicly available exported reports
  • CVE-2021-36756 - Certificate not checked in Federated Reporting

While the latter (CVE-2021-36756) only affects CFEngine Enterprise deployments that use the Federated Reporting functionality, the former (CVE-2021-38379) affects all deployments running any supported version of CFEngine Enterprise (and many unsupported versions: 3.5 or newer, to be precise). Both issues were discovered internally during development and testing, and we have no indication that these vulnerabilities have been exploited or were known outside the development team.

CVE-2021-38379 - Publicly available exported reports

Description

CFEngine Enterprise uses the tmp directory in the HTML document root (for example https://hub.example.com/tmp/) for temporary files that need to be accessed by users of Mission Portal, the CFEngine Enterprise web user interface. This directory needs to be publicly accessible because it contains files required for basic functionality. Unfortunately, it has also been used for exported reports, for example https://hub.example.com/tmp/CFEngine_Enterprise_advancedreports-09-15-2021-abcdef.pdf. Because this format is easily predictable, an attacker can request such URLs from the hub machine and obtain reports generated by Mission Portal users.

Detection

All deployments running CFEngine Enterprise version 3.5 and newer are affected.

Impact

An attacker with network access to the hub machine (port 443) can obtain reports generated by users in Mission Portal, which may contain sensitive data.
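A log check an administrator can run on a hub while the upgrade is being scheduled, added here as an example and not part of the advisory or of CFEngine's own code: it parses Apache combined-format access-log lines (an assumed format; the sample lines are constructed), lists requests for exported-report URLs under /tmp/, and flags clients that repeatedly receive 404s on report-shaped names, a pattern that a user following a Mission Portal download link does not produce.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" access-log format (an assumption
# about how the hub's httpd logs requests; adjust LOG_RE if yours differs).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Oct/2021:10:01:12 +0000] "GET /tmp/CFEngine_Enterprise_advancedreports-09-15-2021-abcdef.pdf HTTP/1.1" 200 48211 "-" "curl/7.68.0"
203.0.113.7 - - [20/Oct/2021:10:01:13 +0000] "GET /tmp/CFEngine_Enterprise_advancedreports-09-15-2021-abcdeg.pdf HTTP/1.1" 404 196 "-" "curl/7.68.0"
203.0.113.7 - - [20/Oct/2021:10:01:13 +0000] "GET /tmp/CFEngine_Enterprise_advancedreports-09-15-2021-abcdeh.pdf HTTP/1.1" 404 196 "-" "curl/7.68.0"
198.51.100.4 - - [20/Oct/2021:10:05:40 +0000] "GET /tmp/CFEngine_Enterprise_advancedreports-09-16-2021-zz12ab.pdf HTTP/1.1" 200 9000 "https://hub.example.com/" "Mozilla/5.0"
198.51.100.4 - - [20/Oct/2021:10:05:41 +0000] "GET /index.php/dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client IP, request line and status code of one combined-format line
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# exported-report URL shape from the advisory:
# /tmp/CFEngine_Enterprise_<report>-MM-DD-YYYY-<suffix>.pdf
EXPORT_RE = re.compile(r'^/tmp/CFEngine_Enterprise_\w+-\d{2}-\d{2}-\d{4}-[A-Za-z0-9]+\.pdf$')


def find_export_requests(log_text):
    """Parsed requests whose path looks like an exported report under /tmp/."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and EXPORT_RE.match(m.group("path")):
            hits.append({"ip": m.group("ip"), "path": m.group("path"),
                         "status": int(m.group("status"))})
    return hits


def summarize_by_client(log_text):
    """Per client IP: report URLs served (200) versus not found (404)."""
    stats = defaultdict(lambda: {"served": 0, "missed": 0})
    for rec in find_export_requests(log_text):
        key = "served" if rec["status"] == 200 else "missed" if rec["status"] == 404 else None
        if key:
            stats[rec["ip"]][key] += 1
    return dict(stats)


def flag_guessing_clients(log_text, min_missed=2):
    """Clients with repeated 404s on report-shaped URLs; a Mission Portal
    download link points at a name that exists, so misses stand out."""
    return sorted(ip for ip, s in summarize_by_client(log_text).items()
                  if s["missed"] >= min_missed)
```

Any 200 in the output is a report that left the hub; whether the client was an authorized user has to be decided from the IP and time, since the access log carries no Mission Portal session.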

Mitigation

Because the mechanisms that make exported reports available to users are part of the CFEngine Enterprise binaries, the only possible mitigation for this CVE is to upgrade hub installations to one of the newest supported releases of CFEngine Enterprise - version 3.15.4-2 or 3.18.0-2. Client machines are not affected by this CVE, as they don't run the Mission Portal web user interface.

The newest supported releases of CFEngine Enterprise use a separate directory for exported reports that is not publicly accessible, and the file names of exported reports are practically impossible to predict, so even logged-in users cannot access other users' exported reports.

This issue has been registered as CVE-2021-38379 in the official public CVE registry.

CVE-2021-36756 - Certificate not checked in Federated Reporting

Description

CFEngine Enterprise deployments using the Federated Reporting feature to collect reports from multiple hubs (called feeders) on one aggregating hub (called superhub) don't properly check the TLS certificates of feeder hubs when connecting them to the superhub. An attacker can use IP spoofing, DNS spoofing or other common techniques to direct traffic from the superhub to their own machine instead of the real feeder hub and get it connected to the superhub. Because the superhub-feeder connection process exchanges the secrets that are later used to ensure the integrity and authenticity of the data sent by the feeder, the attacker can then feed the superhub fake data or, even worse, harmful data that can damage the superhub database. Feeder hubs and their data are not affected by this vulnerability.

Detection

All CFEngine Enterprise deployments using the Federated Reporting feature are affected by this vulnerability.

Mitigation

The only possible mitigation of this vulnerability is to re-install all superhubs and re-connect all feeder hubs. The newest supported releases of CFEngine Enterprise - version 3.15.4-2 and 3.18.0-2 - ensure that the TLS certificates of feeder hubs are verified: automatically if they use standard certificates with chains signed by trusted certification authorities, or manually by the admin user if they use self-signed certificates. Fortunately, superhubs usually don't serve policy (except to themselves), and the only data exclusive to them is their own reporting data and its history. The configuration, saved queries, dashboards etc. can be preserved using the Import & Export API.
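The two verification modes described above, written out as an added Python example rather than CFEngine's own code: a TLS context that checks the feeder's certificate chain and hostname against trusted CAs, and, for self-signed feeder certificates, a fingerprint the admin verified out of band that must match before any secret is exchanged. The weak context beside them is the setting that lets the redirection described above succeed; the DER bytes and the ca_file parameter are constructed assumptions.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in for a feeder's DER-encoded certificate so the check runs
# offline; a real client takes it from sock.getpeercert(binary_form=True).
FAKE_FEEDER_DER = b"\x30\x82\x01\x00constructed-feeder-cert-bytes"


def cert_fingerprint(der_bytes):
    """SHA-256 over the DER cert as lowercase hex: the value an admin compares
    by hand for a self-signed feeder certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def weak_feeder_context():
    """The setting behind CVE-2021-36756: no chain or hostname check, so any
    host the superhub is steered to is accepted as the feeder."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def feeder_context(ca_file=None, pinned_fingerprint=None):
    """Automatic mode (CA-signed feeder cert): chain and hostname are checked
    by the TLS library. Manual mode (self-signed, pinned_fingerprint given):
    the handshake completes and check_pin() MUST run on the peer cert before
    any secret is sent. ca_file is an assumed optional bundle path."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if pinned_fingerprint is not None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def check_pin(der_bytes, pinned_fingerprint):
    """Constant-time compare of the presented cert with the admin-verified
    fingerprint (colons and upper case tolerated). Raises on mismatch."""
    expected = pinned_fingerprint.lower().replace(":", "")
    actual = cert_fingerprint(der_bytes)
    if not hmac.compare_digest(actual, expected):
        raise ssl.SSLCertVerificationError(
            f"feeder cert fingerprint {actual} does not match pinned value")
    return True
```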

To re-install all superhubs and re-connect all feeder hubs, please follow the instructions for a superhub upgrade provided as part of the online CFEngine Enterprise documentation. Please note that all feeder hubs need to be disabled (reverted to normal hubs) before they can be re-connected to superhubs.

This issue has been registered as CVE-2021-36756 in the official public CVE registry.

Packages for the newest releases of CFEngine Enterprise

The previously released 3.18.0 and 3.15.4 hub packages are affected by these vulnerabilities and have been replaced by new packages. Only the vulnerabilities were fixed in these re-releases. The new packages have a -2 in the filename and new checksums. They are now available in the Downloads section of the website, cf-remote, etc. For completeness, the links to the new packages and their checksums are provided below:

In case of any questions, feel free to contact us.