We are writing to inform you about a security issue that was discovered in CFEngine 3.6.0 and later versions. Our development team found the vulnerabiliy relating to inadequate access control / unauthorized access to system files. MITRE assigned the CVE identifier CVE-2023-26560. We have no indications that this vulnerability has been used or known outside of the CFEngine development team.
Explanation
The issue is that Mission Portal users can access certain files through scheduled reports, as these reports are run with elevated privileges, without additional checks to limit what can be queried.
Within SQL queries (in PostgreSQL) you can use functions like pg_read_binary_file to access files on the file system.
This issue is limited to scheduled reports, due to the different context where those queries are run.
Impact
Using scheduled reports and PostgreSQL functions like pg_read_binary_file, Mission Portal users can read files they should not have access to, such as database contents from /var/cfengine/state/pg/data/, logs and other files which the cfpostgres system user has access to.
It should be noted that the user needs access to scheduled reports and this is not enabled by default when creating new users.
The concern is around non-admin users which have been granted permission to use scheduled reports through the RBAC settings.
The database files could allow someone to restore the database, and among other things, get access to:
- Information about hosts they should not see due to RBAC filtering.
- The LDAP username and password used in settings to set up LDAP authentication (if this feature is used).
- Usernames and password hashes for all (non LDAP) Mission Portal users.
Remediation
We recommend installing one of the new versions of the CFEngine hub packages listed on our download pages, as well as rotating users’ passwords and CFEngine secrets. The newly released CFEngine 3.18.4 and 3.21.1 versions contain only fixes for the mentioned issue, and thus should be non-problematic to install on top of CFEngine 3.18.3 or 3.21.1. If you have LDAP configured, please also rotate the LDAP user password you have in the Authentication settings. For your information, we do not store Mission Portal users’ raw passwords, they are hashed.
Note that since this issue only affects the CFEngine Enterprise hub, installing the hub package is enough to remediate the issue. Pay attention to the upgrade instructions, especially if you are upgrading from a version older than 3.18.3, as you should first upgrade your policy set.
Workaround / hotfix
In the case where updating hub packages is not possible, you can use this hotfix. The hotfix restricts access to the affected files and rotates secrets.
https://cfengine.com/blog/2023/hotfix-CVE-2023-26560-v1.0.0.cf
However, we would like to make you aware that after applying the hotfix, the root database user will no longer be able to make schema changes to the database.
This is because the hotfix removes the superuser role from it.
But you can still manage the database under the cfpostgres user.
