CFEngine Community / CFE-1783

Classes leaking from virtual environments

    Details

    • Type: Bug
    • Status: Done
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.7.0
    • Component/s: Environment Detection
    • Labels:
      None
    • Platform:
      Debian
    • Steps to reproduce:
      Manual steps provided

      Description

      Steps to reproduce.

      Consider a configuration where a host has several IP addresses with different PTR records. For a complete picture we will use a server with a Linux-VServer kernel as an example:

      <pre>
      root@host:~# vserver-stat
      CTX PROC VSZ RSS userTIME sysTIME UPTIME NAME
      40000 29 1.9G 135.9M 0m08s98 0m06s83 53m55s89 vm1
      40003 36 2.5G 41.3M 35m15s91 36m24s58 13d18h53 vm2
      root@host:~# ip addr
      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 scope host lo
      valid_lft forever preferred_lft forever
      inet 192.0.2.2/32 scope global deprecated lo
      valid_lft forever preferred_lft forever
      inet 192.0.2.3/32 scope global lo
      valid_lft forever preferred_lft forever
      2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
      link/ether d4:ae:52:be:e5:ae brd ff:ff:ff:ff:ff:ff
      inet 198.51.100.2/24 brd 198.51.100.1 scope global eth0
      valid_lft forever preferred_lft forever
      inet 198.51.100.3/32 scope global eth0
      valid_lft forever preferred_lft forever
      root@host:~# ip addr | grep inet | awk '{print $2}' | awk -F/ '{print $1}' | xargs -n1 host
      1.0.0.127.in-addr.arpa domain name pointer localhost.
      2.2.0.192.in-addr.arpa domain name pointer vm1.example.org.
      3.2.0.192.in-addr.arpa domain name pointer vm2.example.org.
      2.100.51.198.in-addr.arpa domain name pointer host.example.org.
      3.100.51.198.in-addr.arpa domain name pointer serial-number-here.example.org.
      root@host:~# cf-promises --show-classes | egrep 'vm1|vm2'
      vm1_example_org inventory,attribute_name=none,source=agent,hardclass
      vm2_example_org inventory,attribute_name=none,source=agent,hardclass
      </pre>

      As you can see, there are two IP addresses assigned to the loopback interface, 192.0.2.2/32 and 192.0.2.3/32, as part of the vserver container configuration process. Those IP addresses have PTR records, which leak to the hardware node because the PTR records of all interface addresses are resolved into classes. This is an obvious anti-pattern with a possible security threat.

      Anti-pattern.

      IP addresses are ephemeral and can be (re-)assigned in many different and uncontrollable ways (BGP, DHCP, CARP, VRRP etc.) or during migrations, as can the PTR records themselves. This has the potential to create a total mess on the hardware node.

      Potential security threat.

      An attacker might have an opportunity to manipulate DNS responses (by means of DNS poisoning, for example) to cause server role changes with undetermined effects ranging from service disruption to sensitive data leaking.

      Workaround.

      There is no reliable workaround unless the whole hard-class system, with possibly a few exceptions, is deemed unreliable and not used at all in the configuration.

              People

              • Assignee:
                jimis (Dimitrios Apostolou)
              • Reporter:
                egor E M
              • Votes:
                0
              • Watchers:
                5