Config management and automation vendor CFEngine has warned users of a “severe security issue” in its Enterprise product and issued workarounds and patches.
Explaining the flaw, the company said “CFEngine is using some internal secrets for authentication to the Mission Portal API and the PostgreSQL database when running background maintenance tasks.” These internal secrets are randomly generated during the installation process and stored in files only the root user can access.
However, the firm continued, its engineers recently discovered the commands that generate and store the secrets were being “logged to the /var/log/CFEngineHub-Install.log installation log.”
This was “world-readable and thus accessible for any user logged in to the system (on the hub machine)”. CFEngine said the flaw only affects the hub hosts, and agent hosts don’t generate and use such internal secrets.
The upshot was that “the internal CFE_ROBOT Mission Portal user has the admin role” and “logging in to Mission Portal or authenticating to the API as this user” would allow an attacker to carry a range of very bad things.
These include changing any configurable option in the Mission Portal, as well as adding, modifying or deleting user accounts, or changing the version control system configuration “to distribute [the] policy of their choice to all hosts bootstrapped to an affected hub (including the hub itself).”
Any user logged in to an affected hub’s operating system can read the authentication secrets from the /var/log/CFEngineHub-Install.log log file.
The solution is to rotate (regenerate) the secrets, said CFEngine – remembering to avoid logging the new secrets into some equally exposed space. The company’s engineers have provided two options to rotate the secrets – a shell script and a policy – as well as patches. All are available here.