oCERT-2014-006 Ganeti insecure archive permission

Description:

Ganeti, an open source virtualisation manager, suffers from an insecure file permission vulnerability that leads to sensitive information disclosure.

The Ganeti upgrade command 'gnt-cluster upgrade' creates an archive of the current configuration of the cluster (e.g. the contents of '/var/lib/ganeti'). The archive is named following the pattern ganet*.tar and is written to '/var/lib/'. Such archives are written with overly lax permissions, making it possible to read them as an unprivileged user.

The configuration archive contains sensitive information, including SSL keys for the inter-node RPC communication as well as the credentials for the remote API (RAPI). Such information can be used to control various operations of the cluster, including shutting down and removing instances and nodes from the cluster, or assuming the identity of the cluster in a MITM attack.

This vulnerability only affects Ganeti clusters meeting the following criteria:

In the fixed releases the upgrade command sets the permissions of the archives properly. However, in case previous versions have created an unsafe archive already, the following mitigations are advised:
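The following shell functions are an added example, not part of the oCERT advisory or of Ganeti itself: they locate ganet*.tar archives under /var/lib that carry group- or world-readable bits, tighten them to owner-only, and show how to write such an archive under a restrictive umask so that no readable window exists. They assume GNU find (for '-perm /mode') and the archive name and location stated above; ARCHIVE_DIR is a hypothetical override.

```shell
#!/bin/sh
# Added example (not from the advisory or the Ganeti project). Assumes GNU
# find and the advisory's naming: ganet*.tar archives directly under /var/lib.
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/lib}"

# List every ganet*.tar in the directory (argument, default ARCHIVE_DIR) that
# has any group/other read bit set (octal 044). Returns 0 when nothing is
# exposed and 1 when at least one lax archive was printed.
find_lax_archives() {
    dir="${1:-$ARCHIVE_DIR}"
    found=$(find "$dir" -maxdepth 1 -type f -name 'ganet*.tar' -perm /044 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Restrict every such archive to owner read/write only (0600). Unrelated
# files in the directory are left untouched.
fix_lax_archives() {
    dir="${1:-$ARCHIVE_DIR}"
    find "$dir" -maxdepth 1 -type f -name 'ganet*.tar' -perm /044 \
        -exec chmod 0600 {} + 2>/dev/null
}

# Write an archive of a directory without ever exposing it: with umask 077
# tar creates the output file as 0600 from the first byte, so there is no
# interval during which the file is readable by other users.
safe_archive() {
    src="$1"
    out="$2"
    ( umask 077 && tar -cf "$out" -C "$(dirname "$src")" "$(basename "$src")" )
}
```

Run find_lax_archives as root on each node after an upgrade; a non-zero exit means an archive still needs fix_lax_archives (and the exposed RAPI credentials and SSL keys should be considered compromised).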

Affected version:

Ganeti >= 2.10.0, <= 2.10.6

Ganeti >= 2.11.0, <= 2.11.4

Fixed version:

Ganeti >= 2.10.7

Ganeti >= 2.11.5

Credit: vulnerability report, PoC received from Ganeti authors Helga Velroyen <helgav AT google.com> and Guido Trotter <ultrotter AT google.com>, patch created by Apollon Oikonomopoulos.

CVE: CVE-2014-5247

Timeline:

2014-08-07: vulnerability report received
2014-08-07: disclosure coordinated on 2014-08-12
2014-08-08: contacted affected vendors
2014-08-12: advisory release
2014-08-14: assigned CVE

References:
http://git.ganeti.org/?p=ganeti.git;a=commit;h=a89f62e2db9ccf715d64d1a6322474b54d2d9ae0