Security Release: 17.01.2017, 15:00 CET

n.wenselowski
Ex-uib-Team
Posts: 3194
Registered: 04 Apr 2013, 12:15

Post by n.wenselowski »

Dear opsi-users,

we want to inform you that we will release a security-related update on 17.01.2017 at around 15:00 CET.

Further information will be made available at that time.


With kind regards

Niko Wenselowski


Re: Security Release: 17.01.2017, 15:00 CET

Post by n.wenselowski »

Dear opsi users,

we have been made aware of a Privilege Escalation in opsi by Simon Bieber, penetration tester at secuvera GmbH, Germany.

Problem

If an attacker gains administrative rights on an opsi client, it is possible to gain access to the credentials of that client.
These credentials grant access to the web interface of the corresponding opsi-server.
Through the use of hostControl- or hostControlSafe-methods an attacker can gain access to other opsi clients and may execute arbitrary commands on these machines.
Our further investigations revealed additional malicious possibilities.

All server instances that use a python-opsi version lower than 4.0.7.28-4 and use the default acl configuration are affected.
Users with a custom acl configuration may be affected.

We also investigated a possible problem with IP verification in opsiconfd and found that the verification may allow access where it is expected to be prohibited.

Server instances that use an opsiconfd version lower than 4.0.7.4.1-1 with an active "verify ip" setting are affected.

Solution

The problem of a too liberal ACL configuration can be avoided by restricting the access for opsi clients through the ACL configuration.

Before applying any change to your configuration create a backup of your current /etc/opsi/backendManager/acl.conf!

To resolve the problem we strongly recommend putting the following into your /etc/opsi/backendManager/acl.conf above the line starting with backend_.*:

Code:

backend_deleteBase     : sys_group(opsiadmin)
hostControl.*          : sys_group(opsiadmin); opsi_depotserver

For a custom acl.conf we recommend putting these lines above all other statements.

In a multi-depot environment this patch should be applied to every depot.

We released python-opsi 4.0.7.28-5 which features an updated acl.conf.default with the proposed change. The packages will become available shortly at the opsi repositories.

In addition to that we prepared an even stricter ACL configuration.
Please note that this may cause problems with custom tools that access the webservice API.
If access to a method is denied a string like Access to method 'methodname' denied for user is logged - where methodname is the name of the method that is being called.

The complete file can be found at http://download.uib.de/opsi4.0/misc/acl/acl.conf-strict

If you use either the local-image or the WAN extension we recommend to use the following configuration that adds some required exceptions: http://download.uib.de/opsi4.0/misc/acl ... ocal-image

If for any reason you want to revert to the old acl.conf.default you can find it at https://github.com/opsi-org/python-opsi ... nf.default
This is not recommended!

To fix the problem with IP verification we released opsiconfd 4.0.7.4.1-1 that contains updated modules. The packages will become available shortly at the opsi repositories.

Expected Downtime

The change to the ACL configuration file takes effect immediately for new sessions and no restart of opsiconfd is required.
However we recommend restarting opsiconfd as soon as possible to avoid misuse of already opened sessions.

To make opsiconfd use the updated module a restart of opsiconfd is required.

You can restart opsiconfd with the following command:

Code:

service opsiconfd restart

In a multi-depot environment we recommend restarting the service on all depots as soon as possible.

References

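The advisory stresses that the two new rules must sit above the generic backend_.* line. The following added example (not part of the post or of python-opsi) shows why the position matters: it parses acl.conf-style rules and reports which rule decides access for a method. It assumes first-match, top-to-bottom evaluation with re.match semantics, a constructed "liberal" catch-all that includes opsi_client, and the method names hostControl_start / hostControlSafe_start.

```python
import re

# Constructed sample in acl.conf syntax (pattern : acl; acl), with the two
# rules from the advisory placed above the backend_.* line.
PATCHED_ACL = """
# comments and blank lines are ignored
backend_deleteBase     : sys_group(opsiadmin)
hostControl.*          : sys_group(opsiadmin); opsi_depotserver
backend_.*             : sys_group(opsiadmin); opsi_depotserver
host_.*                : sys_group(opsiadmin); opsi_depotserver; self; opsi_client
.*                     : sys_group(opsiadmin); opsi_depotserver; opsi_client
"""

# Same rules, but the hostControl.* line was appended at the bottom: the
# constructed catch-all ".*" (which grants opsi_client) matches first.
MISORDERED_ACL = """
backend_.*             : sys_group(opsiadmin); opsi_depotserver
host_.*                : sys_group(opsiadmin); opsi_depotserver; self; opsi_client
.*                     : sys_group(opsiadmin); opsi_depotserver; opsi_client
hostControl.*          : sys_group(opsiadmin); opsi_depotserver
"""


def parse_acl(text):
    """Return [(compiled pattern, [acl entries])] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, acl = line.partition(":")
        entries = [e.strip() for e in acl.split(";") if e.strip()]
        rules.append((re.compile(pattern.strip()), entries))
    return rules


def effective_rule(rules, method):
    """Assumed semantics: the first pattern matching the method name wins."""
    for pattern, entries in rules:
        if pattern.match(method):
            return pattern.pattern, entries
    return None, []


def client_allowed(text, method):
    """True if the rule in effect for `method` grants the opsi_client role."""
    _, entries = effective_rule(parse_acl(text), method)
    return "opsi_client" in entries


def mitigation_in_effect(text):
    """Advisory check: no opsi client may reach hostControl* or backend_deleteBase."""
    methods = ("hostControl_start", "hostControlSafe_start", "backend_deleteBase")
    return not any(client_allowed(text, m) for m in methods)
```

Run mitigation_in_effect over the real /etc/opsi/backendManager/acl.conf after editing it to confirm the new lines were not placed below a broader pattern.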