Dear opsi-users,
we want to inform you that we will release a security-related update on 17.01.2017 at around 15:00 CET.
Further information will be made available at that time.
With kind regards
Niko Wenselowski
Security Release: 17.01.2017, 15:00 CET
- n.wenselowski
- Ex-uib-Team
- Posts: 3194
- Registered: 04 Apr 2013, 12:15
- n.wenselowski
- Ex-uib-Team
- Posts: 3194
- Registered: 04 Apr 2013, 12:15
Re: Security Release: 17.01.2017, 15:00 CET
Dear opsi users,
we have been made aware of a Privilege Escalation in opsi by Simon Bieber, penetration tester at secuvera GmbH, Germany.
Problem
If an attacker gains administrative rights on an opsi client, it is possible to gain access to the credentials of the client.
These credentials grant access to the web interface of the corresponding opsi server.
Through the use of hostControl or hostControlSafe methods, an attacker can gain access to other opsi clients and may execute arbitrary commands on these machines.
Our further investigations revealed additional malicious possibilities.
All server instances that use a python-opsi version lower than 4.0.7.28-4 and use the default acl configuration are affected.
Users with a custom acl configuration may be affected.
We also investigated a possible problem with IP verification in opsiconfd and found that the verification may allow access where it is expected to be prohibited.
Server instances that use an opsiconfd version lower than 4.0.7.4.1-1 with an active "verify ip" setting are affected.
Solution
The problem of a too liberal ACL configuration can be avoided by restricting access for opsi clients through the ACL configuration.
Before applying any change to your configuration create a backup of your current /etc/opsi/backendManager/acl.conf!
To resolve the problem we strongly recommend putting the following into your /etc/opsi/backendManager/acl.conf above the line starting with backend_.*:
Code:
backend_deleteBase : sys_group(opsiadmin)
hostControl.* : sys_group(opsiadmin); opsi_depotserver
For a custom acl.conf we recommend putting these lines above all other statements.
In a multi-depot environment this patch should be applied to every depot.
We released python-opsi 4.0.7.28-5 which features an updated acl.conf.default with the proposed change. The packages will become available shortly at the opsi repositories.
In addition to that we prepared an even stricter ACL configuration.
Please note that this may cause problems with custom tools that access the webservice API.
If access to a method is denied, a string like "Access to method 'methodname' denied for user" is logged, where methodname is the name of the method being called.
The complete file can be found at http://download.uib.de/opsi4.0/misc/acl/acl.conf-strict
If you use either the local-image or the WAN extension we recommend to use the following configuration that adds some required exceptions: http://download.uib.de/opsi4.0/misc/acl ... ocal-image
If for any reason you want to revert to the old acl.conf.default you can find it at https://github.com/opsi-org/python-opsi ... nf.default
This is not recommended!
To fix the problem with IP verification we released opsiconfd 4.0.7.4.1-1 that contains updated modules. The packages will become available shortly at the opsi repositories.
Expected Downtime
The change to the ACL configuration file takes effect immediately for new sessions and no restart of opsiconfd is required.
However, we recommend restarting opsiconfd as soon as possible to avoid misuse of already opened sessions.
To make opsiconfd use the updated module a restart of opsiconfd is required.
You can restart opsiconfd with the following command:
Code:
service opsiconfd restart
References
- secuvera security advisory 2017-01 - https://www.secuvera.de/advisories/secu ... 017-01.txt (will be released after sufficient time to install the patched version, at the latest on 2017-01-30)
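The ACL fix in the post above only works if the two new lines are hit before the more permissive rules, and a single hostControl.* pattern is what covers both the hostControl and the hostControlSafe method families. The following Python script is an added example written for this page, not code from uib or the opsi project. It assumes (none of this is confirmed by the post) that an acl.conf line has the form "<method regex> : <acl token>; <acl token>", that "#" starts a comment, that the first entry whose regex matches the start of a method name decides access, and that the tokens are all, opsi_client, opsi_depotserver, sys_group(...) and sys_user(...). The method names, the three sample acl.conf variants and the sample log lines are constructed; only the "Access to method '...' denied for user" message text is taken from the post.

```python
"""Pre-flight check for an opsi acl.conf against the advisory's recommendation.

Added example for this page, not code from uib or the opsi project. Assumed
(not confirmed by the post): an acl.conf line reads "<method regex> : <acl>; <acl>",
'#' starts a comment, the first entry whose regex matches the start of a method
name decides access (which is why the post says to place the lines above
backend_.*), and the tokens are all, opsi_client, opsi_depotserver,
sys_group(<group>) and sys_user(<user>).
"""
import re

# Constructed samples, not the shipped acl.conf.default. WEAK lets generic rules
# answer for hostControl methods; FIXED carries the two lines from the advisory
# above backend_.*; MISORDERED appends the same two lines at the bottom, where
# the catch-all .* rule wins first-match and the fix does nothing.
ACL_CONF_WEAK = """\
backend_.* : all
.* : all
"""

ACL_CONF_FIXED = """\
# lines recommended in the advisory
backend_deleteBase : sys_group(opsiadmin)
hostControl.* : sys_group(opsiadmin); opsi_depotserver
backend_.* : all
.* : all
"""

ACL_CONF_MISORDERED = ACL_CONF_WEAK + """\
backend_deleteBase : sys_group(opsiadmin)
hostControl.* : sys_group(opsiadmin); opsi_depotserver
"""

ACL_LINE = re.compile(r"^(?P<pattern>\S+)\s*:\s*(?P<acl>.+?)$")


def parse_acl(text):
    """Ordered list of (compiled method regex, [acl tokens]); the order is the whole point."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumed comment syntax
        if not line:
            continue
        m = ACL_LINE.match(line)
        if not m:
            raise ValueError("unparseable acl.conf line: %r" % raw)
        tokens = [t.strip() for t in m.group("acl").split(";") if t.strip()]
        rules.append((re.compile(m.group("pattern")), tokens))
    return rules


def first_match(rules, method):
    """Tokens of the first rule whose regex matches the method name, or [] if none matches."""
    for pattern, tokens in rules:
        if pattern.match(method):
            return tokens
    return []


def token_allows(token, identity):
    """identity: {'kind': 'opsi_client' | 'opsi_depotserver' | 'user', 'name': str, 'groups': set}"""
    if token == "all":
        return True
    if token in ("opsi_client", "opsi_depotserver"):
        return identity["kind"] == token
    group = re.fullmatch(r"sys_group\((.+)\)", token)
    if group:
        return identity["kind"] == "user" and group.group(1) in identity.get("groups", ())
    user = re.fullmatch(r"sys_user\((.+)\)", token)
    if user:
        return identity["kind"] == "user" and identity.get("name") == user.group(1)
    return False  # unknown token: report as denied so the check errs on the safe side


def allowed(acl_text, method, identity):
    """True if the first matching acl.conf entry grants this identity the method."""
    return any(token_allows(t, identity) for t in first_match(parse_acl(acl_text), method))


# Illustrative names for the two method families the post mentions (assumed, not a full list).
REMOTE_CONTROL_METHODS = ("hostControl_start", "hostControl_reboot", "hostControl_execute",
                          "hostControlSafe_shutdown", "backend_deleteBase")
CLIENT = {"kind": "opsi_client"}


def client_reachable_methods(acl_text, methods=REMOTE_CONTROL_METHODS):
    """Methods a (possibly compromised) opsi client could still call; empty after a correct fix."""
    return [m for m in methods if allowed(acl_text, m, CLIENT)]


# The post says a refused call logs "Access to method 'methodname' denied for user";
# collecting those names shows which custom tools the stricter ACL breaks.
DENIED = re.compile(r"Access to method '(?P<method>[^']+)' denied for user")
SAMPLE_LOG = """\
Access to method 'hostControl_execute' denied for user 'client42.example.org'
Access to method 'hostControl_execute' denied for user 'client42.example.org'
Access to method 'host_getObjects' denied for user 'inventory-tool'
"""  # constructed log lines; only the quoted message text comes from the post


def denied_methods(log_text):
    """Sorted, de-duplicated method names that opsiconfd refused."""
    return sorted({m.group("method") for m in DENIED.finditer(log_text)})


if __name__ == "__main__":
    for name, conf in (("weak", ACL_CONF_WEAK), ("fixed", ACL_CONF_FIXED),
                       ("misordered", ACL_CONF_MISORDERED)):
        print("%-10s client can still call: %s" % (name, client_reachable_methods(conf)))
    print("denied in log:", denied_methods(SAMPLE_LOG))
```

Run it against a copy of your own /etc/opsi/backendManager/acl.conf instead of the constructed samples: if client_reachable_methods returns anything, the new lines sit below a rule that already matches hostControl or backend_ methods, and after switching to the strict file, denied_methods over the opsiconfd log lists the method names your own tooling still needs exceptions for.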