Text available at: https://groups.google.com/forum/#!topic/ganeti/9bLyzwmmvdg
Advisory available at: http://www.ocert.org/advisories/ocert-2015-012.html
Published 2014-08-12
Ganeti, an open source virtualisation manager, suffered from an insecure file permission vulnerability that leads to sensitive information disclosure. This issue was fixed with versions 2.10.7 and 2.11.5.
The Ganeti upgrade command ‘gnt-cluster upgrade’ creates an archive of the current configuration of the cluster (e.g. the contents of /var/lib/ganeti
). The archive is named following the pattern ganeti*.tar
and is written to /var/lib/
. Such archives were written with too lax permissions that made it possible to read them as unprivileged user, on the master node.
The configuration archive contains sensitive information, including SSL keys for the inter-node communication via RPC as well as the credentials for the remote API (RAPI). Such information can be used to control various operations of the cluster, including shutting down and removing instances and nodes from the cluster, or assuming the identity of the cluster in a MITM attack.
This vulnerability only affects Ganeti clusters meeting the following criteria:
With the fixed release, the upgrade command will set the permissions of the archives properly. However, in case previous versions have created an unsafe archive already, the following mitigations are advised:
chmod 400 /var/lib/ganeti*.tar
).gnt-cluster renew-crypto
. You may need to pass the --new-cluster-certificate
, --new-confd-hmac-key
, --new-rapi-certificate
, --new-spice-certificate
, --new-cluster-domain-secret
flags, and (for version 2.11 only) the --new-node-certificates
flag./var/lib/ganeti/rapi_users
file.This vulnerability will be published as oCert-2014-006 on ocert.org; CVE ID is pending. Thanks to Apollon Oikonomopoulos for reporting and fixing this issue.
Affected versions: 2.10.0 - 2.10.6, 2.11.0 - 2.11.4
Fixed versions: 2.10.7, 2.11.5
Filed under: CVE-2014-5247 and http://www.ocert.org/advisories/ocert-2014-006.html