Your message dated Thu, 06 Jul 2023 19:04:44 +0000
with message-id <[email protected]>
and subject line Bug#1033367: fixed in isc-kea 2.2.0-8
has caused the Debian Bug report #1033367,
regarding kea-ctrl-agent: Unrestricted default RESTful interface on 
127.0.0.1:8000
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1033367: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033367
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: kea-ctrl-agent
Version: 2.2.0-5
Severity: normal
Tags: security
X-Debbugs-Cc: [email protected], [email protected], Debian 
Security Team <[email protected]>

Forwarded from: https://bugs.launchpad.net/ubuntu/+source/isc-kea/+bug/2007312
Originally reported by: Andreas Hasenack <[email protected]>
WIP fix: 
https://code.launchpad.net/~ahasenack/ubuntu/+source/isc-kea/+git/isc-kea/+merge/439352

What follows is a copy-paste of the original bug as reported by Andreas.

--- 

The kea-ctrl-agent package, when installed, starts a daemon (kea-ctrl-agent) 
that by default listens on 127.0.0.1:8000. It responds to commands like 
"shutdown", "config-get", and many others[1][2].

What's problematic is that these commands are accepted without authentication. 
Anyone on the localhost system can:

a) shutdown a kea daemon:
ubuntu@j-kea:~$ pidof kea-dhcp4
2884
ubuntu@j-kea:~$ curl -X POST -H "Content-Type: application/json" -d '{ "command": "shutdown", "service": [ "dhcp4" ] }' http://localhost:8000/
[ { "result": 0, "text": "Shutting down." } ]ubuntu@j-kea:~$
ubuntu@j-kea:~$ pidof kea-dhcp4
ubuntu@j-kea:~$

b) read the config file (in this example, I made the config file 0640 root:_kea 
so the ubuntu user cannot read it):
ubuntu@andreas-isc-kea-server:~$ cat /etc/kea/kea-dhcp4.conf
cat: /etc/kea/kea-dhcp4.conf: Permission denied

ubuntu@andreas-isc-kea-server:~$ curl -X POST -H "Content-Type: application/json" -d '{ "command": "config-get", "service": [ "dhcp4" ] }' http://localhost:8000/ | grep secret
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 4049 100 3998 100 51 134k 1751 --:--:-- --:--:-- --:--:-- 136k
[ { "arguments": { "Dhcp4": { "authoritative": false, "boot-file-name": "", 
"calculate-tee-times": false, "config-control": { "config-databases": [ { 
"name": "kea", "password": "keasecret", ....

The same could be done via the unix sockets, but the permissions there are not 
world writable, so this is avoided:

$ ls -la /tmp/kea*socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:13 /tmp/kea-ddns-ctrl-socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:14 /tmp/kea4-ctrl-socket
srwxr-xr-x 1 _kea _kea 0 Feb 14 19:13 /tmp/kea6-ctrl-socket

One course of action is to disable listening on 127.0.0.1:8000 via the config 
file:

/etc/kea/kea-ctrl-agent.conf:
"Control-agent": {
    "http-host": "127.0.0.1",
    // If enabling HA and multi-threading, the 8000 port is used by the HA
    // hook library http listener. When using HA hook library with
    // multi-threading to function, make sure the port used by dedicated
    // listener is different (e.g. 8001) than the one used by CA. Note
    // the commands should still be sent via CA. The dedicated listener
    // is specifically for HA updates only.
    "http-port": 8000,
(...)

Or maybe set up authentication with a user created in postinst for this purpose, 
with a random password. The documentation[3], at the end of section 7.2, lists 
a mechanism to include username and password from an external file, so we don't 
have to adjust the permissions of kea-ctrl-agent.conf because of this.

Finally, there is also a question about what to do on upgrades from systems 
that have this unprotected open port.

1. https://kea.readthedocs.io/en/kea-2.2.0/arm/ctrl-channel.html#commands-supported-by-both-the-dhcpv4-and-dhcpv6-servers
2. https://kea.readthedocs.io/en/kea-2.2.0/arm/ctrl-channel.html#commands-supported-by-the-d2-server
3. https://kea.readthedocs.io/en/kea-2.2.0/arm/agent.html#configuration

--- End Message ---
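An added audit helper (not from the bug report or the isc-kea package) that checks a kea-ctrl-agent.conf for the exposure described above: it strips the `//` and `#` comments Kea's parser accepts, then reports a missing authentication block, a non-loopback listener, or a password kept inline instead of in an external file. The hardened sample follows the Kea 2.2 basic-authentication syntax; the `kea-api` user, realm, and `kea-api-password` file name are assumptions.

```python
import json

def strip_kea_comments(text):
    """Drop the // and # line comments Kea accepts but json.loads rejects."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:                      # copy string bodies verbatim
            out.append(c)
            if c == "\\" and i + 1 < n:
                out.append(text[i + 1]); i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True; out.append(c)
        elif text.startswith("//", i) or c == "#":
            i = text.find("\n", i)      # skip to end of line
            if i == -1: break
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)

def audit_control_agent(conf_text):
    """Return a list of findings for the Control-agent section (empty = ok)."""
    ca = json.loads(strip_kea_comments(conf_text)).get("Control-agent", {})
    findings = []
    if ca.get("http-host", "127.0.0.1") not in ("127.0.0.1", "::1", "localhost"):
        findings.append("listener bound to a non-loopback address")
    auth = ca.get("authentication")
    if not auth or not auth.get("clients"):
        findings.append("no authentication clients: any local user can send commands")
        return findings
    for client in auth["clients"]:
        if "password" in client:   # secret inline forces tighter conf permissions
            findings.append("user %s: inline password, prefer password-file" % client.get("user"))
    return findings

# Constructed sample: the pre-fix default, no authentication block.
WEAK_CONF = """{ "Control-agent": {
    "http-host": "127.0.0.1",
    // 8000 is also used by the HA hook's dedicated listener
    "http-port": 8000 } }"""

# Constructed sample of a hardened configuration (user, realm and file names are assumptions).
HARDENED_CONF = """{ "Control-agent": { "http-host": "127.0.0.1", "http-port": 8000,
    "authentication": { "type": "basic", "realm": "kea-control-agent", "directory": "/etc/kea",
        "clients": [ { "user": "kea-api", "password-file": "kea-api-password" } ] } } }"""
```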
--- Begin Message ---
Source: isc-kea
Source-Version: 2.2.0-8
Done: Athos Ribeiro <[email protected]>

We believe that the bug you reported is fixed in the latest version of
isc-kea, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Athos Ribeiro <[email protected]> (supplier of updated isc-kea 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Tue, 04 Jul 2023 10:40:32 -0300
Source: isc-kea
Architecture: source
Version: 2.2.0-8
Distribution: unstable
Urgency: medium
Maintainer: Kea <[email protected]>
Changed-By: Athos Ribeiro <[email protected]>
Closes: 1033367
Changes:
 isc-kea (2.2.0-8) unstable; urgency=medium
 .
   [ Athos Ribeiro ]
   * d/rules: add strict shlibs control file
 .
   [ Andreas Hasenack ]
   * Restrict access to the default RESTful API on 127.0.0.1:8000 to
     authenticated users (Closes: #1033367) (LP #2007312):
     - Add debconf templates to restrict API access
     - d/control: add debconf build-deps
     - d/kea-ctrl-agent.postinst: handle kea-api password creation
     - d/kea-ctrl-agent.config: prepare debconf questions
     - d/kea-ctrl-agent.postrm: purge api password file
     - d/p/0011-kea-ctrl-agent-authentication.patch
     - d/t/kea-ctrl-agent.service: require a non-empty kea api password file
     - d/t/control, d/t/kea-ctrl-agent-debconf: test debconf options
     - d/t/smoke-tests, d/t/kea-dhcp4: support kea-ctrl-agent authentication
   * d/NEWS: update with noteworthy changes


--- End Message ---