Package: fai-server
Version: 5.8.4
Severity: grave
Tags: security, buster
Dear Maintainer,
fai-server installs /etc/fai/apt/sources.list with the following entry
by default:
deb [trusted=yes] http://fai-project.org/download buster koeln
This is problematic, as the [trusted=yes] part will tell APT to
completely skip cryptographic verification of the repository when
creating the nfsroot. This is extremely bad because the repository is
accessed via unencrypted HTTP, which makes a man-in-the-middle attack
absolutely trivial. True, this only occurs if the NFSROOT is created
and/or updated, but at least updating with make-fai-nfsroot -k should
be a semi-regular thing on well-managed systems.
You should make sure that your APT signing key is added to the
NFSROOT so that APT may check it:
- Export your GPG signing key in binary (NOT -a!) format:
gpg --export 2BF8D9FE074BCDE4 > fai-project.gpg
- Create a directory /etc/fai/apt/trusted.gpg.d
- Copy the file to the appropriate directory
cp fai-project.gpg /etc/fai/apt/trusted.gpg.d/
- Remove the [trusted=yes] part of that line
I've tested this with a pristine FAI install on Debian 10 and during
fai-make-nfsroot the repository is correctly added to the NFSROOT and
the integrity of the signatures is properly checked.
For Debian 9 I don't think this is a critical issue (as the default
configuration does not include the repository, the line is commented
out entirely), but even suggestions in configuration files should
follow established security practices, so I would recommend also
removing the [trusted=yes] comment from the package in Debian 9 (and
also including the key there, or maybe just a comment on how to add
the key), so that inexperienced administrators may avoid the trap that
enabling this repository leads to a security issue.
Best regards,
Christian
-- System Information:
Debian Release: 10.0
APT prefers stable-debug
APT policy: (500, 'stable-debug'), (500, 'stable'), (100, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-5-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages fai-server depends on:
ii debootstrap 1.0.114
ii e2fsprogs 1.44.5-1
ii fai-client 5.8.4
ii xz-utils 5.2.4-1
Versions of packages fai-server recommends:
pn isc-dhcp-server
pn libproc-daemon-perl
pn nfs-kernel-server
ii openbsd-inetd [inet-superserver] 0.20160825-4
ii openssh-client 1:7.9p1-10
ii openssh-server 1:7.9p1-10
pn tftpd-hpa | atftpd
Versions of packages fai-server suggests:
ii binutils 2.31.1-16
pn debmirror
pn fai-setup-storage
pn grub2
pn perl-tk
ii qemu-utils 1:3.1+dfsg-8~deb10u1
pn reprepro
ii squashfs-tools 1:4.3-12
ii xorriso 1.5.0-1
-- no debconf information
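An added example, not part of the bug report: a POSIX shell script that audits an APT sources file for active deb lines whose option block carries trusted=yes (the setting the report objects to) and produces a copy with that option removed, which is the last step in the reporter's list; it does not cover the key-export steps. The sources content used here is constructed from the entry quoted in the report.

```shell
#!/bin/sh
# Added example, not from the bug report: audit an APT sources file for
# "trusted=yes" (signature verification disabled) and produce a copy with
# that option removed. SAMPLE_SOURCES is constructed; in practice feed the
# contents of /etc/fai/apt/sources.list instead.
SAMPLE_SOURCES='deb [trusted=yes] http://fai-project.org/download buster koeln
# deb [trusted=yes] http://fai-project.org/download stretch koeln
deb http://deb.debian.org/debian buster main'

# Active deb/deb-src line whose option block contains trusted=yes.
TRUSTED_RE='^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes[^]]*]'

# Print how many active source lines skip signature verification.
count_trusted_yes() {
    printf '%s\n' "$1" | grep -cE "$TRUSTED_RE" || true
}

# Print the offending lines themselves (nothing if none).
list_trusted_yes() {
    printf '%s\n' "$1" | grep -E "$TRUSTED_RE" || true
}

# Print the sources with trusted=yes removed from active lines, covering the
# option standing alone, first in the block, or later in the block.
# Commented-out lines are left untouched.
strip_trusted_yes() {
    printf '%s\n' "$1" | sed -E '/^[[:space:]]*deb(-src)?[[:space:]]/{
        s/\[trusted=yes][[:space:]]*//
        s/\[trusted=yes[[:space:]]+/[/
        s/[[:space:]]+trusted=yes(]|[[:space:]])/\1/
    }'
}

echo "Active lines with trusted=yes: $(count_trusted_yes "$SAMPLE_SOURCES")"
list_trusted_yes "$SAMPLE_SOURCES"
echo "--- sanitized ---"
strip_trusted_yes "$SAMPLE_SOURCES"
```

Once the option is gone, APT will refuse the repository until the exported key is present in /etc/fai/apt/trusted.gpg.d/, which is the behaviour the report asks for.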