[rudder-users] Rudder vulnerabilities - Fixed in 7.2.10 and 7.3.5

Alexis Mousset alexis.mousset at rudder.io
Wed Sep 6 11:28:17 CEST 2023


Dear community,

We have found several security vulnerabilities affecting Rudder:

A privilege escalation vulnerability for Rudder users: a valid user with limited permissions (e.g. read-only) can gain administrator privileges due to misconfigured ACLs in some internal APIs. These APIs then allow gaining administrator access to the whole Rudder instance. API accounts are not affected, as the issue is only exploitable through Web sessions. The affected APIs are:
  * Shared files API: /secure/api/sharedfile/* and /secure/api/resourceExplorer/*, which allows creating or modifying arbitrary files on the system
  * API token management: /secure/api/apiaccounts/, which allows creating privileged API tokens or stealing existing ones, causing the privilege escalation
  * Event logs: /secure/api/eventlog/
  * Completion: /secure/api/completion/*
=> Advisory: https://github.com/Normation/rudder/security/advisories/GHSA-xr7v-8q96-9j64

A directory traversal vulnerability in the internal API used for technique resources management. It allows modifying arbitrary files on the system, but requires a valid user account (no specific permissions are required, because of the first issue). API accounts are not affected, as the issue is only exploitable through Web sessions.
=> Advisory: https://github.com/Normation/rudder/security/advisories/GHSA-9m9h-57wc-7cp5

Clear-text API tokens can get written into web application and Apache httpd log files, especially when modifying an API account in the administration interface. This is a risk if these files are forwarded to a remote system.
=> Advisory: https://github.com/Normation/rudder/security/advisories/GHSA-35xg-w54w-757j

A very limited path traversal in the relay's shared folder API allows testing for the existence of files readable by non-privileged users.
=> Advisory: https://github.com/Normation/rudder/security/advisories/GHSA-jjfq-p8xw-53g2

These issues are fixed in 7.2.10 and 7.3.5, which were released on August 8th, and in the upcoming 8.0.0. You are encouraged to upgrade your Rudder servers and to regenerate API tokens if they may have been exposed. Agents and relays are not affected. We are also working on additional improvements to API authentication in Rudder 8.0 to prevent such issues in the future.

If you have questions regarding the vulnerabilities or the upgrade process, please contact us on the users mailing list or our chat room:

     https://chat.rudder.io

-- 
Alexis Mousset
Rudder
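Editor's note, added example (not part of the announcement above and not Rudder project code): before upgrading, an operator will want to know whether the internal endpoints named in the first two advisories were hit from their server. The script below triages Apache httpd access-log lines for requests touching those endpoint prefixes and for percent-encoded path traversal segments. It assumes the combined log format and that the web UI may sit under a deployment prefix such as /rudder (hence substring rather than prefix matching); the sample log lines are constructed. Note the caveat from the advisory: only Web sessions are exploitable, and a standard access log does not show whether a request carried a session cookie or an API token, so each hit still needs checking against the application's own session and user logs.

```python
"""Triage Apache httpd access-log lines for hits on the Rudder internal API
endpoints named in GHSA-xr7v-8q96-9j64, plus path traversal attempts.
Added example; the sample log lines are constructed, not real traffic."""
import re
from urllib.parse import unquote

# Endpoint prefixes listed in the advisory.
AFFECTED_PREFIXES = (
    "/secure/api/sharedfile/",
    "/secure/api/resourceExplorer/",
    "/secure/api/apiaccounts/",
    "/secure/api/eventlog/",
    "/secure/api/completion/",
)

# Apache "combined" format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(target):
    """Drop the query string, percent-decode twice (so %252e double
    encoding is caught) and collapse repeated slashes before matching."""
    path = target.split("?", 1)[0]
    path = unquote(unquote(path))
    return re.sub(r"/+", "/", path)


def has_traversal(path):
    """True if any path segment is exactly '..' after decoding."""
    return ".." in path.split("/")


def triage_line(line):
    """Return a finding dict for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m.group("target"))
    findings = []
    # The UI may be served under a prefix such as /rudder (assumption),
    # so look for the fragment anywhere in the path, not only at its start.
    for prefix in AFFECTED_PREFIXES:
        if prefix in path:
            findings.append("internal-api:" + prefix)
            break
    if has_traversal(path):
        findings.append("path-traversal")
    if not findings:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "method": m.group("method"),
        "path": path,
        "status": int(m.group("status")),
        "findings": findings,
    }


def triage(lines):
    """Run triage_line over an iterable of log lines, keeping only hits."""
    return [r for r in map(triage_line, lines) if r is not None]


# Constructed sample log, not real Rudder traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2023:10:01:12 +0200] "GET /rudder/secure/nodeManager/nodes HTTP/1.1" 200 5120
10.0.0.5 - - [01/Sep/2023:10:02:40 +0200] "GET /rudder/secure/api/apiaccounts/ HTTP/1.1" 200 812
10.0.0.5 - - [01/Sep/2023:10:03:05 +0200] "GET /rudder/secure/api/resourceExplorer/..%2f..%2ftmp%2fprobe HTTP/1.1" 200 43
10.0.0.9 - - [01/Sep/2023:10:04:17 +0200] "GET /rudder/secure/api/eventlog/?page=1 HTTP/1.1" 200 2201
10.0.0.9 - - [01/Sep/2023:10:05:00 +0200] "GET /rudder/api/latest/nodes HTTP/1.1" 200 9000
""".splitlines()

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["method"], hit["path"], hit["findings"])
```

Run it against a real file with `triage(open("/var/log/httpd/access_log"))`; the public API under /api/ is deliberately ignored, since the advisory states API accounts are not affected.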

