[chef] Notes on client side heartbleed vulnerabilities


  • From: Lamont Granquist
  • Subject: [chef] Notes on client side heartbleed vulnerabilities
  • Date: Sun, 13 Apr 2014 11:08:25 -0700


I just stumbled across this repo with tests for client-side heartbleed vulnerabilities:

https://github.com/Lekensteyn/pacemaker

I validated that remote_file to an SSL url is exploitable using omnibus chef-client 11.10.4 on ubuntu-13.10 (and it should not matter what distro you use since omnibus uses a consistent openssl version). The current 11.12.2 release is not exploitable with that script. I also validated that Chef::REST connections are similarly exploitable in 11.10.4 and not in 11.12.2. It looks like this code is also a proof of concept that on the client side you can MITM the connection and attack the client before cert validation, so `ssl_verify_mode :verify_peer` in client.rb does not mitigate the attack.

Obviously, though, you have to use SSL for the attack to succeed so remote_file requests to http:// urls are not vulnerable, and you can use non-SSL connections for your chef_server_url, although that probably opens you up to worse vulnerabilities for attackers with the same level of access they'd need in order to exploit client-side heartbleed.

The remote_file side of the exploit is probably worse, since that could be servers on the internet outside of your domain of control. The chef_server would require MITM'ing your TCP connection to your chef server which is a level of network access that would cause the security at most sites to crumble in much easier ways.

Interestingly, the commit that introduced heartbleed to our omnibus codebase was mine:

https://github.com/opscode/omnibus-software/commit/4f3f65d1e184bf780d471c17b9e070a6ce3ac7cf

Which was on Fri Dec 28 11:03:28 2012

It looks like omnibus Chef 11.0.0 was shipped with vulnerable openssl, and 10.16.4 was the first 10.x omnibus chef-client which shipped with it (of course if you're running pre-10.16.4 chef then you've still got vulnerable libyaml and numerous other ruby security bugs from the past 18 months or so to worry about...)

I'm not sure about which OSS/EC chef-server versions would have been vulnerable, but since the omnibus-software codebase is shared, anything released in 2013 (after my commit) would be vulnerable.

Hopefully none of this is shocking news to anyone following the impact of this bug. Advice to upgrade your chef-client, chef-server and regen all your key material is unchanged:

http://www.getchef.com/blog/2014/04/10/update-on-heartbleed-and-chef-keys/
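The mechanics behind the post above, as an added example that is not part of the original mail and not code from Chef or from pacemaker: a heartbeat message (RFC 6520) carries its own payload_length field, and the unpatched OpenSSL copied that many bytes back to the peer without checking the length against the record it had actually received. Because heartbeats are accepted during the handshake, a MITM can fire one before the client has validated the server certificate, which is why `verify_peer` does not help. The simulation below stands in for the client's receive buffer with a constructed byte string (a fake record followed by a fake secret); the handler names, the `record_len` parameter, and the `leaks_memory?` check are this example's own, modelled on the "did the response contain more data than we sent" test that scanners like pacemaker rely on.

```ruby
# Added example: simulates TLS Heartbeat (RFC 6520) handling before and after
# the CVE-2014-0160 fix. Not Chef or pacemaker code; buffer contents are constructed.

HEARTBEAT_REQUEST  = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN        = 16 # RFC 6520 minimum padding

# HeartbeatMessage = type(1) || payload_length(2, big-endian) || payload || padding.
# An honest peer sets claimed_length to the real payload size; an attacker lies.
def build_heartbeat(payload, claimed_length: payload.bytesize, msg_type: HEARTBEAT_REQUEST)
  [msg_type, claimed_length].pack("Cn") + payload + ("\x00" * PADDING_LEN)
end

# Vulnerable handler (pre-1.0.1g behaviour): trusts payload_length from the wire
# and echoes that many bytes starting at the payload, reading past the end of the
# record into whatever sits next to it in memory. record_len is ignored entirely.
def handle_heartbeat_vulnerable(buffer, _record_len)
  msg_type, payload_length = buffer.byteslice(0, 3).unpack("Cn")
  return nil unless msg_type == HEARTBEAT_REQUEST
  leaked = buffer.byteslice(3, payload_length) || "".b # no bounds check
  [HEARTBEAT_RESPONSE, payload_length].pack("Cn") + leaked + ("\x00" * PADDING_LEN)
end

# Fixed handler: silently discard any heartbeat whose declared payload does not
# fit inside the record that was actually received.
def handle_heartbeat_fixed(buffer, record_len)
  return nil if record_len < 1 + 2 + PADDING_LEN
  msg_type, payload_length = buffer.byteslice(0, 3).unpack("Cn")
  return nil unless msg_type == HEARTBEAT_REQUEST
  return nil if 1 + 2 + payload_length + PADDING_LEN > record_len
  payload = buffer.byteslice(3, payload_length)
  [HEARTBEAT_RESPONSE, payload_length].pack("Cn") + payload + ("\x00" * PADDING_LEN)
end

# Scanner-style check: a peer that answers with more payload than we sent is
# leaking memory. A discarded (nil) response counts as not vulnerable.
def leaks_memory?(response, sent_payload)
  return false if response.nil?
  msg_type, resp_len = response.byteslice(0, 3).unpack("Cn")
  msg_type == HEARTBEAT_RESPONSE && resp_len > sent_payload.bytesize
end

# Drive one handler with a malicious request and report what came back.
def simulate(handler)
  sent_payload = "ping".b
  # 4 real bytes of payload, but a claimed length of 64.
  request = build_heartbeat(sent_payload, claimed_length: 64)
  # Constructed receive buffer: the record, then bytes that would happen to
  # follow it in the heap (here a stand-in for key material), then slack.
  secret = "-----BEGIN RSA PRIVATE KEY-----".b
  memory = request + secret + ("\x00".b * 64)
  response = handler.call(memory, request.bytesize)
  {
    vulnerable:    leaks_memory?(response, sent_payload),
    leaked_secret: response.to_s.include?(secret),
  }
end

if __FILE__ == $0
  puts "vulnerable handler: #{simulate(method(:handle_heartbeat_vulnerable))}"
  puts "fixed handler:      #{simulate(method(:handle_heartbeat_fixed))}"
end
```

The fixed handler still answers honest heartbeats (a 4-byte payload with a claimed length of 4 is echoed back unchanged); it only drops messages whose declared length overruns the record, which is exactly the case the scanner sends.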
