Page MenuHomePhabricator
Create Task
Maniphest T361328

Password to keystore of java certificates needs changing
Open, LowPublicSecurity
Actions

Description

While I was investigating an issue in beta cluster (T360595#9672032) I checked config of a kafka broker in production (kafka-logging1004.eqiad.wmnet) and it had this config:

ssl.truststore.location=/etc/ssl/localcerts/wmf-java-cacerts
ssl.truststore.password=changeit

which worried me as password of stuff in production shouldn't be "changeme". I wanted to check where this is coming from and it seems that it's actually coming from sslcert::trusted_ca (and the variable has not been overwritten in private repo except for the presto hosts, hadoop and analytics tests hosts). That puppet module adds these files to every production host that has java included (600 hosts: https://debmonitor.wikimedia.org/packages/ca-certificates-java) .

For example, I logged in to logstash1036.eqiad.wmnet and ran this:

keytool -v -list -keystore /etc/ssl/certs/java/cacerts

and used the aforementioned password and it worked. The problem is not the ability to see content of the truststore (also not to be confused with keystore), it is that anyone with that password and access to the host can add a trusted CA to the list via keytool (I'm pretty basic at java, maybe I'm missing something obvious but I didn't want to test adding a problematic CA in production.) That means any java application running, will automatically accept attacker's CA and all certificates issued by it as valid

Details

Risk Rating
Low
Author Affiliation
WMF Technology Dept

Related Objects

Event Timeline

Ladsgroup created this task.Mar 29 2024, 1:47 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 29 2024, 1:47 AM
colewhite added subscribers: elukey, colewhite.Mar 29 2024, 2:21 AM

CC @elukey

elukey added a comment.Mar 29 2024, 10:26 AM

Hi folks! IIRC the permission of the file (rw only by root) should be enough to avoid injection of new CA certificates, but I'll double check and report back.

elukey added a comment.EditedMar 29 2024, 10:39 AM

I did the following on logstash1036:

  • copied cacerts to my home dir
  • ensured permissions (root:root, rw-r--r--)
  • executed command to delete one of the certs
elukey@logstash1036:~$ ls -l /etc/ssl/certs/java/cacerts
-rw-r--r-- 1 root root 169784 Feb  5 11:08 /etc/ssl/certs/java/cacerts


elukey@logstash1036:~$ ls -l cacerts 
-rw-r--r-- 1 root root 168951 Mar 29 10:34 cacerts

elukey@logstash1036:~$ keytool -delete --alias wmf:puppetca.pem --noprompt --storepass changeit  -keystore cacerts 
keytool error: java.io.FileNotFoundException: cacerts (Permission denied)

The file permissions ensure that even if somebody has the password they are not able to alter the content of the truststore. I know it is not ideal, but it is a compromise to avoid having passwords for cabundles (we also have the same issue with non truststore/java bundles, we rely IIUC on file permissions to avoid local exploits).

Lemme know if this is still a concern or not, very open to any suggestion :)

elukey added a comment.Mar 29 2024, 10:43 AM

The perms are the same for the wmf cacert bundle:

elukey@kafka-logging1004:~$ ls -l /etc/ssl/localcerts/wmf-java-cacerts
-rw-r--r-- 1 root root 3706 Nov 22 10:10 /etc/ssl/localcerts/wmf-java-cacerts
Ladsgroup added a comment.Mar 29 2024, 10:58 PM

It's great that it's not a big deal, it scared me for good. Wonder how much work it is to change the password to avoid further scares in the future.

sbassett edited projects, added SecTeam-Processed; removed Security-Team.Apr 2 2024, 5:44 PM
sbassett subscribed.

@elukey @Ladsgroup - Sounds like we can make this public now?

elukey added a comment.Apr 3 2024, 12:51 PM
In T361328#9674202, @Ladsgroup wrote:

It's great that it's not a big deal, it scared me for good. Wonder how much work it is to change the password to avoid further scares in the future.

I'd be in favor not to change anything for the moment, IIRC we added the password since some Java-based daemons want it (as in, they don't contemplate a passwordless truststore, that in my opinion is a totally legitimate use case). Since we already rely only on file permissions for system-wide ca-bundles, I think it should be safe to skip the rollout of a new password to several clusters etc.. my 2c, lemme know your thoughts :)

In T361328#9681730, @sbassett wrote:

@elukey @Ladsgroup - Sounds like we can make this public now?

+1 from my side

sbassett triaged this task as Low priority.Apr 3 2024, 6:56 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL