
Security Concern: Missing Server Certificate Verification with X509 Certificates in Chaos Monkey

Open nyxfqq opened this issue 7 months ago • 0 comments

Issue Description:

I've identified a security vulnerability within the Chaos Monkey project when utilizing X509 certificates for TLS connections. Specifically, the issue revolves around the lack of server certificate verification when establishing secure communication, potentially leaving the system susceptible to MITM (Man-In-The-Middle) attacks.

The problematic code resides in the getClientX509 function at github.com/Netflix/chaosmonkey/spinnaker/spinnaker.go:91. This function is designed to load X509 certificate and private key data to configure an http.Client for mutual TLS authentication. However, it inadvertently disables server certificate verification by setting InsecureSkipVerify: true within the tls.Config. Consequently, while the client is authenticated to the server, no reciprocal validation of the server’s identity occurs, violating a fundamental principle of secure communication.

Notably, this flaw is absent when using P12 certificates, where both ends of the connection seem to be appropriately verified.

Implications:

The current implementation can lead to severe security implications, particularly when executing sensitive operations like scheduling commands. The absence of server certificate validation means that the client may unknowingly communicate with rogue servers, exposing sensitive data and control flows to unauthorized parties.

Steps to Reproduce:

  1. Configure Chaos Monkey to utilize X509 certificates for Spinnaker interactions.
  2. Observe the initialization flow in github.com/Netflix/chaosmonkey/command/chaosmonkey.go, noting the execution path from loading configuration at line 208 to invoking spinnaker.NewFromConfig at line 224.
  3. Trace the logic into getClientX509, witnessing the insecure TLS configuration.

Proposed Solution:

  • Rectify the tls.Config in getClientX509 by removing InsecureSkipVerify: true to enforce server certificate verification as a default behavior.
  • Optionally, introduce a configurable flag to toggle certificate verification for scenarios requiring relaxed security measures, with a strong recommendation against its use in production environments.

Given the severity of the security risk involved, addressing this issue swiftly is imperative to uphold the robustness and trustworthiness of the Chaos Monkey tool and its deployments.

nyxfqq avatar Jun 27 '24 14:06 nyxfqq
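The following is an added example, not code from the Chaos Monkey project or from the reporter: it places the `InsecureSkipVerify: true` pattern the issue describes beside a verifying `tls.Config`, then exercises both against a local `httptest` TLS server whose self-signed certificate no system root trusts. Function names (`tlsConfigSkippingVerify`, `tlsConfigVerifying`, `probe`, `demo`) are illustrative and not the project's identifiers.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// tlsConfigSkippingVerify reproduces the pattern the issue describes: the client
// presents its own certificate but never validates the server's.
func tlsConfigSkippingVerify(clientCerts []tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: clientCerts, InsecureSkipVerify: true}
}

// tlsConfigVerifying is the hardened form: verification stays enabled and the
// trusted CAs come from an explicit pool (nil means the system roots).
func tlsConfigVerifying(clientCerts []tls.Certificate, roots *x509.CertPool) *tls.Config {
	return &tls.Config{Certificates: clientCerts, RootCAs: roots, MinVersion: tls.VersionTLS12}
}

// probe does one GET through cfg and returns the handshake/transport error, if any.
func probe(target string, cfg *tls.Config) error {
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := c.Get(target)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// demo stands in for an unknown server: a local TLS listener with a self-signed
// certificate (constructed by httptest). It reports whether the insecure config
// accepted it, whether the verifying config rejected it, and whether the verifying
// config accepted it once that certificate was explicitly trusted.
func demo() (insecureAccepted, verifyingRejected, pinnedAccepted bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(200) }))
	defer srv.Close()
	insecureAccepted = probe(srv.URL, tlsConfigSkippingVerify(nil)) == nil
	verifyingRejected = probe(srv.URL, tlsConfigVerifying(nil, nil)) != nil
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	pinnedAccepted = probe(srv.URL, tlsConfigVerifying(nil, pool)) == nil
	return
}

func main() {
	a, b, c := demo()
	fmt.Printf("skip-verify accepted unknown server: %v; verifying rejected it: %v; accepted once trusted: %v\n", a, b, c)
}
```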