
[support-tools] Chef UI - Unencrypted Submission of Credentials

Open claco opened this issue 10 years ago • 1 comments

This is from the internal security review recommendations. It is not clear how Chef was installed in this report. Assigning to support-tools so we can check our automated install and the chef-server.rb that we drop. We should also investigate the RPC documented instructions and see if people should make changes to the defaults that omnibus chef installs.

Severity: Medium

Description / Exploit: The software transmits sensitive or security-critical data (administrative password) in cleartext in a communication channel that can be sniffed by unauthorized actors. On our test environment, we found two instances of the Chef UI running. One instance is on an encrypted port, the other is not. We suggest the unencrypted instance be disabled (port 8090).

Impact: Anyone can read the information by gaining access to the channel being used for communication.

Systems Vulnerable: http://198.101.133.221:8090/

Suggested Mitigation: Encrypt the data with a reliable encryption scheme before transmitting (SSL, TLS), or disable the unencrypted port (port 8090).

Further References: http://cwe.mitre.org/data/definitions/319.html https://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

claco avatar Mar 17 '14 18:03 claco

This is odd. I don't see evidence of this. Here's a netstat from one of our chef servers:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      861/nginx.conf
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      877/beam.smp
tcp        0      0 0.0.0.0:43264           0.0.0.0:*               LISTEN      877/beam.smp
tcp        0      0 127.0.0.1:4321          0.0.0.0:*               LISTEN      906/beam.smp
tcp        0      0 127.0.0.1:5672          0.0.0.0:*               LISTEN      857/beam.smp
tcp        0      0 0.0.0.0:43722           0.0.0.0:*               LISTEN      906/beam.smp
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      861/nginx.conf
tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN      881/epmd
tcp        0      0 127.0.0.1:9462          0.0.0.0:*               LISTEN      845/config.ru
tcp        0      0 0.0.0.0:50807           0.0.0.0:*               LISTEN      857/beam.smp
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      865/postgres

odyssey4me avatar Mar 26 '14 12:03 odyssey4me
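A check in the spirit of the netstat above, as an added example that is not code from the thread or from Chef: it parses `netstat -tlnp` output, lists the listeners bound to non-loopback addresses (the ones a network sniffer could ever see traffic for), and confirms whether the port named in the finding (8090) is listening at all. The sample input is the netstat pasted in the comment above; the helper names are my own.

```ruby
# Added example: parse netstat -tlnp style output and flag listeners that are
# reachable from the network, then check for the port named in the finding.
# NETSTAT_SAMPLE is the output odyssey4me pasted in the thread above.
NETSTAT_SAMPLE = <<~NETSTAT
  Active Internet connections (servers and established)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
  tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      861/nginx.conf
  tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      877/beam.smp
  tcp        0      0 0.0.0.0:43264           0.0.0.0:*               LISTEN      877/beam.smp
  tcp        0      0 127.0.0.1:4321          0.0.0.0:*               LISTEN      906/beam.smp
  tcp        0      0 127.0.0.1:5672          0.0.0.0:*               LISTEN      857/beam.smp
  tcp        0      0 0.0.0.0:43722           0.0.0.0:*               LISTEN      906/beam.smp
  tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      861/nginx.conf
  tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN      881/epmd
  tcp        0      0 127.0.0.1:9462          0.0.0.0:*               LISTEN      845/config.ru
  tcp        0      0 0.0.0.0:50807           0.0.0.0:*               LISTEN      857/beam.smp
  tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      865/postgres
NETSTAT

Listener = Struct.new(:proto, :addr, :port, :program)
LOOPBACK = %w[127.0.0.1 ::1].freeze

# Returns one Listener per LISTEN row; the banner, header and non-TCP rows are skipped.
def parse_netstat(text)
  text.each_line.map do |line|
    cols = line.split
    next unless cols[0] =~ /\Atcp6?\z/ && cols[5] == 'LISTEN'
    # rpartition keeps IPv6 addresses intact: only the last ':' separates the port.
    addr, _sep, port = cols[3].rpartition(':')
    Listener.new(cols[0], addr, port.to_i, cols[6])
  end.compact
end

# Listeners bound to anything other than loopback are reachable from the network.
def external_listeners(listeners)
  listeners.reject { |l| LOOPBACK.include?(l.addr) }
end

def port_open?(listeners, port)
  listeners.any? { |l| l.port == port }
end

if __FILE__ == $PROGRAM_NAME
  listeners = parse_netstat(NETSTAT_SAMPLE)
  external_listeners(listeners).each { |l| puts "#{l.addr}:#{l.port} #{l.program}" }
  puts "port 8090 listening? #{port_open?(listeners, 8090)}"
end
```

On this sample only nginx (80, 443), epmd (4369) and three ephemeral Erlang ports are network-reachable, and nothing is listening on 8090, which matches the "I don't see evidence of this" reply.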