2018-0312 Solution - No Secrets To Success

Challenge type: Code review

Affected: OpenStack/tripleo-heat-templates

Fixed in: version 8.0.0.0b2

Original code: found here

Description

This week's challenge was slightly different: still a code review, but this time we looked at configuration management code rather than application code. The templates create keys, but the file permissions applied to those keys allow an attacker with local access to the system to read or modify the key material. Those permissions in turn give the attacker access to the underlying data the keys are meant to protect.

To learn more about the importance of file permissions and how they can impact security, take a look at the following articles:

Solution

The solution for this vulnerability requires that the developer update the permissions for the keys from their original value "0644", which grants read/write to the owner and read access to the group and to everyone else, to "0600", where only the owner can read and write. The owner, in this case, is the OpenStack service, not an attacker with local access to the system.

Take a look at the code below to see how it looks.
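As an added illustration (this is not the project's own template code nor code from the original post), the script below shows how a defender can audit a directory of key files for exactly this class of bug and remediate it the same way the fix did: any key with group or world bits set is reported and reset to 0600. The key file names (`service.key`, `ca.pem`), the `.key`/`.pem` naming convention, and the placeholder key contents are constructed assumptions for the demonstration.

```python
import os
import stat
import tempfile

# Permission bits that expose a file to anyone other than its owner
# (all of group rwx and other rwx, i.e. 0o077).
GROUP_OR_WORLD_BITS = stat.S_IRWXG | stat.S_IRWXO


def audit_key_file(path):
    """Return a finding describing whether `path` is accessible beyond its owner."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    exposed = mode & GROUP_OR_WORLD_BITS
    return {
        "path": path,
        "mode": oct(mode),
        "group_readable": bool(mode & stat.S_IRGRP),
        "world_readable": bool(mode & stat.S_IROTH),
        "world_writable": bool(mode & stat.S_IWOTH),
        "needs_fix": exposed != 0,
    }


def harden_key_file(path):
    """Reset the file to owner read/write only (0600) and return the resulting mode."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_tree(root):
    """Walk `root` and audit every regular file that looks like a key (assumed naming convention)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith((".key", ".pem")):
                findings.append(audit_key_file(os.path.join(dirpath, name)))
    return findings


def demo():
    """Constructed scenario: one key deployed 0644 (the original bug) and one already at 0600.

    Returns (bad_needs_fix_before, good_needs_fix_before, modes_after_hardening, bad_needs_fix_after).
    """
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "service.key")
        good = os.path.join(tmp, "ca.pem")
        for p in (bad, good):
            with open(p, "w") as fh:
                # Constructed placeholder, not real key material.
                fh.write("-----BEGIN PRIVATE KEY-----\nCONSTRUCTED PLACEHOLDER\n-----END PRIVATE KEY-----\n")
        os.chmod(bad, 0o644)   # the vulnerable setting from the challenge
        os.chmod(good, 0o600)  # the fixed setting

        before = {f["path"]: f["needs_fix"] for f in audit_tree(tmp)}
        # Remediate only the files the audit flagged.
        fixed_modes = [harden_key_file(f["path"]) for f in audit_tree(tmp) if f["needs_fix"]]
        after = {f["path"]: f["needs_fix"] for f in audit_tree(tmp)}
        return before[bad], before[good], fixed_modes, after[bad]


if __name__ == "__main__":
    print(demo())  # (True, False, [384], False); 384 is 0o600
```

The audit deliberately checks the whole group/other mask rather than just the read bit, because a key that is group- or world-writable is at least as bad as one that is world-readable: an attacker who can replace the key can impersonate the service rather than merely read its traffic.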
