Bug #4824

No package verification nor download integrity on CentOS/RHEL repositories

Added by Jimb0 Hon1nbo about 4 years ago. Updated over 3 years ago.

Status:ClosedStart date:09/26/2016
Priority:HighDue date:
Assignee:Vlastimil Holer% Done:

0%

Category:Packaging
Target version:Release 5.4
Resolution: Pull request:https://github.com/OpenNebula/docs/pull/87/commits/5a2097c8f45d9144bae5b820c3d18b9fc1154efa
Affected Versions:OpenNebula 4.0, OpenNebula 4.10, OpenNebula 4.12, OpenNebula 4.14, OpenNebula 4.2, OpenNebula 4.4, OpenNebula 4.6, OpenNebula 4.8, OpenNebula 5.0

Description

There is a major security issue regarding the packages for CentOS/RHEL.
Not only is there no GPG signature that can be checked, but HTTPS is not enabled as well.

Someone can effectively man in the middle the repository and no one would be able to tell the difference. This can allow for remote code execution in sensitive environments.

The proper fix for this, and what any major project should be doing is, to sign the packages with GPG and enable the key check. You can require a key download as part of the step, just ensure it is either done over HTTPS or that there is another way to check the key integrity.
If this is somehow not feasible, one can enable HTTPS on the repository server. Since Let's Encrypt has become public there is no reason for software source to not be served securely nor without signatures.

Cheers,
~H

History

#1 Updated by Jimb0 Hon1nbo about 4 years ago

surprised this isn't even assigned. Since the packages for APT have a signing key this should be a relatively trivial fix for such a massive security issue.

Right now this could be considered an RCE with a very high CVSS score.

#2 Updated by Ruben S. Montero about 4 years ago

  • Target version set to Release 5.4

Thanks!

#3 Updated by Ruben S. Montero almost 4 years ago

  • Category set to Packaging

#4 Updated by Javi Fontan almost 4 years ago

  • Assignee set to Javi Fontan

From now on the new repositories will have both the rpm packages and repository signed. The key is the same as Debian repos (https://downloads.opennebula.org/repo/Debian/repo.key).

Also the downloads server can now be accessed using https (Let's Encrypt certificates).

I'll leave this ticket open to update the documentation and testing environment. Here is the repo conf to use as base for documentation:

[opennebula]
name=opennebula
baseurl=https://downloads.opennebula.org/repo/...
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://downloads.opennebula.org/repo/Debian/repo.key

Is repo_gpgkey really needed?

#5 Updated by Javi Fontan almost 4 years ago

  • Assignee changed from Javi Fontan to Vlastimil Holer

#6 Updated by Vlastimil Holer over 3 years ago

  • Pull request set to https://github.com/OpenNebula/docs/pull/87/commits/5a2097c8f45d9144bae5b820c3d18b9fc1154efa
I have prepared the change of the documentation so that
  • https is used for (apt/yum) repositories and
  • gpgcheck=1 is enabled (leaving repo_gpgcheck commented) for yum.

https://github.com/OpenNebula/docs/pull/87/commits/5a2097c8f45d9144bae5b820c3d18b9fc1154efa

#7 Updated by Vlastimil Holer over 3 years ago

  • Status changed from Pending to Closed

Change in documentation merged by Javi, closing.

Thank you.

Also available in: Atom PDF