The CFEngine engineering team has recently discovered a severe security issue in the CFEngine Enterprise product. CFEngine is using some internal secrets for authentication to the Mission Portal API and the PostgreSQL database when running background maintenance tasks. These internal secrets are randomly generated during the installation process and stored in files which only the root user has access to. Unfortunately, the commands that generate and store the secrets were being logged to the
/var/log/CFEngineHub-Install.log installation log which was world-readable and thus accessible for any user logged in to the system (on the hub machine). Please note that this only affects the hub hosts, agent hosts don't generate and use such internal secrets.
To find out if a system is affected, check the permissions of the
/var/log/CFEngineHub-Install.log file and check if the secrets are there. This is an easy way to perform such check:
$ ll -d /var/log/CFEngineHub-Install.log -rw-r--r--. 1 root root 36410 May 23 11:27 /var/log/CFEngineHub-Install.log $ grep -P '(SECRET|PW)' /var/log/CFEngineHub-Install.log + '[' -f /var/cfengine/CF_CLIENT_SECRET_KEY.tmp ']' + sed -i s/CFE_CLIENT_SECRET_KEY/wBosnkNR247KLVJpIvJYXSAp8zJv1259/ /var/cfengine/share/GUI/application/config/appsettings.php + sed -i s/CFE_CLIENT_SECRET_KEY/wBosnkNR247KLVJpIvJYXSAp8zJv1259/ /var/cfengine/share/db/ootb_settings.sql + sed -i s/LDAP_API_SECRET_KEY/wBosnkNR247KLVJpIvJYXSAp8zJv1259/ /var/cfengine/share/GUI/application/config/appsettings.php + sed -i s/LDAP_API_SECRET_KEY/wBosnkNR247KLVJpIvJYXSAp8zJv1259/ /var/cfengine/share/GUI/ldap/config/settings.php + sed -i '/LDAP_API_SECRET_KEY/s/'\'''\''/'\''wBosnkNR247KLVJpIvJYXSAp8zJv1259'\''/' /var/cfengine/share/GUI/api/config/config.php + CFE_ROBOT_PWD=eFKzEV7yr5Xv0FiYRwLZxIJA7DLT6OXS + rm -f /var/cfengine/CF_CLIENT_SECRET_KEY.tmp
The above results are from an affected host, the log file is world-readable (the third
r in the permissions) and it contains the secrets.
CFE_ROBOT Mission Portal user has the admin role. Logging in to Mission Portal or authenticating to the API as this user would allow the attacker to change any configurable option in Mission Portal, add, modify or delete user accounts or even change the version control system configuration to distribute policy of their choice to all hosts bootstrapped to an affected hub (including the hub itself).
Any user logged in to an affected hub's operating system can read the authentication secrets from the
/var/log/CFEngineHub-Install.log log file.
In order to mitigate the issue, the secrets need to be rotated (regenerated). Care must be taken to avoid logging the new secrets in some place accessible to non-root users.
The CFEngine team provides two options to rotate the secrets:
- a shell script (checksum,
- a policy (checksum,
Administrators of affected systems are advised to download and run the shell script or the policy, or to manually execute the steps based on the contents of the shell script.
The CFEngine team has also patched the installation scripts to:
- set the correct permissions for the
/var/log/CFEngineHub-Install.loginstallation log file,
- avoid leaking internal authentication secrets into the log file and to
- rotate the internal authentication secrets when upgrading CFEngine.
These patches are included in both of the recent LTS releases – 3.10.6 and 3.12.2 – and will also be included in the upcoming non-LTS 3.14.0 release. In the 3.14.0 release the
CFE_ROBOT user will no longer have the admin role, but a more restricted access.
This issue has been registered as CVE-2019-9929 in the official public CVE registry.
We have been in contact with and provided a solution to all our customers in advance of publishing this. In case of any questions, feel free to contact us.