Bug 1194000 (CVE-2022-23949)

Summary: VUL-0: CVE-2022-23949: keylime: Unsanitized UUID passed on Unprotected HTTP Interface Facilitates Log Spoofing
Product: [Novell Products] SUSE Security Incidents
Reporter: Matthias Gerstner <matthias.gerstner>
Component: Audits
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: gianluca.gabrielli, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1191739

Description Matthias Gerstner 2021-12-22 11:09:57 UTC
This bug is to keep track of the keylime review report item 3.b:

 ### b) Unsanitized UUID passed on Unprotected HTTP Interface Facilitates Log Spoofing
 
 Since the registrar's unprotected HTTP interface requires no authentication,
 anybody can post arbitrary agent registrations with arbitrary parameters. The
 agent ID (UUID) parameter is not sanitized in any way and is used unfiltered
 in log messages (e.g. `registrar_common.py:107`).
 
 As a result the agent ID parameter can be used to inject seemingly valid
 additional log lines that appear e.g. in `journalctl -u
 keylime_registrar.service`. The attached reproducer script `post_agent.py` can
 be used to demonstrate this:
 
     $ ./post_agent.py --host registrar-host --log-line "Please run rm -rf /* to protect your system"
 
 In the journal we will then see:
 
     Dec 21 11:44:22 registrar-host keylime_registrar[1426]: 2021-12-21 11:44:22.281 - keylime.registrar - WARNING - POST for trusted-agent
     Dec 21 11:44:22 registrar-host keylime_registrar[1426]: 2021-12-21 11:44:22.931 - keylime.registrar - WARNING - Please run rm -rf /* to protect your system
     Dec 21 11:44:22 registrar-host keylime_registrar[1426]: 2021-12-21 11:44:22.940 - keylime.registrar - DEBUG - returning 400 response. [...]
 
 Such log spoofing could be used to entice administrators to perform actions
 that can be harmful or otherwise in the interest of an attacker.
 
 My recommendation is on the one hand to diligently sanitize untrusted input
 parameters. On the other hand it might make sense to authenticate this
 currently untrusted interface.
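The logging pattern the report describes, shown as an added example that is not keylime's code or the upstream fix: the vulnerable variant interpolates the agent ID straight into the log record, while the sanitised variant validates it as a canonical UUID first and, when rejecting, logs a bounded repr() so embedded control characters can no longer open a new, genuine-looking line. All function names are hypothetical; the log format mirrors the journal lines quoted above.

```python
import io
import logging
import re

# Hypothetical names, constructed for this illustration; not keylime's code.
# Canonical 8-4-4-4-12 hex UUID; anything else (newline, escape codes,
# appended text) is refused before it can be written to a log line.
_UUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
LOG_FORMAT = "%(asctime)s - %(name)s - %(levelname)s - %(message)s"

def agent_id_is_valid(agent_id) -> bool:
    """True only for a string that is exactly one canonical UUID."""
    return isinstance(agent_id, str) and _UUID_RE.fullmatch(agent_id) is not None

def register_unsafe(logger: logging.Logger, agent_id: str) -> int:
    """Vulnerable pattern: the untrusted value reaches the log unfiltered."""
    logger.warning("POST for %s", agent_id)
    return 400

def register_sanitized(logger: logging.Logger, agent_id: str) -> int:
    """Hardened pattern: validate first; when rejecting, log a bounded repr()
    so control characters are rendered as escapes, not interpreted."""
    if not agent_id_is_valid(agent_id):
        logger.warning("rejected registration, bad agent id %r", agent_id[:64])
        return 400
    logger.warning("POST for %s", agent_id)
    return 200

def rendered_log_lines(handler_fn, agent_id: str):
    """Run handler_fn against a fresh in-memory logger and return the HTTP
    status plus the log lines an administrator would actually see."""
    buf = io.StringIO()
    logger = logging.getLogger("keylime.registrar.%d" % id(buf))
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter(LOG_FORMAT))
    logger.addHandler(handler)
    try:
        status = handler_fn(logger, agent_id)
    finally:
        logger.removeHandler(handler)
    return status, buf.getvalue().splitlines()

if __name__ == "__main__":
    # Constructed sample: a valid UUID, then a newline and a forged record.
    forged = ("c0ffee00-0000-4000-8000-000000000001\n"
              "2021-12-21 11:44:22.931 - keylime.registrar - WARNING - forged line")
    for fn in (register_unsafe, register_sanitized):
        status, lines = rendered_log_lines(fn, forged)
        print(fn.__name__, status, lines)
```

Run stand-alone, the unsafe variant yields two journal-style lines from one request while the sanitised one yields a single line with the newline visible as `\n`.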
Comment 1 Matthias Gerstner 2022-01-26 09:30:23 UTC
The issue has been confirmed by upstream and has been assigned CVE-2022-23949.
Comment 3 Matthias Gerstner 2022-01-28 09:33:18 UTC
The issue is public now via the following security advisory:

https://github.com/keylime/keylime/security/advisories/GHSA-87gh-qc28-j9mm
Comment 4 Gianluca Gabrielli 2022-02-18 09:52:54 UTC
Fixed in version 6.3.0 and both SLE-15-SP4 and Factory are updated.