Bugzilla – Bug 1194000
VUL-0: CVE-2022-23949: keylime: Unsanitized UUID passed on Unprotected HTTP Interface Facilitates Log Spoofing
Last modified: 2022-02-18 09:52:54 UTC
This bug is to keep track of the keylime review report item 3.b:

### b) Unsanitized UUID passed on Unprotected HTTP Interface Facilitates Log Spoofing

Since the registrar's unprotected HTTP interface requires no authentication, anybody can post arbitrary agent registrations with arbitrary parameters. The agent ID (UUID) parameter is not sanitized in any way and is used unfiltered in log messages (e.g. `registrar_common.py:107`). As a result the agent ID parameter can be used to inject seemingly valid additional log lines that appear e.g. in `journalctl -u keylime_registrar.service`.

The attached reproducer script `post_agent.py` can be used to demonstrate this:

```
$ ./post_agent.py --host registrar-host --log-line "Please run rm -rf /* to protect your system"
```

In the journal we will then see:

```
Dec 21 11:44:22 registrar-host keylime_registrar[1426]: 2021-12-21 11:44:22.281 - keylime.registrar - WARNING - POST for trusted-agent
Dec 21 11:44:22 registrar-host keylime_registrar[1426]: 2021-12-21 11:44:22.931 - keylime.registrar - WARNING - Please run rm -rf /* to protect your system
Dec 21 11:44:22 registrar-host keylime_registrar[1426]: 2021-12-21 11:44:22.940 - keylime.registrar - DEBUG - returning 400 response.
[...]
```

Such log spoofing could be used to entice administrators to perform actions that can be harmful or otherwise in the interest of an attacker.

My recommendation is on the one hand to diligently sanitize untrusted input parameters. On the other hand it might make sense to authenticate this currently untrusted interface.
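The following is an added illustration of the log-injection mechanism described in the report and of the two mitigations it implies (strict validation of the agent ID, and escaping of anything untrusted that still reaches a log call). It is not keylime code and not the upstream fix: the log format is modelled on the journal excerpt above minus the timestamp, `SPOOFED_AGENT_ID` is a constructed attacker value, and `is_valid_agent_id`, `escape_for_log` and `handle_post` are hypothetical helper names chosen for this example.

```python
"""Log spoofing via an unsanitized agent ID, vulnerable vs. hardened (added example)."""
import logging
import re
from io import StringIO

# Line layout modelled on the report's journal excerpt, without the timestamp
# so that the output is deterministic.
LOG_FORMAT = "%(name)s - %(levelname)s - %(message)s"

# Constructed attacker input: a harmless-looking ID, an embedded newline, and a
# fake record that imitates the registrar's own log format.
SPOOFED_AGENT_ID = (
    "trusted-agent\n"
    "2021-12-21 11:44:22.931 - keylime.registrar - WARNING - "
    "Please run rm -rf /* to protect your system"
)

# Allow-list: agent IDs are UUIDs, so accept only the canonical 8-4-4-4-12 hex
# form. re.fullmatch rejects any extra characters, including a trailing "\n"
# that a "$"-anchored re.match would silently tolerate.
_UUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def is_valid_agent_id(agent_id: str) -> bool:
    """True only for a canonical UUID string with nothing before or after it."""
    return _UUID_RE.fullmatch(agent_id) is not None


def escape_for_log(value: str) -> str:
    """Render control characters visibly (\\n, \\r, \\x1b, ...) so an untrusted
    value can neither start a new log line nor emit terminal escape sequences."""
    return "".join(ch if ch.isprintable() else repr(ch)[1:-1] for ch in value)


def handle_post(agent_id: str, hardened: bool) -> list[str]:
    """Simulate the registrar's logging for one POST; return the emitted lines."""
    stream = StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter(LOG_FORMAT))
    name = "example.registrar." + ("hardened" if hardened else "vulnerable")
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)

    if hardened and not is_valid_agent_id(agent_id):
        # Reject at the boundary and log only an escaped rendering of the value.
        logger.warning("rejected POST, agent_id is not a UUID: %s",
                       escape_for_log(agent_id))
    else:
        # Vulnerable pattern: untrusted input interpolated verbatim into the log.
        logger.warning("POST for %s", agent_id)
    logger.debug("returning 400 response")

    logger.removeHandler(handler)
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened =", mode)
        for line in handle_post(SPOOFED_AGENT_ID, hardened=mode):
            print("  ", line)
```

With `hardened=False` the single `warning()` call produces two journal-looking lines, the second of which claims to come from `keylime.registrar`; journald attaches the same `keylime_registrar[pid]:` prefix to every newline-terminated line it reads from the service's stdout, which is why the injected line in the excerpt above is indistinguishable from a genuine one. With `hardened=True` the request is refused before the ID is used, and the value that is logged for the operator appears on one line with the newline rendered as a literal `\n`. Validation alone is not enough: whatever gets logged about the rejected value must still go through the escaping step, otherwise the rejection message itself becomes the injection point.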
The issue has been confirmed by upstream and has been assigned CVE-2022-23949.
The issue is public now via the following security advisory: https://github.com/keylime/keylime/security/advisories/GHSA-87gh-qc28-j9mm
Fixed in version 6.3.0 and both SLE-15-SP4 and Factory are updated.