[Bug 1987842] Re: wireguard: netdev file can leak private key

Launchpad Bug Tracker 1987842 at bugs.launchpad.net
Thu Jul 4 19:48:24 UTC 2024


This bug was fixed in the package netplan.io - 1.0.1-1ubuntu1

---------------
netplan.io (1.0.1-1ubuntu1) oracular; urgency=medium

  * Merge from Debian unstable.  Remaining changes:
    - d/p/0003-Revert-wait-online-disabled-wait-online-for-stable-1.patch:
      Fix wait-online via s-n-wait-online.service.d/10-netplan.
    - d/libnetplan1.symbols: Update for new (private) symbol

netplan.io (1.0.1-1) unstable; urgency=medium

  * New upstream release: 1.0.1:
    - sriov: accept setting the eswitch mode without VFs (LP: #2020409)
    - cli/sriov: refactoring
    - tests: use proper 0o600 file permissions in more places
    - doc: Adding missing 'watchfiles' dependency for Sphinx
    - doc: Minor fixes in lang. and mark-up in YAML reference
    - doc: Tutorial reorg & lang. + formatting improvements
    - networkd: add wait-online enumeration utils
    - generate: enable systemd-networkd-wait-online for non-optional interfaces
    - CLI:utils: Do not ask for daemon-reload password interactively
    - CLI:generate: call daemon-reload after (re-)generating services
    - wait-online: Do not block on loopback interface
    - generate: Do not touch wait-online, if we don't have any networkd NetDefs
    - wait-online: wait for existing interfaces only and downgrade operational
      state for interfaces without IP configuration
    - wait-online: account for DHCPv4/v6 addresses
    - wait-online: do not require virtual devices to be created already
    - wait-online: recognize that bridge/bond members will never gain
      link-local addresses
    - networkd:apply: Drop handling of legacy wpa@ instance units
    - wait-online: disabled wait-online for stable 1.0
    - test:integration: Try to improve test flakiness
    - autopkgtest: More fixes for flaky 'ethernets' test
    - Increase some test timeouts to account for slow (riscv64) buildds
    SECURITY UPDATE:
    - libnetplan: use more restrictive file permissions
      (Closes: #1072789, LP: #2065738, LP: #1987842)
    - CVE-2022-4968
    - libnetplan: escape control characters
    - backends: escape file paths
    - backends: escape semicolons in service units (LP: #2066258)
    Bug fixes:
    - cli: Fix logging setup when python-rich is not present
    - CI: fix DebCI case for no-change rebuilds
    - CI: adopt autopkgtest for 1.0-1 on 22.04
    - doc: Update README, move CODE_OF_CONDUCT
    - doc: fix en_GB spelling
    - CI: adopt snapd.patch for autopkgtest SRU (LP: #2051939)
    - parse-nm: add a workaround for the DoT DNS option (LP: #2055148)
    - CI: Install netplan-ci PPA
    - parse: don't remove datalist items during iteration
    - ATTN: parse/bonds: handle same primary in multiple bonds
    - parse/bonds: don't fail on primary reassignment
    - cli/sriov: set eswitch regardless of pcidev.vfs
    - doc: Fix wrong bonds.parameters.mode syntax in example
    - parse: fix redefinition of gateway(4|6)
    - doc:tutorial: fix whitespace formatting
    - util: fix potential NULL pointer assert
    - python: elements of __all__ must be strings
    - tests: fix diff test with iproute2 6.8
    - cli/generate: skip daemon_reload with --mapping
    - test: cleanup after wait_online test to fix DebCI
    - CI: fork spread to get !179 fixes
    - doc: Fix netplan-generate.md formatting !483
    - emitter: allow unicode characters in the emitter (LP: #2071652)
    - parse: do not escape all non-ascii bytes
  * d/t/control: 'diff' autopkgtest is not flaky anymore
  * d/patches: Drop patches, applied upstream
  * d/p/0003: Update 'udevadm trigger' patch, using MOVE action (LP: #2071363)
  * debian/netplan-generator.postinst: Add a postinst maintainer script to call
    the generator, so the file permissions fixes will be applied automatically.
  * d/libnetplan1.symbols: Update for new internal wait-online symbol
  * d/copyright: Update for 2024

 -- Lukas Märdian <slyon at ubuntu.com>  Thu, 04 Jul 2024 16:00:36 +0200

** Changed in: netplan.io (Ubuntu Oracular)
       Status: New => Fix Released

https://bugs.launchpad.net/bugs/1987842

Title:
  wireguard: netdev file can leak private key

Status in Netplan:
  Fix Released
Status in netplan.io package in Ubuntu:
  Fix Released
Status in netplan.io source package in Focal:
  Fix Released
Status in netplan.io source package in Jammy:
  Fix Released
Status in netplan.io source package in Mantic:
  Fix Released
Status in netplan.io source package in Noble:
  Fix Released
Status in netplan.io source package in Oracular:
  Fix Released

Bug description:
  When using netplan with wireguard, netplan will render the
  /run/systemd/network/10-netplan-${name}.netdev file with 0644
  permissions.

  That file contains the wireguard private key, which, if specified literally (instead of using a file), will leak that key to all local users of the system. This may not be desirable.

  For example, I have this yaml in /etc/netplan/home0.yaml:
  network:
    version: 2
    tunnels:
      home0:
        mode: wireguard
        key: <base64 private key contents>
        port: 51000
        addresses: [10.10.11.2/24]
        peers:
          - keys:
              public: <base64 public key contents>
            endpoint: 10.48.132.39:51000
            allowed-ips: [10.10.11.0/24,10.10.10.0/24]
        routes:
          - to: 10.10.10.0/24
            from: 10.10.11.2
            scope: link

  When that is rendered and applied with `netplan apply`, this error is logged in /var/log/syslog:
  Aug 26 14:23:30 laptop-coffee-shop systemd-networkd[537]: /run/systemd/network/10-netplan-home0.netdev has 0644 mode that is too permissive, please adjust the ownership and access mode.

  And indeed, that file contains the same literal private key, as expected:

  # cat /run/systemd/network/10-netplan-home0.netdev
  [NetDev]
  Name=home0
  Kind=wireguard

  [WireGuard]
  PrivateKey=<base64 private key contents>
  ListenPort=51000

  [WireGuardPeer]
  PublicKey=<base64 public key contents>
  AllowedIPs=10.10.11.0/24,10.10.10.0/24
  Endpoint=10.48.132.39:51000

  Its permissions should probably be 0640 root:systemd-networkd.

  This is not an issue if the private key is specified via a file, in
  which case systemd-networkd won't even issue that warning.
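As an added example (not from the bug report or from netplan itself), a small audit that flags rendered .netdev units which embed a literal PrivateKey= while still being readable by other users, i.e. exactly the condition the report describes. The fixture directory it builds is constructed for the demo and uses the report's placeholder key strings, not real keys; the expected 0640 root:systemd-networkd mode is the reporter's suggestion.

```python
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import List, Optional

# A key placed literally in the unit. PrivateKeyFile= references a separate
# file and does not match, since "PrivateKey" is followed by "File", not "=".
LITERAL_KEY_RE = re.compile(r"^\s*PrivateKey\s*=\s*\S", re.MULTILINE)

# Any of these bits means users outside owner/group can reach the file.
OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def has_literal_private_key(text: str) -> bool:
    """True if the unit text embeds the WireGuard key instead of pointing at a key file."""
    return LITERAL_KEY_RE.search(text) is not None


def audit_netdev_file(path: Path) -> Optional[str]:
    """Return a finding when a unit embeds a key and is accessible to 'other'; else None."""
    if not has_literal_private_key(path.read_text()):
        return None
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & OTHER_BITS:
        return f"{path.name}: embeds PrivateKey= with mode {mode:04o}; expected 0640 root:systemd-networkd"
    return None


def audit_netdev_dir(directory) -> List[str]:
    """Audit every *.netdev unit in a directory (normally /run/systemd/network)."""
    return [f for p in sorted(Path(directory).glob("*.netdev")) if (f := audit_netdev_file(p))]


def build_demo_dir() -> Path:
    """Constructed fixture mirroring the report: leaky, fixed, and key-by-file variants."""
    d = Path(tempfile.mkdtemp())
    leaky = ("[NetDev]\nName=home0\nKind=wireguard\n\n[WireGuard]\n"
             "PrivateKey=<base64 private key contents>\nListenPort=51000\n")
    by_file = leaky.replace("PrivateKey=<base64 private key contents>",
                            "PrivateKeyFile=/etc/wireguard/home0.key")  # hypothetical path
    for name, text, mode in (("10-netplan-home0.netdev", leaky, 0o644),   # the reported bug
                             ("10-netplan-fixed.netdev", leaky, 0o640),   # after the fix
                             ("10-netplan-file.netdev", by_file, 0o644)):  # no literal key
        (d / name).write_text(text)
        os.chmod(d / name, mode)
    return d


if __name__ == "__main__":
    live = Path("/run/systemd/network")
    target = live if live.is_dir() else build_demo_dir()
    print("\n".join(audit_netdev_dir(target)) or f"no findings in {target}")
```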
