[Bug 2065738] Re: Leaks wireguard keys
Launchpad Bug Tracker
2065738 at bugs.launchpad.net
Wed Jun 26 13:55:48 UTC 2024
*** This bug is a duplicate of bug 1987842 ***
https://bugs.launchpad.net/bugs/1987842
This bug was fixed in the package netplan.io - 1.0-2ubuntu1.1
---------------
netplan.io (1.0-2ubuntu1.1) noble-security; urgency=medium

  * SECURITY UPDATE: weak permissions on secret files, command injection
    - d/p/lp2065738/0014-libnetplan-use-more-restrictive-file-permissions.patch:
      Use more restrictive file permissions to prevent unprivileged users from
      reading sensitive data from back end files (LP: #2065738, #1987842)
    - CVE-2022-4968
    - d/p/lp2066258/0015-libnetplan-escape-control-characters.patch:
      Escape control characters in the parser and double quotes in backend
      files.
    - d/p/lp2066258/0016-backends-escape-file-paths.patch:
      Escape special characters in file paths.
    - d/p/lp2066258/0017-backends-escape-semicolons-in-service-units.patch:
      Escape isolated semicolons in systemd service units. (LP: #2066258)
  * debian/netplan-generator.postinst: Add a postinst maintainer script to call
    the generator. It's needed so the file permissions fixes will be applied
    automatically, thanks to danilogondolfo

 -- Sudhakar Verma <sudhakar.verma at canonical.com>  Tue, 25 Jun 2024 00:13:00 +0530
** Changed in: netplan.io (Ubuntu)
Status: Triaged => Fix Released
https://bugs.launchpad.net/bugs/2065738
Title:
Leaks wireguard keys
Status in netplan.io package in Ubuntu:
Fix Released
Bug description:
My netplan configuration is mode 600 (root read-write only), as it
contains a wireguard VPN configuration, including a private key.
Unfortunately, while netplan renders the wireguard interface
correctly, it does so with world-readable files in
/run/systemd/network, leaving the wireguard private key exposed to
other processes. To reproduce:
1. Generate wireguard key-pair on client: wg genkey | tee key | wg pubkey > key.pub
2. cat key
+I55zxsqXrV7mZ0AUogz9jb3s82kBn42qxS8XWwgrWw=
3. cat key.pub
RwBIJkrps+oi3N75shwzyivUhwrvn5MagmznfibQdDU=
4. Configure netplan with wireguard client configuration
(/etc/netplan/50-cloud-init.yaml):
network:
  version: 2
  ethernets:
    eth0:
      dhcp4: true
  tunnels:
    wg0:
      mode: wireguard
      optional: true
      key: +I55zxsqXrV7mZ0AUogz9jb3s82kBn42qxS8XWwgrWw=
      addresses:
        - 192.168.2.5/24
      nameservers:
        search: [waveform.org.uk]
        addresses: [192.168.2.1]
      routes:
        - to: 192.168.2.0/24
      peers:
        - allowed-ips:
            - 192.168.2.0/24
          endpoint: 1.2.3.4:41194
          keys:
            public: RwBIJkrps+oi3N75shwzyivUhwrvn5MagmznfibQdDU=
5. Run sudo netplan apply
6. Check modes of netplan configuration and the generated configuration under /run/systemd/network
$ ls -l /etc/netplan/50-cloud-init.yaml
-rw------- 1 root root 900 May 13 17:16 50-cloud-init.yaml
$ ls -l /run/systemd/network/*wg0*
-rw-r--r-- 1 root root 246 Apr 19 15:25 10-netplan-wg0.netdev
-rw-r--r-- 1 root root 194 Apr 19 15:25 10-netplan-wg0.network
7. Check your private key in /run/systemd/network/10-netplan-wg0.netdev from an unprivileged user:
$ sudo grep key: /etc/netplan/50-cloud-init.yaml
key: +I55zxsqXrV7mZ0AUogz9jb3s82kBn42qxS8XWwgrWw=
$ grep PrivateKey= /run/systemd/network/10-netplan-wg0.netdev
PrivateKey=+I55zxsqXrV7mZ0AUogz9jb3s82kBn42qxS8XWwgrWw=
(the keys above are ephemeral ones I generated for the purpose of this
report; they're not secret and can be exposed without harm)
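As an added defender-side check, not part of the bug report or of netplan itself, the following POSIX shell script audits a directory of generated backend files for WireGuard key material that is readable by non-root users, which is exactly the condition the ls -l output above shows. The function names, the audit.sh file name and the use of GNU coreutils stat are assumptions; the sample files are constructed inline so the check runs offline.

```shell
# Added audit check (not netplan code): flag backend files that carry
# WireGuard key material but are readable by non-root users.
# Assumes GNU coreutils stat (-c '%a'); function names are our own.

# Usage: check_secret_perms DIR
# Lists every file in DIR that contains a key line and has any group/other
# permission bit set. Returns 0 if nothing is exposed, 1 otherwise.
check_secret_perms() {
    dir="$1"
    exposed=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Key lines in networkd .netdev files (PrivateKey=, PresharedKey=)
        # and in netplan YAML (key:, shared:). "keys:" and "public:" do not
        # match because they are not secrets.
        if grep -Eq '^[[:space:]]*(PrivateKey|PresharedKey)=|^[[:space:]]*(key|shared):' "$f"; then
            mode=$(stat -c '%a' "$f")
            # An octal mode ending in 00 (600, 700, 4700...) is root-only;
            # anything else grants some access to group or others.
            case "$mode" in
                0|*00) ;;
                *) echo "EXPOSED mode=$mode $f"; exposed=1 ;;
            esac
        fi
    done
    return "$exposed"
}

# Constructed sample directory mirroring the report: a world-readable
# .netdev with a fake private key, the same file at mode 600 as the fix
# intends, and a .network file that holds no secret.
make_sample_dir() {
    d=$(mktemp -d)
    printf '[NetDev]\nName=wg0\nKind=wireguard\n\n[WireGuard]\nPrivateKey=CONSTRUCTED-NOT-A-REAL-KEY=\n' \
        > "$d/10-netplan-wg0.netdev"
    chmod 644 "$d/10-netplan-wg0.netdev"
    cp "$d/10-netplan-wg0.netdev" "$d/20-fixed-wg1.netdev"
    chmod 600 "$d/20-fixed-wg1.netdev"
    printf '[Match]\nName=wg0\n\n[Network]\nAddress=192.168.2.5/24\n' \
        > "$d/10-netplan-wg0.network"
    chmod 644 "$d/10-netplan-wg0.network"
    echo "$d"
}

# On a real host: sh audit.sh /run/systemd/network
[ $# -eq 0 ] || check_secret_perms "$1"
```

A non-zero exit from check_secret_perms is the signal to alert on; after installing the fixed package the directory should audit clean.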