[Bug 1987842] Re: wireguard: netdev file can leak private key

Launchpad Bug Tracker 1987842 at bugs.launchpad.net
Wed Jun 26 13:55:48 UTC 2024


This bug was fixed in the package netplan.io - 1.0-2ubuntu1.1

---------------
netplan.io (1.0-2ubuntu1.1) noble-security; urgency=medium

  * SECURITY UPDATE: weak permissions on secret files, command injection
    - d/p/lp2065738/0014-libnetplan-use-more-restrictive-file-permissions.patch:
      Use more restrictive file permissions to prevent unprivileged users from
      reading sensitive data from back end files (LP: #2065738, #1987842)
    - CVE-2022-4968
    - d/p/lp2066258/0015-libnetplan-escape-control-characters.patch:
      Escape control characters in the parser and double quotes in backend
      files.
    - d/p/lp2066258/0016-backends-escape-file-paths.patch:
      Escape special characters in file paths.
    - d/p/lp2066258/0017-backends-escape-semicolons-in-service-units.patch:
      Escape isolated semicolons in systemd service units. (LP: #2066258)
  * debian/netplan-generator.postinst: Add a postinst maintainer script to call
    the generator. It's needed so the file permissions fixes will be applied
    automatically, thanks to danilogondolfo

 -- Sudhakar Verma <sudhakar.verma at canonical.com>  Tue, 25 Jun 2024 00:13:00 +0530

** Changed in: netplan.io (Ubuntu Noble)
       Status: New => Fix Released

** Changed in: netplan.io (Ubuntu Focal)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1987842

Title:
  wireguard: netdev file can leak private key

Status in Netplan:
  Triaged
Status in netplan.io package in Ubuntu:
  New
Status in netplan.io source package in Focal:
  Fix Released
Status in netplan.io source package in Jammy:
  New
Status in netplan.io source package in Mantic:
  New
Status in netplan.io source package in Noble:
  Fix Released
Status in netplan.io source package in Oracular:
  New

Bug description:
  When using netplan with wireguard, netplan will render the
  /run/systemd/network/10-netplan-${name}.netdev file with 0644
  permissions.


  That file contains the wireguard private key, which, if specified literally
  (instead of using a file), will leak that key to all local users of the
  system. This may not be desirable.

  For example, I have this yaml in /etc/netplan/home0.yaml:
  network:
    version: 2
    tunnels:
      home0:
        mode: wireguard
        key: <base64 private key contents>
        port: 51000
        addresses: [10.10.11.2/24]
        peers:
          - keys:
              public: <base64 public key contents>
            endpoint: 10.48.132.39:51000
            allowed-ips: [10.10.11.0/24,10.10.10.0/24]
        routes:
          - to: 10.10.10.0/24
            from: 10.10.11.2
            scope: link

  When that is rendered and applied with `netplan apply`, this error is logged in /var/log/syslog:
  Aug 26 14:23:30 laptop-coffee-shop systemd-networkd[537]: /run/systemd/network/10-netplan-home0.netdev has 0644 mode that is too permissive, please adjust the ownership and access mode.


  And indeed, that file contains the same literal private key, as expected:

  # cat /run/systemd/network/10-netplan-home0.netdev
  [NetDev]
  Name=home0
  Kind=wireguard

  [WireGuard]
  PrivateKey=<base64 private key contents>
  ListenPort=51000

  [WireGuardPeer]
  PublicKey=<base64 public key contents>
  AllowedIPs=10.10.11.0/24,10.10.10.0/24
  Endpoint=10.48.132.39:51000

  Its permissions should probably be 0640 root:systemd-networkd.

  This is not an issue if the private key is specified via a file, in
  which case systemd-networkd won't even issue that warning.

To manage notifications about this bug go to:
https://bugs.launchpad.net/netplan/+bug/1987842/+subscriptions
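An added audit script (not part of the bug report, netplan, or systemd) that checks rendered .netdev files for the condition the report describes: a literal PrivateKey= in a file readable by all local users. It treats PrivateKeyFile= as safe, as the report notes, and uses a constructed copy of the reporter's netdev file in a temporary directory rather than touching /run/systemd/network.

```python
import stat
import tempfile
from pathlib import Path
from typing import Optional

# Flag files readable by "other": that is what makes the key visible to every
# local user, and the 0640 root:systemd-networkd mode suggested in the report
# clears this bit.
WORLD_READABLE = stat.S_IROTH


def literal_private_key_sections(text: str) -> list:
    """Return the section names that set a literal PrivateKey= value.
    PrivateKeyFile= is not reported, since the key then lives in another file."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        if key.strip() == "PrivateKey" and value.strip() and section not in hits:
            hits.append(section)
    return hits


def audit_netdev(path: Path) -> Optional[dict]:
    """Finding dict if `path` holds a literal key and is world-readable, else None."""
    mode = stat.S_IMODE(path.stat().st_mode)
    sections = literal_private_key_sections(path.read_text())
    if not sections or not mode & WORLD_READABLE:
        return None
    return {"file": str(path), "mode": f"{mode:04o}", "sections": sections}


def audit_directory(directory: Path) -> list:
    """Audit every *.netdev file in `directory` (e.g. /run/systemd/network)."""
    return [f for p in sorted(directory.glob("*.netdev")) if (f := audit_netdev(p))]


# Constructed sample mirroring the reporter's rendered file, key redacted.
SAMPLE_NETDEV = "[NetDev]\nName=home0\nKind=wireguard\n\n[WireGuard]\n" \
                "PrivateKey=<base64 private key contents>\nListenPort=51000\n"


def demo() -> tuple:
    """Write the sample with the 0644 mode from the report, audit it, then
    tighten it to 0640 and audit again. Returns (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        netdev = Path(tmp) / "10-netplan-home0.netdev"
        netdev.write_text(SAMPLE_NETDEV)
        netdev.chmod(0o644)
        before = audit_directory(Path(tmp))
        netdev.chmod(0o640)  # the mode the report recommends (plus correct group)
        return before, audit_directory(Path(tmp))
```

Pointing audit_directory at /run/systemd/network on a host running an unpatched netplan.io reproduces the report's finding for every wireguard tunnel whose key was given literally.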