doc: CVE-2023-45140

2 years ago · 9d509b7f2d
parent 59b04ab761
commit 9d509b7f2d
4 changed files with 133 additions and 0 deletions
--- a/doc/sphinx/administration/security_advisories.rst
+++ b/doc/sphinx/administration/security_advisories.rst
@ -0,0 +1,13 @@
+Security Advisories
+===================
+
+This section contains all the security advisories since The Bastion has been published.
+
+If you find any behavior or bug that you suspect might have a security impact, please
+`report it here <https://github.com/ovh/the-bastion/security>`_.
+
+.. toctree::
+   :maxdepth: 1
+   :caption: CVE List
+
+   security_advisories/cve_2023_45140.rst
--- a/doc/sphinx/administration/security_advisories/cve_2023_45140.rst
+++ b/doc/sphinx/administration/security_advisories/cve_2023_45140.rst
@ -0,0 +1,79 @@
+==============
+CVE-2023-45140
+==============
+
+- ``Severity``: **4.8** (CVSS V3)
+- ``Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N``
+- ``Affected versions``: from 3.0.0 included to 3.14.15 excluded
+- ``Patched versions``: 3.14.15 and up
+
+`This advisory is also available online <https://github.com/ovh/the-bastion/security/advisories/GHSA-pr4q-w883-pf5x>`_.
+
+Summary
+=======
+
+SCP and SFTP plugins don't honor group-based and account-based JIT MFA.
+
+Details
+=======
+Establishing a SCP/SFTP connection through The Bastion via a group access where MFA is enforced does not ask for additional factor. This abnormal behavior only applies to `per-group-based JIT MFA <https://ovh.github.io/the-bastion/administration/mfa.html#on-a-per-group-basis>`_ and `JIT MFA on a per-account basis <https://ovh.github.io/the-bastion/administration/mfa.ht↪·ml#on-a-per-account-basis>`_.
+
+Other MFA setup types, such as `Immediate MFA <https://ovh.github.io/the-bastion/administration/mfa.html#immediate-mfa>`_ and `JIT MFA on a per-plugin basis <https://ovh.github.io/the-bastion/administration/mfa.html#on-a-per-plugin-basis>`_ are not affected.
+
+Normal SSH access (i.e. not SCP nor SFTP) is not affected.
+
+How to reproduce for group-based JIT MFA
+========================================
+- Create a group
+- Apply ``groupModify --mfa-required any`` to this group
+- Grant SSH access to someone via this group on a given IP
+- Grant ``scp`` download right (or ``sftp`` right) to the same person via this group on the same IP
+- This group should now force MFA for any connection of the person allowed through the group's rights set. This is the case for SSH, but not for SCP or SFTP as would be expected.
+
+How to reproduce for account-based JIT MFA
+==========================================
+- Create an account
+- Apply ``accountModify --personal-egress-mfa-required any`` to this account
+- Grant a personal SSH access to this account on a given IP
+- Grant ``scp`` download right (or ``sftp`` right) to the same account via their personal access on the same IP
+- This account should now have forced MFA for any egress connection allowed through their personal rights set. This is the case for SSH, but not for SCP or SFTP as would be expected.
+
+Impact for group-based JIT MFA
+==============================
+For an actor to be able to bypass MFA for scp/sftp to a given remote server, ALL the following conditions must apply:
+
+- The target server must be part of a group (and have the egress group's public key trusted in its :file:`authorized_keys` file)
+- The group must have JIT MFA enabled on it (through ``groupModify --mfa-required any``)
+- The actor must have an account on the bastion
+- The actor must be a member of the group (granted by the groups's gatekeepers)
+- scp and/or sftp must be globally enabled on the bastion (this is the default)
+- scp and/or sftp must be explicitly allowed to the given remote server through the group (granted by the groups's aclkeepers)
+
+When all conditions above apply, the actor would be able to use scp or sftp on the target server without requiring to provide an additional factor where it should.
+
+Impact for account-based JIT MFA
+================================
+For an actor to be able to bypass MFA for scp/sftp to a given remote server, ALL the following conditions must apply:
+
+- The target server must be part of the actor's account personal accesses (and have the account's egress public key trusted in its :file:`authorized_keys` file)
+- The account must have JIT MFA enabled on it (through ``accountModify --personal-egress-mfa-required any``)
+- scp and/or sftp must be globally enabled on the bastion (this is the default)
+- scp and/or sftp must be explicitly allowed to the given remote server through this account's personal accesses (granted by either ``selfAddPersonalAccess`` or ``accountAddPersonalAccess``)
+
+When all conditions above apply, the actor would be able to use scp or sftp on the target server without requiring to provide an additional factor where it should.
+
+Mitigation
+==========
+If you don't use the `per-group-based JIT MFA <https://ovh.github.io/the-bastion/administration/mfa.html#on-a-per-group-basis>`_ on any of your groups (through ``groupModify --mfa-required``), and don't use the `JIT MFA on a per-account basis <https://ovh.gi↪·thub.io/the-bastion/administration/mfa.ht↪·ml#on-a-per-account-basis>`_ (through ``accountModify --personal-egress-mfa-required``), you don't need to mitigate the issue as you don't use the impacted feature (see above for impact details).
+
+Otherwise, if you can't immediately upgrade to v3.14.15 or more recent, and you feel that the aforementioned impacts are important enough in your environment, you may choose to temporarily disable the ``scp`` and ``sftp`` plugins globally on the bastion, by setting ``"disabled": true`` in these plugins configuration files, which can be found in :file:`/etc/bastion/plugin.scp.conf` and :file:`/etc/bastion/plugin.sftp.conf` respectively. If these files don't exist, create them with the contents as ``{ "disabled": true }``. They should be readable by anyone but modifiable only by root (i.e. ``chmod 664; chown root:root``)
+
+Timeline
+========
+
+- 2023-10-06: security bug report filed on GitHub
+- 2023-10-06: bug report accepted and confirmed as having a security impact
+- 2023-10-11: CVE ID requested
+- 2023-10-11: CVE ID assigned
+- 2023-11-07: fix pushed to a private fork for review
+- 2023-11-xx: v3.14.15 released with the fix
--- a/doc/sphinx/index.rst
+++ b/doc/sphinx/index.rst
@ -78,6 +78,7 @@ The unavoidable and iconic FAQ is also available under the **PRESENTATION** sect
   administration/configuration/index
   administration/logs
   administration/mfa
+   administration/security_advisories

 .. toctree::
   :maxdepth: 2
--- a/doc/sphinx/installation/upgrading.rst
+++ b/doc/sphinx/installation/upgrading.rst
@ -27,6 +27,46 @@ See the ``--help`` for a more fine-grained upgrade path if needed.
 Version-specific upgrade instructions
 =====================================

+v3.14.15 - 2023/11/xx
+*********************
+
+This release fixes the :doc:`/administration/security_advisories/cve_2023_45140` with severity 4.8 (CVSS V3).
+Please refer to its page for impact and mitigation details.
+
+The changes introduced to fix this vulnerability imply that if you're using the ``scp`` or ``sftp`` plugins,
+you'll need to update your wrappers using the new versions provided by this release. The old helpers will still
+work, but only for remote hosts that don't require MFA.
+
+To get the new wrappers for your account on a given bastion, just call ``--osh scp`` or ``--osh sftp`` without
+specifying any host, which will give you your script, and examples of use.
+As you'll notice, the new scripts are no longer helpers (that were to be used through ``scp -S`` and
+``sftp -S``), but wrappers, that will call  ``scp`` and ``sftp`` themselves.
+
+As outlined above, the old helpers will still work for the foreseeable future, but as they're not able to
+request MFA when this is configured for a remote host, they'll simply fail for such hosts on an updated
+version of the bastion.
+
+If you have some accounts that use automated accesses through the bastion and use ``scp`` or ``sftp`` on
+hosts that have JIT MFA configured through their group, you'll need to set these accounts as immune to JIT MFA,
+which can be done through :doc:`/plugins/restricted/accountModify`'s ``--mfa-password-required bypass``
+and/or ``accountModify --mfa-totp-required bypass``, as has always been the case for classic SSH access.
+
+An HMAC shared secret is automatically generated when this release is deployed, this secret must be shared
+by all the instances of the same cluster. Hence, you should start by deploying this release on the primary
+node, which will generate the secret automatically during the standard upgrading procedure, so that this
+node can push the shared-secret to the other nodes. The other nodes don't have to be upgraded beforehand,
+they'll just not use the secret until they're upgraded to this version, and JIT MFA for ``scp`` and ``sftp``
+will not work through them until this is the case. Once the primary node is upgraded, you should restart
+the synchronization daemon, so that it takes into consideration the new file (containing the shared secret)
+to push to the other nodes. This is usually done this way:
+
+.. code-block:: shell
+   :emphasize-lines: 1
+
+   systemctl restart osh-sync-watcher
+
+You can verify on the other nodes that the ``/etc/bastion/mfa-token.conf`` file is now present.
+
 v3.14.00 - 2023/09/19
 *********************