
The puppet module does not validate the master's X.509 certificate #360

Closed
gunnarbeutner opened this issue Aug 22, 2017 · 3 comments

@gunnarbeutner (Contributor)

The puppet module fetches the master's certificate using the icinga2 pki save-cert CLI command but does not in any way validate that this certificate actually belongs to the correct Icinga master.

This presents an MITM vulnerability where an attacker could associate Icinga agents with a rogue Icinga master. Once that's done, it can:

a) retrieve check results from the agent
b) send commands to the agent (depending on whether accept_commands is set)
c) send config files to the agent (depending on whether accept_config is set).

@bobapple (Contributor)

bobapple commented Jan 8, 2018

references #365

@lbetz lbetz added this to the v2.0.0 milestone Jan 11, 2018
@lbetz lbetz self-assigned this Oct 12, 2018
@lbetz lbetz removed this from the v2.0.0 milestone Feb 3, 2019
@lbetz lbetz removed their assignment Feb 12, 2019
@lbetz lbetz self-assigned this Apr 25, 2019
@lbetz lbetz added this to the v2.1.0 milestone Apr 25, 2019
@lbetz (Contributor)

lbetz commented Apr 25, 2019

Add an optional parameter to check the fingerprint and/or compare the trusted certificate with the parent cert.

@lbetz (Contributor)

lbetz commented Apr 29, 2019

The fingerprint ends with one or more whitespaces.

On Windows use
| findstr /R /C:"...[ ]*$"

On *nix use
| grep "...\s*$"
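The issue body describes the gap (the certificate fetched with `icinga2 pki save-cert` is trusted without being checked) and the two comments above propose pinning it to a fingerprint, noting that the printed fingerprint carries trailing whitespace. The following is an added example of that fingerprint check, not code from the puppet-icinga2 module: it assumes the fetched certificate is available as PEM text and that the operator supplies the expected SHA-256 fingerprint out of band (e.g. read off the master itself); the PEM below is a constructed stand-in rather than a real certificate, no Icinga CLI output format is assumed, and the alternative "compare with the parent cert" path is not shown.

```python
"""Pin a fetched certificate to an operator-supplied SHA-256 fingerprint
before trusting it.  Added example, not puppet-icinga2 code; SAMPLE_PEM is
a constructed stand-in and no Icinga CLI output format is assumed."""
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block and base64-decode it to DER."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint_sha256(pem: str) -> str:
    """SHA-256 over the DER bytes, rendered as colon-separated upper-case
    hex, i.e. the value `openssl x509 -sha256 -fingerprint` prints."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Canonical form for comparison: drop whitespace (including the
    trailing blanks discussed in the issue), colons and letter case."""
    return re.sub(r"[^0-9A-F]", "", fingerprint.upper())


def fingerprint_matches(pem: str, expected: str) -> bool:
    """Fail closed: a malformed expected value never matches, and the
    comparison itself is constant-time."""
    want = normalize(expected)
    if len(want) != 64:          # 32 bytes of SHA-256 as hex digits
        return False
    return hmac.compare_digest(normalize(fingerprint_sha256(pem)), want)


# Constructed sample: arbitrary bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed stand-in for DER bytes, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    expected = fingerprint_sha256(SAMPLE_PEM)
    # Constructed: the value as it might be copied from a tool's output,
    # lower-case and with trailing whitespace.
    copied = "  " + expected.lower() + "   \n"
    print("match despite whitespace/case noise:",
          fingerprint_matches(SAMPLE_PEM, copied))
    print("match against a wrong value:",
          fingerprint_matches(SAMPLE_PEM, "AA:" * 32))
```

Normalizing before comparison removes the need for the `findstr`/`grep` whitespace handling entirely, and refusing anything that does not normalize to exactly 64 hex digits means an empty or truncated expected value cannot silently accept every certificate.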

@lbetz lbetz closed this as completed in d3b6236 Apr 30, 2019