You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
All secrets for all products are available on the internet to unauthenticated users
Consul's method of controlling access to the secrets which it stores is by requiring that clients requesting secrets authenticate themselves with a x509 keypair signed request. The request must be signed by a x509 keypair which has been signed by a predefined certificate authority. The consul server has the public key of this certificate authority set so that only clients with certs signed by that CA can request secrets.
All consul clients use the came client certificate
The result of this is that any instance in any product can fetch all secrets for all products. It also means that anyone on the internet can fetch all secrets for all products.
A planned mitigation for this issue is to enable jenkins to provision an ACL token from Consul and inject it into a stack via CloudFormation and then into the ec2 instance via user_data
This security control will reduce this risk but it will remain significant. In a model with this security control, the ACL token and by extension all secrets which that instance has access to (or all secrets if there is no ACL differentiation) are available to all users with the ability to read CloudFormation stack outputs or to read instance user_data (which is currently planned to be all Mozilla employees).
Recommendations :
Create a bootstrap process so that fetching the secrets is an authenticated process. For example Jenkins generates and signes an x509 key pair which it distributes to the instances in the stack using KMS for encryption and DynamoDB for storage (e.g. credstash) during instance creation.
Consul web ui access should use LDAP and MFA (or Okta)
The text was updated successfully, but these errors were encountered:
From https://mana.mozilla.org/wiki/display/SECURITY/Nubis#Nubis-#insecureconsulaccess
All secrets for all products are available on the internet to unauthenticated users
Consul's method of controlling access to the secrets which it stores is by requiring that clients requesting secrets authenticate themselves with a x509 keypair signed request. The request must be signed by a x509 keypair which has been signed by a predefined certificate authority. The consul server has the public key of this certificate authority set so that only clients with certs signed by that CA can request secrets.
https://github.com/Nubisproject/nubis-base/blob/9faad0ff20e4964579bea09b5c7737e9426a753f/nubis/bin/consul-autojoin.sh#L61-L62
A planned mitigation for this issue is to enable jenkins to provision an ACL token from Consul and inject it into a stack via CloudFormation and then into the ec2 instance via user_data
This security control will reduce this risk but it will remain significant. In a model with this security control, the ACL token and by extension all secrets which that instance has access to (or all secrets if there is no ACL differentiation) are available to all users with the ability to read CloudFormation stack outputs or to read instance user_data (which is currently planned to be all Mozilla employees).
Recommendations :
The text was updated successfully, but these errors were encountered: