VYPR
Medium severity 5.5 · NVD Advisory · Published Jun 8, 2017 · Updated May 13, 2026

CVE-2016-3107

Description

Pulp 2.8.3 and earlier store node certificates with private keys in a world-readable file, allowing local users access to sensitive data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Node certificate in Pulp versions prior to 2.8.3 contains the private key and is stored in a world-readable file at /etc/pki/pulp/nodes/node.crt [1][2]. The certificate is generated by the script pulp-gen-nodes-certificate, which originally created the file with permissions 644 (world-readable) and root ownership [3][4]. This affects Pulp up to and including version 2.8.2 [2].

Exploitation

Any local user on the system can read the file /etc/pki/pulp/nodes/node.crt and extract the private key contained within it [1][3]. No authentication or special privileges are required beyond local access to the filesystem [3]. The attack does not require any user interaction beyond normal system access.

Impact

Successful exploitation allows a local attacker to obtain the private key associated with a Pulp node certificate [1][2]. This can lead to unauthorized access to sensitive data, as the private key can be used to impersonate the node or decrypt communications [3]. The impact is considered moderate, as it requires local access but provides access to cryptographic material [2].

Mitigation

The vulnerability is fixed in Pulp 2.8.3, released on or around May 19, 2016 [2]. The fix changes the file permissions to 640 and sets group ownership to apache, ensuring only the apache user and group can read the file [4]. Red Hat Satellite 6.2 addressed this via RHBA-2016:1501 [1]. Users should upgrade to Pulp 2.8.3 or later; no workaround is documented.
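
A check a defender could run against the file and permissions described above. This is an added example, not code from Pulp or the advisory; the function name, return codes and the constructed demo file are assumptions, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not Pulp project code): audit a node certificate file for the
# CVE-2016-3107 condition. Return: 0 = OK, 1 = finding, 2 = file not present.
# Assumes GNU stat (Linux). Function and variable names are illustrative.

audit_node_cert() {
    cert=${1:-/etc/pki/pulp/nodes/node.crt}   # path given in the advisory
    want_group=${2:-apache}                   # group named in the 2.8.3 fix
    [ -f "$cert" ] || { echo "SKIP: $cert not present"; return 2; }

    # Without an embedded PEM private key block the file is not sensitive.
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$cert"; then
        echo "OK: $cert holds no private key block"; return 0
    fi

    mode=$(stat -c '%a' "$cert")              # octal mode, e.g. 644
    group=$(stat -c '%G' "$cert")             # owning group name
    other=${mode#"${mode%?}"}                 # last octal digit = "other" bits
    findings=0

    case $other in
        4|5|6|7) echo "FAIL: $cert is world-readable (mode $mode)"; findings=1 ;;
    esac
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: $cert group is $group, expected $want_group"; findings=1
    fi
    [ "$findings" -eq 0 ] && echo "OK: $cert mode $mode group $group"
    return "$findings"
}

# Demo on a constructed file (placeholder content, not real key material).
demo() {
    tmp=$(mktemp)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$tmp"
    grp=$(stat -c '%G' "$tmp")                # stand-in for "apache" in the demo
    chmod 644 "$tmp"; audit_node_cert "$tmp" "$grp" || true   # pre-fix mode
    chmod 640 "$tmp"; audit_node_cert "$tmp" "$grp" || true   # post-fix mode
    rm -f "$tmp"
}
demo
```

On a Pulp host, calling `audit_node_cert` with no arguments checks the path and group named in the advisory.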

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3
  • Pulpproject/Pulp (inferred), 3 versions: <2.8.3 + 2 more
    • (no CPE) range: <2.8.3
    • cpe:2.3:a:pulpproject:pulp:*:*:*:*:*:*:*:* range: <=2.8.2-1
    • (no CPE) range: <2.8.3

References

5
