
facter returns sensitive information about EC2 IAM tokens

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: FACT 2.3.0
    • Fix Version/s: FACT 2.4.1
    • Component/s: None
    • Labels: None
    • Environment: PE 3.7.1
    • Story Points: 1
    • CVE-ID: CVE-2015-1426
    • Sprint: Client 2015-02-04

    Description

    Facter scrapes everything in an EC2 node's metadata and reports on it. This includes the temporary auth tokens that nodes are given via IAM, which allow them to perform tasks against the AWS APIs themselves.

    Specifically, this is meant to be sensitive data that shouldn't leave a host machine, so a user running facter on a machine with an IAM profile attached to it would now be distributing their tokens (and secret keys), allowing someone else to provision nodes in AWS, etc., based on the security level of those profiles. The tokens by default are refreshed every twelve hours, but facter will collect them every Puppet run, providing a user the latest tokens as needed.

    Facter fact results starting with ec2_iam_security_credentials_ should be excluded from the facter output; the ones starting with ec2_iam_info* are safe, as they just refer to the IAM profile name and the last time it was modified.

    Example output on a node given an Admin-level IAM profile:

        facter -p ec2_iam_security_credentials_admin_5
        "SecretAccessKey" : "uB8lC......"
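    As an added illustration (not Facter's own code), the Ruby below shows the two places the exclusion described in this issue can live: at the source, where a collector flattening the EC2 metadata tree into ec2_* fact names refuses to descend into iam/security-credentials while still emitting ec2_iam_info, and at the output, where facts already collected are dropped by the ec2_iam_security_credentials_ name prefix. The metadata tree is a constructed sample with fake values and only stands in for the live metadata service.

```ruby
# Added example, not Facter's code. Builds ec2_* facts from a metadata tree,
# never emitting the iam/security-credentials subtree, and filters already
# collected facts by the name prefix called out in FACT-800.

# Constructed sample of the instance metadata tree; every value is fake.
SAMPLE_METADATA = {
  "instance-id" => "i-0123456789abcdef0",
  "iam" => {
    "info" => '{"InstanceProfileArn":"arn:aws:iam::000000000000:instance-profile/admin","LastUpdated":"2015-01-20T10:00:00Z"}',
    "security-credentials" => {
      "admin_5" => '{"AccessKeyId":"AKIAFAKEFAKEFAKEFAKE","SecretAccessKey":"uB8lCfakefakefakefake","Token":"FAKE-TOKEN"}',
    },
  },
}.freeze

SENSITIVE_PATHS = ["iam/security-credentials"].freeze   # whole subtrees
SENSITIVE_FACT_PREFIX = "ec2_iam_security_credentials_".freeze

def sensitive_path?(path)
  SENSITIVE_PATHS.any? { |p| path == p || path.start_with?("#{p}/") }
end

# Fact name for a metadata path: "ec2_" plus the path with '/' and '-'
# mapped to '_' (iam/security-credentials/admin_5 -> ec2_iam_security_credentials_admin_5).
def fact_name(path)
  "ec2_" + path.gsub(%r{[/-]}, "_")
end

# Source-side exclusion: walk the tree and skip sensitive paths entirely.
# Returns [facts_hash, excluded_paths] so the skip can be logged.
def ec2_facts(tree, prefix = "", facts = {}, excluded = [])
  tree.each do |key, value|
    path = prefix.empty? ? key : "#{prefix}/#{key}"
    if sensitive_path?(path)
      excluded << path
    elsif value.is_a?(Hash)
      ec2_facts(value, path, facts, excluded)
    else
      facts[fact_name(path)] = value
    end
  end
  [facts, excluded]
end

# Output-side filter for facts collected by an older, unpatched collector.
def strip_credential_facts(facts)
  facts.reject { |name, _| name.start_with?(SENSITIVE_FACT_PREFIX) }
end

if __FILE__ == $PROGRAM_NAME
  facts, excluded = ec2_facts(SAMPLE_METADATA)
  puts facts.keys.inspect, "excluded: #{excluded.inspect}"
end
```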

    People

    • Assignee: Unassigned
    • Reporter: cbarker Chris Barker
    • QA Contact: Kurt Wall
    • Votes: 0
    • Watchers: 9
