[FACT-800] facter returns sensitive information about EC2 IAM tokens Created: 2015/01/27  Updated: 2016/03/09  Resolved: 2015/02/10

Status: Closed
Project: Facter
Component/s: None
Affects Version/s: FACT 2.3.0
Fix Version/s: FACT 2.4.1

Type: Bug Priority: Major
Reporter: Chris Barker Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

PE 3.7.1

Issue Links:
blocks FACT-806 facter 2.4.1 2015.02.10 Release Resolved
Epic Link: 2015 Security Fixes
Story Points: 1
CVE-ID: CVE-2015-1426
Sprint: Client 2015-02-04
QA Contact: Kurt Wall


Facter scrapes everything about an ec2 nodes metadata and reports on it, this includes the temporary auth tokens that nodes are given via IAM that allow them to perform tasks against the AWS api's themselves.

Specifically, this is meant to be sensitive data that shouldn't leave a host machine, so a user running facter on a machine with an IAM Profile attached to it would now be distributing their tokens (and secret keys) allowing someone else to provision nodes in AWS, etc based on the security level of those profiles. The tokens by default are refreshed every twelve hours, but facter will collect them every puppet run, providing a user the latest tokens as needed.

Facter fact results starting with ec2_iam_security_credentials_ should be excluded from the facter output, the ones starting with ec2_iam_info* are safe as they just refer to the IAM profile name and last time it was modified.

Example output on a node given an Admin level IAM Profile:

facter -p ec2_iam_security_credentials_admin_5
"SecretAccessKey" : "uB8lC......"

Comment by Geoff Nichols [ 2015/01/30 ]

Josh Cooper and Peter Huene, is it ok to cherry-pick this fix for inclusion in pe-facter (https://github.com/puppetlabs/pe-facter/pull/34)?

Comment by John Duarte [ 2015/01/30 ]

Peter Huene, Geoff Nichols can IAM tokens be nested below root of the IAM?

If I alter the spec test to include a security-credentials dir below the IAM root, the test fails.

Altered test

  it 'filters out IAM security credentials' do
    subject.expects(:fetch_endpoint).with('iam/').returns(['foo', 'security-credentials/', 'bar/', 'qux'])
    output = subject.fetch
    expect(output).to eq({
      'iam' => {
        'foo' => 'baz',
        'bar' => {
          'baz' => 'foo'
        'qux' => '',

The returned result includes the security-credentials unexpectedly

  1) Facter::EC2::Metadata filters out IAM security credentials
     Failure/Error: expect(output).to eq({
       expected: {"iam"=>{"foo"=>"baz", "bar"=>{"baz"=>"foo"}, "qux"=>""}}
            got: {"iam"=>{"foo"=>"baz", "bar"=>{"baz"=>"foo"}, "qux"=>"security-credentials/"}}
       (compared using ==)
       @@ -1,2 +1,2 @@
       -"iam" => {"foo"=>"baz", "bar"=>{"baz"=>"foo"}, "qux"=>""}
       +"iam" => {"foo"=>"baz", "bar"=>{"baz"=>"foo"}, "qux"=>"security-credentials/"}

Comment by Peter Huene [ 2015/01/30 ]

It isn't currently in the metadata schema (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html). Also, it's expected that security-credentials be non-leaf (i.e. it contains child values). Thus the trailing slash is important as it means you can query it for child values (the child values are the ones that are sensitive).

Comment by Peter Huene [ 2015/01/30 ]

Also, this should be fine to cherry-pick.

Comment by Geoff Nichols [ 2015/02/03 ]

For PE, this fix is also in the puppet-enterprise-3.7.2-rc2 build as pe-facter

Comment by Kurt Wall [ 2015/02/03 ]

Unable to verify because I don't have permission to create/manage IAM roles. When I try to do so, AWS's browser console responds:

We encountered the following errors while processing your request:
 User: arn:aws:iam::482693910459:user/kurt.wall is not authorized to perform: iam:GetAccountSummary
 User: arn:aws:iam::482693910459:user/kurt.wall is not authorized to perform: iam:ListAccountAliases

Running against a non-IAM system, facter does not display ec2_iam facts. I don't know if doing so is useful; wanted to cover the option for thoroughness.

# bundle exec facter -p | grep -nic ^ec2
# bundle exec facter -p | grep -nic ^iam

Comment by Kurt Wall [ 2015/02/03 ]

Facter doesn't to load security-credentials/ on non-IAM hosts. Putting this in here to remind me of the REST URL to use.

 curl -L -v --url
* About to connect() to port 80 (#0)
*   Trying connected
* Connected to ( port 80 (#0)
> GET /2008-02-01/meta-data/ HTTP/1.0
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/ zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host:
> Accept: */*
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Content-Type: text/plain
< Accept-Ranges: bytes
< ETag: "2275137257"
< Last-Modified: Tue, 03 Feb 2015 17:06:39 GMT
< Content-Length: 239
< Connection: close
< Date: Tue, 03 Feb 2015 19:29:32 GMT
< Server: EC2ws
* Closing connection #0

Comment by Kurt Wall [ 2015/02/03 ]

TestRail-ed as C63177

Comment by Peter Huene [ 2015/02/10 ]

This has been merged to stable with e546bc546e.

Comment by Peter Huene [ 2015/02/10 ]

Released in Facter 2.4.1.

Generated at Mon Oct 14 06:32:58 PDT 2019 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.