SB2020081020 - Multiple vulnerabilities in etcd

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Weak password requirements (CVE-ID: CVE-2020-15115)

The vulnerability allows an attacker to perform brute-force attack and guess the password.

The vulnerability exists due to weak password requirements in etcd. An attacker can perform a brute-force attack and guess users' passwords.

2) Resource management error (CVE-ID: CVE-2020-15106)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources with the application, as a large slice causes panic in decodeRecord method. A remote attacker can  forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.

3) Improper Preservation of Permissions (CVE-ID: CVE-2020-15113)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software improperly sets permissions to certain directory paths in case they were previously created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients). A local user can gain unauthorized access to sensitive information on the system.

4) Resource management error (CVE-ID: CVE-2020-15112)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources with the application, as it is possible to have an entry index greater then the number of entries in the ReadAll method in wal/wal.go. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go down from a runtime panic when reading the entry.

5) Resource exhaustion (CVE-ID: CVE-2020-15114)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote authenticated user can include the gateway address as an endpoint, trigger resource exhaustion and perform a denial of service (DoS) attack.

6) Improper Authentication (CVE-ID: CVE-2020-15136)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag.

Remediation

Install update from vendor's website.

References

• https://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh
• https://github.com/etcd-io/etcd/security/advisories/GHSA-p4g4-wgrh-qrg2
• https://github.com/etcd-io/etcd/security/advisories/GHSA-chh6-ppwq-jh92
• https://github.com/etcd-io/etcd/security/advisories/GHSA-m332-53r6-2w93
• https://github.com/etcd-io/etcd/security/advisories/GHSA-2xhq-gv6c-p224
• https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/gateway.md
• https://github.com/etcd-io/etcd/security/advisories/GHSA-wr2v-9rpq-c35q