Bug
Resolution: Unresolved
rhel-10.0.beta
keylime-7.9.0-7.el10
sst_security_special_projects
ssg_security
SECENGSP Cycle 6, SECENGSP Cycle 7
keylime revocation notifier must use TLS
Pass
Automated
Removed Functionality
Done
What were you trying to do that didn't work?
The verifier does not enforce the use of TLS for the connection between the verifier and the revocation notification webhook when TLS is enabled in configuration.
This means that if the webhook does not provide a certificate, the connection is established without TLS and the revocation notification is transferred in plaintext. This can be dangerous if the revocation notification includes sensitive data.
Please provide the package NVR for which the bug is seen:
keylime-7.3.0-13.el9_3.src.rpm
How reproducible:
100%
Steps to reproduce
- Set up a webhook without TLS to receive the revocation notifications. For testing purposes, a simple ncat is sufficient. For example:
$ ncat --no-shutdown -k -l 8080 -c '/usr/bin/sleep 3 && echo HTTP/1.1 200 OK' -o logfile &
- Starting from the default configuration, configure the verifier to send revocation notifications to the webhook by setting the following options:
enabled_revocation_notifications = ['agent', 'webhook']
webhook_url = "localhost:8080"
- Start the Keylime verifier, Keylime registrar, and Keylime agent. Enroll the agent with the verifier using the Keylime tenant. Make the agent fail attestation by running a script that is not included in the runtime policy.
Expected results
The connection between the verifier and the webhook should not be established due to lack of server certificate. The webhook server should not receive the revocation notification.
Actual results
The connection is established without TLS and the server receives the revocation notification.
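As an added example (not keylime's own code), the check the verifier is missing: refuse a revocation webhook that would be reached without TLS when TLS is enabled, and only ever connect with server certificate verification on. The `tls_enabled` flag, the function names and the `cafile`/`certfile` parameters are assumptions; the bare `localhost:8080` form from the configuration above is handled as the scheme-less edge case.

```python
# Added example, not keylime's code: validate the revocation webhook URL
# against the (assumed) tls_enabled setting and only open a TLS connection
# that verifies the server certificate, so a webhook with no certificate
# is refused instead of silently receiving the notification in plaintext.
import http.client
import json
import ssl
from urllib.parse import urlsplit


def check_webhook_url(webhook_url: str, tls_enabled: bool) -> str:
    """Return a normalized URL or raise ValueError.

    A bare 'host:port' (as in webhook_url = "localhost:8080") has no
    scheme, and urlsplit would read the host as the scheme, so a missing
    '://' is handled explicitly. With TLS enabled, plain http:// is an
    error and a scheme-less URL is pinned to https://.
    """
    parts = urlsplit(webhook_url if "://" in webhook_url else "//" + webhook_url)
    if not parts.hostname:
        raise ValueError(f"webhook_url has no host: {webhook_url!r}")
    if tls_enabled and parts.scheme == "http":
        raise ValueError("TLS is enabled but webhook_url uses plain http://")
    scheme = "https" if tls_enabled else (parts.scheme or "http")
    return parts._replace(scheme=scheme).geturl()


def notifier_tls_context(cafile=None, certfile=None, keyfile=None) -> ssl.SSLContext:
    """Client context that requires and verifies the webhook's certificate
    (and presents the verifier's own cert for mTLS when one is given)."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def send_revocation_notification(webhook_url: str, payload: dict,
                                 tls_enabled: bool, ctx: ssl.SSLContext) -> int:
    """POST the notification; with TLS enabled the handshake must succeed
    against a verified certificate or no data is sent at all."""
    url = check_webhook_url(webhook_url, tls_enabled)
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or (443 if tls_enabled else 80)
    if tls_enabled:
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("POST", parts.path or "/", body=json.dumps(payload),
                 headers={"Content-Type": "application/json"})
    status = conn.getresponse().status
    conn.close()
    return status
```

Against the ncat listener from the reproduction steps, `send_revocation_notification("localhost:8080", {...}, True, notifier_tls_context())` fails in the TLS handshake and the listener's logfile stays empty, which is the expected result described above.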
Links to: RHBA-2024:136504 keylime bug fix and enhancement update