Fix a vulnerability in management services that enables an unauthenticated server to submit management requests on other members' behalf.
About the vulnerability
The management services on the Central Server are exposed through port 4001.
The port needs to be open so that Security Servers can send the authentication certificate registration requests (authCertReg) to the Central Server.
It is assumed that all other management requests must go through the management Security Server.
The management Security Server is responsible for authentication.
However, the other management services - Security Server client registration request (clientReg), Security Server client deletion request (clientDeletion), Security Server authentication certificate deletion request (authCertDeletion) - can also be reached directly via port 4001 without authentication.
At a minimum, all Security Servers need access to port 4001 on the Central Server.
If one has access to port 4001 on Central Server:
It is possible to send an unauthenticated clientDeletion request, and the Central Server will delete the client.
It is possible to send an unauthenticated clientReg request, and the Central Server will create a client registration request.
It is possible to send an unauthenticated authCertDeletion request, and the Central Server will delete the authentication certificate. The authentication certificate to be deleted is sent as a request parameter; therefore the sender of the request must already have access to the certificate to be deleted.
In addition, it is possible to launch the generation of the global configuration remotely by accessing "https://<CENTRAL_SERVER_HOST>:4001/managementservice/gen_conf". The content of the global configuration cannot be modified this way, but the generation creates at least some CPU load and might cause a DoS by filling up the disk.
The vulnerability has been fixed by splitting the management services in two:
Authentication certificate registration service (authCertReg)
Runs on port 4001
Security Server client registration service (clientReg), Security Server client deletion service (clientDeletion), authentication certificate deletion service (authCertDeletion)
Run on port 4002
Before the fix, all management services were running on port 4001. After the fix, authCertReg runs on port 4001 and the other management services on port 4002. In this way, access to the authentication certificate registration service and to the other management services can be controlled separately by a firewall, as they run on different ports. Access to port 4002 must be allowed from the management Security Server(s) only.
In addition, it is not possible to launch the generation of the global configuration through port 4001 anymore. The generation of the global configuration can be launched from localhost (Central Server) or through port 4400.
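The following is an added illustration of why the port split matters for the firewall; it is not part of the original advisory or of X-Road itself. It models the service-to-port mapping before and after the fix, a hypothetical firewall policy (the 10.0.0.0/16 Security Server range and the 10.0.0.2 management Security Server are constructed addresses), and a small audit over constructed log lines that flags management-only requests that reached the Central Server from a host other than the management Security Server. With the pre-fix mapping a clientDeletion from an ordinary Security Server passes the firewall because port 4001 must be open to every Security Server; with the post-fix mapping the same request lands on port 4002 and is dropped.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Port each management service listens on before and after the fix (from the advisory).
PORTS_BEFORE = {"authCertReg": 4001, "clientReg": 4001,
                "clientDeletion": 4001, "authCertDeletion": 4001}
PORTS_AFTER = {"authCertReg": 4001, "clientReg": 4002,
               "clientDeletion": 4002, "authCertDeletion": 4002}

# Services that are supposed to arrive only via the management Security Server.
MANAGEMENT_ONLY = {"clientReg", "clientDeletion", "authCertDeletion"}


@dataclass(frozen=True)
class FirewallPolicy:
    """Source networks allowed per Central Server port (hypothetical addresses)."""
    all_security_servers: tuple   # may reach 4001 (authCertReg must stay reachable)
    management_servers: tuple     # may reach 4002 (management Security Server(s) only)

    def _in(self, src: str, nets: tuple) -> bool:
        addr = ip_address(src)
        return any(addr in ip_network(n) for n in nets)

    def permits(self, src: str, dport: int) -> bool:
        """True if the firewall lets a packet from src through to dport."""
        if dport == 4001:
            return self._in(src, self.all_security_servers)
        if dport == 4002:
            return self._in(src, self.management_servers)
        return False

    def iptables_rules(self) -> list:
        """Render the policy as iptables INPUT rules (strings only, nothing is applied)."""
        rules = [f"iptables -A INPUT -p tcp --dport 4001 -s {n} -j ACCEPT"
                 for n in self.all_security_servers]
        rules += [f"iptables -A INPUT -p tcp --dport 4002 -s {n} -j ACCEPT"
                  for n in self.management_servers]
        rules += ["iptables -A INPUT -p tcp --dport 4001 -j DROP",
                  "iptables -A INPUT -p tcp --dport 4002 -j DROP"]
        return rules


def parse_event(line: str) -> dict:
    """Parse a constructed 'key=value' log line into {'src': ..., 'service': ...}."""
    fields = dict(part.split("=", 1) for part in line.split()[1:])
    return {"src": fields["src"], "service": fields["service"]}


def direct_management_requests(events, ports, policy) -> list:
    """Events where a management-only service was reached through the firewall
    from a host that is not a management Security Server."""
    hits = []
    for ev in events:
        dport = ports[ev["service"]]
        if (ev["service"] in MANAGEMENT_ONLY
                and policy.permits(ev["src"], dport)
                and not policy._in(ev["src"], policy.management_servers)):
            hits.append(ev)
    return hits


# Constructed sample log lines (not real X-Road output).
LOG_LINES = [
    "2024-03-01T10:00:00Z src=10.0.1.10 service=authCertReg",     # ordinary Security Server
    "2024-03-01T10:00:05Z src=10.0.5.7 service=clientDeletion",   # ordinary Security Server
    "2024-03-01T10:00:09Z src=10.0.0.2 service=clientReg",        # management Security Server
]
EVENTS = [parse_event(line) for line in LOG_LINES]

# Hypothetical policy: every Security Server sits in 10.0.0.0/16, the management
# Security Server is 10.0.0.2.
POLICY = FirewallPolicy(all_security_servers=("10.0.0.0/16",),
                        management_servers=("10.0.0.2/32",))

if __name__ == "__main__":
    print("before fix:", direct_management_requests(EVENTS, PORTS_BEFORE, POLICY))
    print("after fix: ", direct_management_requests(EVENTS, PORTS_AFTER, POLICY))
    print("\n".join(POLICY.iptables_rules()))
```

The audit shows the fix's effect as a firewall matter rather than an application one: nothing in the policy changes between the two runs, only the port each service is bound to, which is exactly what lets the operator restrict port 4002 to the management Security Server(s) while keeping port 4001 open to all Security Servers.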
Changes to configuration
After the fix has been applied, the X-Road operator must update the management services URL on management Security Server(s). The new management services URL depends on whether management services are accessed using HTTP or HTTPS.