As multiple security concerns appeared when performing the security review of 
this package, I had a discussion with Jean and Didier from the owning team. We 
concluded that reporting these issues before offering the final MIR report 
would be best. This is because no user is affected (as the package is still in
beta), and transparency will catalyse the fixes.

The concerns found are as follows:

1. Insecure gRPC communication: Because 
credentials/insecure) is used in `internal/controlstream/session.go`, the 
created gRPC connections are unencrypted and unauthenticated. A malicious 
unprivileged user could make the agent connect the host to a rogue Landscape 
server, leading to command execution. As discussed with Didier, encryption 
seems unfeasible due to Windows Defender. A mitigation here will involve 
authentication (possibly with certificates), ensuring that the communication of 
the Ubuntu agent will occur only with the trusted Windows service.
2. Information leak in the temporary Landscape configuration file: 
`/etc/landscape/client.conf.new` is a temporary file created by the Ubuntu 
service in `internal/system/landscape.go` to store the Landscape configuration. 
This file can also store sensitive information such as the account-wide 
registration key, `registration_key`. This could lead to auto-registration of 
any computer on the Landscape server. As a mitigation, the permission model 
could be adjusted so that only the Landscape client can read it, not any user.
3. Command execution inside the Windows host: In `internal/system/system.go`, 
all mounts are iterated and checked for communication with the 9P protocol 
(which is standard for the second version of WSL). These drives are checked 
with `s.findCmdExe()` to contain the `cmd.exe` executable. [As USB drives can 
be made visible inside the WSL 
instance](https://learn.microsoft.com/en-us/windows/wsl/connect-usb), it may be 
possible for a rogue `cmd.exe` executable file from a USB drive to be executed. 
As discussed with Jean and Didier, this assumption should be manually validated.
4. Crash when using IPv6 domain servers: When detecting the address of the 
Windows host, the agent checks if the NAT mode is used. If so, then the 
`/etc/resolv.conf` file is parsed in search of `nameserver` entries. If the 
entry is an IPv6 entry, the address will be concatenated with the port using 
the `Sprintf` function. The result of this concatenation is ambiguous because 
it's not using the `[<ip>]:<port>` IPv6 notation, further connections may 
crash. Please see [this](https://github.com/golang/go/issues/28308) proposed 
Golang vet check.

Let me know if there is anything I can assist with in the meantime.

Many thanks!

** Bug watch added: github.com/golang/go/issues #28308

You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

  [MIR] wsl-pro-service

To manage notifications about this bug go to:

ubuntu-bugs mailing list

Reply via email to