Hi, As multiple security concerns appeared when performing the security review of this package, I had a discussion with Jean and Didier from the owning team. We concluded that reporting these issues before offering the final MIR report would be best. This is because no user is affected (as the package is still in beta), and transparency will catalyse the fixes.
The concerns found are as follows: 1. Insecure gRPC communication: Because [`insecure.NewCredentials()`](https://pkg.go.dev/google.golang.org/grpc@v1.62.0/ credentials/insecure) is used in `internal/controlstream/session.go`, the created gRPC connections are unencrypted and unauthenticated. A malicious unprivileged user could make the agent connect the host to a rogue Landscape server, leading to command execution. As discussed with Didier, encryption seems unfeasible due to Windows Defender. A mitigation here will involve authentication (possibly with certificates), ensuring that the communication of the Ubuntu agent will occur only with the trusted Windows service. 2. Information leak in the temporary Landscape configuration file: `/etc/landscape/client.conf.new` is a temporary file created by the Ubuntu service in `internal/system/landscape.go` to store the Landscape configuration. This file can also store sensitive information such as the account-wide registration key, `registration_key`. This could lead to auto-registration of any computer on the Landscape server. As a mitigation, the permission model could be adjusted so that only the Landscape client can read it, not any user. 3. Command execution inside the Windows host: In `internal/system/system.go`, all mounts are iterated and checked for communication with the 9P protocol (which is standard for the second version of WSL). These drives are checked with `s.findCmdExe()` to contain the `cmd.exe` executable. [As USB drives can be made visible inside the WSL instance](https://learn.microsoft.com/en-us/windows/wsl/connect-usb), it may be possible for a rogue `cmd.exe` executable file from a USB drive to be executed. As discussed with Jean and Didier, this assumption should be manually validated. 4. Crash when using IPv6 domain servers: When detecting the address of the Windows host, the agent checks if the NAT mode is used. If so, then the `/etc/resolv.conf` file is parsed in search of `nameserver` entries. If the entry is an IPv6 entry, the address will be concatenated with the port using the `Sprintf` function. The result of this concatenation is ambiguous because it's not using the `[<ip>]:<port>` IPv6 notation, further connections may crash. Please see [this](https://github.com/golang/go/issues/28308) proposed Golang vet check. Let me know if there is anything I can assist with in the meantime. Many thanks! ** Bug watch added: github.com/golang/go/issues #28308 https://github.com/golang/go/issues/28308 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2052495 Title: [MIR] wsl-pro-service To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wsl-pro-service/+bug/2052495/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
