Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-29186

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rundeck community and rundeck-enterprise docker images contained a pre-generated SSH keypair. If the id_rsa.pub public key of the keypair was copied to authorized_keys files on remote host, those hosts would allow access to anyone with the exposed private credentials. This misconfiguration only impacts Rundeck Docker instances of PagerDuty® Process Automation On Prem (formerly Rundeck) version 4.0 and earlier, not Debian, RPM or .WAR. Additionally, the id_rsa.pub file would have to be copied from the Docker image filesystem contents without overwriting it and used to configure SSH access on a host. A patch on Rundeck’s main branch has removed the pre-generated SSH key pair, but it does not remove exposed keys that have been configured. To patch, users must run a script on hosts in their environment to search for exposed keys and rotate them. Two workarounds are available: Do not use any pre-existing public key file from the rundeck docker images to allow SSH access by adding it to authorized_keys files and, if you have copied the public key file included in the docker image, remove it from any authorized_keys files.

CVE
Open in Source
#vulnerability#web#debian#js#auth#ssh#rpm#docker#sap

Package

docker rundeck/rundeck, rundeckpro/enterprise (docker )

Impact

Rundeck Community and Rundeck Enterprise Docker images contained a pre-generated SSH key pair. If the id_rsa.pub public key of the key pair was copied to authorized_keys files on remote hosts, those hosts would allow access to anyone with the exposed private key.

This misconfiguration only impacts Rundeck Docker instances of PagerDuty® Process Automation On Prem (formerly Rundeck) version 4.0 and earlier, not Debian, RPM or .WAR. Additionally, the id_rsa.pub file would have to be copied from the Docker image filesystem contents without overwriting it and used to configure SSH access on a host.

Patches

Rundeck 4.1.0 has removed the pre-generated SSH key pair, but it does not remove exposed keys that have been configured. To patch, users must run a script on hosts in their environment to search for exposed keys and rotate them.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

  • Do not use any pre-existing public key file from the Rundeck Docker images. Always generate a new SSH key and select ‘yes’ if prompted to overwrite.
  • If the public key file included in the Docker image may have been used to configure node access, search the authorized_keys files for any of the keys listed below.

References

Are there any links users can visit to find out more?

  • Rundeck key pair support article

For more information

If you have any questions or comments about this advisory:

  • Open an issue in our forums
  • Download the key search script

Public Keys

IDs

rundeck@435cc7c0ec97
rundeck@a9408cab34cf
rundeck@d39a9897de35
rundeck@553322682a1d
rundeck@7ff0495cadf8
rundeck@0a88c2cee02f
rundeck@6ce6a554d02b
rundeck@buildkitsandbox

Full List

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9Vvytjg2zM7qJKCITFSqTx4IXmo+jamSFas9disxhluG59MqE0EUpYoKeFBmbNtvjkhsV4GaKWuE1vFJTei6DKcKf8Nj9u9Up6B9lktUZdqJcldYJ6mwVOqGD5a+TLZ+noMy38ud6wXJPlZ9R/GYaOMe76MiEFANykjJcG7kLehgx3JSEW1+o80wV+lXKFM2pkc/dMLWXIwvavqNQZ58untU/X20d89415PwPQl+dIEsRVlbMpfubGGH/p/TwkKHwZBBsrdt9Xgqb7fjGZmMIYvdHRMxyuZHTUhADWMhrqkkefDHssTJJ4e/FnbhWAs7avP2SJ+z3UezCkxyO2iqT rundeck@435cc7c0ec97
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqSAVtpsWY9QMGPXMY84rlkiyqLp1br36SnSikU/hfS447J4H6opA31LjGcHOIMojvcUFsR+QFqODvVsTnFQoDtSXRi2EKFWZuIpuGZByym6hNIEE7Ol+ptLiv+LGF/ZAc9bdeETjSdjJcbhoDo2ip7upX2/L2tYXdRNjlu4UJS7PADvdI+ggsIPIY+lp3peQ7NAB8r1nVXKaQcoashFRVhooDVLLMz7yvx3lBqenWGa3ZMQ8WyVCqIwuQNAkmCZU5HbwUGnkg78C40mjoldT3GyP1mNWN7IijxUlQcqnZrAybtNoCabJd47BzFa0PC7n5P/OTrWdi+G2DHM5nBLSj rundeck@a9408cab34cf
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw28Z4V+jXiDRgRpPeNEi+RyoDltXUVetcSDWVQrHLVOnq4Fxmosq1r1az/eZx0Z4uRfxDFFRjfL0mI8NLPvRebDt6DAfwCgJYZDhxyQdNJByix0/hX6DA/iL2cXPJUQvyF1vegNZd2irBbwQiep/DIxz77uZT/pzPY+/1M5omGkFWt/YyXW/LJExtn7BtqgYcccLibv9A8a3zC8h6OOkqhlieBKeU5bkLcD/YMP5q+GXmhlMiCZUFOq92gk/SeueqOaAOmjSW4rHxR1WFN9WTJHrkc6g4i5N+q2uFb0/me7+1Hkty1oK54+CMZ7k/oGjpjONDAH3lGsTUYGy+k/3P rundeck@d39a9897de35
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDATDA01TrPie2iL2F/HMjDRlIkofIJcRVYXsCBOvkiBQagCMBmpsdHpDGwDXDocphM3lNBxXaucAuYWKoO9ZeAdQMNo4+BQHtSrjA5D547BknN5S7XQCG8C8rKw88Y+71Q3DeIXDDR1SvKYgBz6BHHjxfjKYf+1wDcTBdEJ4RBoiJ+nhIZOSqt2hEXdKqEjBRrELrr8xZfjZ+epquAQ0UwVUzzdOJ86mxkzbqJbK8wKVDgxaQi6feIyazlYsKr90vKQVqQ4UOGyrVGGEZx509mGSTdtVjZ4VOCrRg8fzeHP9SXYXARQATnH6cMVEtOoPIrsivMO87c8D85tcMLJPlF rundeck@553322682a1d
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZvpSpmukKKvi/fwRHsqksAEaNfz3SkYR6q5T1SisoWH00S/ukQ3Imo6zjFpPmF8IIApME/5sov3y1vJNdm44ket5wOjawjerQzcNy8Csm0gRgtey1kDOtI/FdhLq+pcjGewz1nfLj9cair/zaaH3mRmmUl/rrgqpFDnrvxxI16Hi1HmOVvgCd57UG7uIBCjKIO7k8AjZU8E3N5X52gIq7Fv+srvhLnP/D2MPLfn8D7j2QY23idgSY2fODgpFoF/dK4+HrOXBmx8nGOcgqMl5hb4X7XX/JWk8+h9nAE9q6m1ndOnYYMhqHP7omhmgaSx4g0cm3qOIyXtti3bOj9s2r rundeck@7ff0495cadf8
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDf/tHMlrlpHUyYA7nUz+GIZeaxjwa/L485jr32wDg7OMNr+EEmYrLQXOtLN4PSHd4fJXHX1W5NpImJYEcmmwDD4TekST9fLZ7/qKKqhvihj1uYNIQxmLKLtwzdLCIGCBYUtCMKa/59MKx+xkX+4899DZKWSxdJU12ZksQ8q2tRynrzYU7bSk6LGkGDTSTlPgdjhib78mQTccgGj4Ld1ERZsFtrKsSpG6a1/utDS6chjP9+hvsapcMjNJ3rH+sRjfrpE6pL8sFxseR5iMMLzlI0Mu5zvYuqpuXY2O9HFdCRJoEqV0e+CT/fYzxJR1wv3PWaMvcG3xwWstU2V8uWETRv rundeck@0a88c2cee02f
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDiX3h/kCWAInCyup8P8Bw2982L/eE30Pz1Jrd/7K5Tt1BQxQZiGbu7H0/r0yXdaI5cHEfU5zpDtx1LbjXh/iM5A06uQQ92se9MX6Gf3oSGkXvN5es4Sz0B5Cs4NjDd+hWNVYpE4H/88Qs6I922hZsraXoRO1CDVcuLvp/SF+n2tt1RqAoPBy1kWrDbeoVbaiV/0Uayzs/FmMbP6bX7nYutFzi/l7Bwmjv2/mdlqv3Uxqj0Wc3VvCtjg2inlQXqOT/A247Xxzaw/XJcP4mX/qHQZ+PgMJtFqYI5QNka40ux03XGKNrqyjfeR0rRS+P7ipMBn0/dNCytZox0Unk2Cjc/ rundeck@6ce6a554d02b
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuSFUAy3CUa+UoKJG5bZQBrxr/FEantBVeuAhb+FyDlenKKojRDRAGZugtW/jOh5E0f+37DPGbyncschLe42lf8gL1eUULRg2YkpuZXsTX7cWpVZH4c4i5vE3IoYi1tzGTF47XckUnNMZ+o6QYfJfAmTQGiqKDdf5HfE3kgvuVmASOfY1LQRmBYGNjskAx1E/JButYzrISvWuYdFbAxTZ/oLz4GATcJvPD00i9yyxrUXxsz7TWurzDEQpGZ480qcFMdV09Mu9htz4OVcjDcM+kWaXoert7l6pVvaJIIuUkwCwlweR1k/G4s0wGLt3mhDLTyDvJ1tchawynJZNqfw2mL1tdvGwrQQ5yGxVswHftwHNqRar8TSltqHHL41EXYtVfip2YMByhqdGhbVKpbkf85E9zJR25/EXUZFY2+G/KZyVTdS3ajbM1Pr9hlRbAJFkBGkQBNYHvxs/RDlgX4H9WpLufD8EOZCDrFbfw2spEQgqBZ7do5L4vGQRGjuP388k= rundeck@buildkitsandbox

Credit

Thank you to Paul Calabro (@paulcalabro) for reporting this.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE