Security
Headlines

CVE-2023-40354: [MXS-4681] Encrypted passwords are persisted in plaintext

An issue was discovered in MariaDB MaxScale before 23.02.3. A user enters an encrypted password on a “maxctrl create service” command line, but this password is then stored in cleartext in the resulting .cnf file under /var/lib/maxscale/maxscale.cnf.d. The fixed versions are 2.5.28, 6.4.9, 22.08.8, and 23.02.3.

Hi

Adding a service in MaxScale with a dynamic change requires adding the user and password. Passing the encrypted password to the command confirms that the service has been created, but the password in /var/lib/maxscale/maxscale.cnf.d/Read-Service.cnf ends up stored as a clear password.

maxctrl create service Read-Service readconnroute user=service_user password=2KVMANFl502A2398E42A8C670825770EED948CCBD764E1B67…
OK

cat Read-Service.cnf
[Read-Service]
router_options=slave
password=This_is_my_pwd_clear
router=readconnroute
type=service
user=service_user

So the encryption is already on. There are a few things to clarify and update in the documentation as well:

  • Can I pass the encrypted password?
  • Can I pass the clear password?
  • How does MaxScale understand whether the password I am passing is encrypted or not?
  • For sure, if encryption is on, the file should not store the clear password.
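The report above shows the failure mode concretely: the operator passes the encrypted string, MaxScale accepts it, and the fragment written under maxscale.cnf.d carries the decrypted value. The following audit helper is an added example, not code from the CVE entry or from the MaxScale project. It parses the generated .cnf fragments, compares the persisted password with the value the operator actually passed, and checks a MaxScale version string against the fixed versions listed in the advisory (2.5.28, 6.4.9, 22.08.8, 23.02.3). The .cnf text is the fragment from the report; the "passed" encrypted value is a constructed placeholder because the report truncates the real one.

```python
"""Audit helper for the MaxScale persisted-password issue (CVE-2023-40354).

Added example; not code from the CVE entry or from MariaDB MaxScale.
It inspects the .cnf fragments that `maxctrl create service` writes under
/var/lib/maxscale/maxscale.cnf.d and flags any service whose persisted
password differs from the encrypted value the operator passed, which is
exactly the symptom in the report (the file contains the cleartext).
"""
import configparser
from pathlib import Path
from typing import Optional

# Fixed versions from the advisory, keyed by MaxScale release branch.
FIXED_VERSIONS = {
    (2, 5): (2, 5, 28),
    (6,): (6, 4, 9),
    (22, 8): (22, 8, 8),
    (23, 2): (23, 2, 3),
}

# The fragment exactly as shown in the report (sample input).
SAMPLE_CNF = """\
[Read-Service]
router_options=slave
password=This_is_my_pwd_clear
router=readconnroute
type=service
user=service_user
"""

# Constructed placeholder: the report truncates the real encrypted string.
PASSED_ENCRYPTED = "ENCRYPTED-VALUE-PASSED-TO-MAXCTRL-PLACEHOLDER"


def parse_version(version: str) -> tuple:
    """'22.08.8' -> (22, 8, 8); leading zeros in a component are tolerated."""
    return tuple(int(part) for part in version.strip().split("."))


def is_fixed(version: str) -> Optional[bool]:
    """True if this MaxScale version carries the fix, False if it is affected,
    None if the version is on a branch the advisory does not list."""
    v = parse_version(version)
    for branch, fixed in FIXED_VERSIONS.items():
        if v[: len(branch)] == branch:
            return v >= fixed
    return None


def persisted_passwords(cnf_text: str) -> dict:
    """Map each section in a MaxScale .cnf fragment to its password value."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cnf_text)
    return {
        name: cp[name]["password"]
        for name in cp.sections()
        if "password" in cp[name]
    }


def stored_in_cleartext(cnf_text: str, section: str, passed_value: str) -> bool:
    """True if the persisted password for `section` is not the value that was
    passed on the maxctrl command line, i.e. MaxScale rewrote it before saving."""
    stored = persisted_passwords(cnf_text).get(section)
    if stored is None:
        raise KeyError(f"no password for section {section!r}")
    return stored != passed_value


def audit_directory(cnf_dir: str, passed_values: dict) -> list:
    """Walk every *.cnf under cnf_dir; passed_values maps section name to the
    encrypted string the operator passed. Returns (path, section) pairs whose
    persisted password does not match, for follow-up (rotate and re-create)."""
    findings = []
    for path in sorted(Path(cnf_dir).glob("*.cnf")):
        for section, stored in persisted_passwords(path.read_text()).items():
            expected = passed_values.get(section)
            if expected is not None and stored != expected:
                findings.append((str(path), section))
    return findings


if __name__ == "__main__":
    for ver in ("23.02.2", "23.02.3", "22.08.8", "6.4.8"):
        print(ver, "fixed" if is_fixed(ver) else "affected")
    print("Read-Service stored in cleartext:",
          stored_in_cleartext(SAMPLE_CNF, "Read-Service", PASSED_ENCRYPTED))
```

On a live host, call `audit_directory("/var/lib/maxscale/maxscale.cnf.d", {"Read-Service": "<the string you passed>"})`; any finding means the cleartext credential is on disk and should be rotated after upgrading to a fixed version, since patching alone does not rewrite already-persisted files.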
