CVE-2023-40050: Profiles

Uploading a maliciously crafted profile, either through the API or through the user interface, to Chef Automate versions up to and including 4.10.29 allows remote code execution when the profile is processed with the InSpec check command.


Overview

Compliance profiles help you secure your infrastructure continuously. Chef Automate compliance profiles translate CIS Benchmarks and other security standards into easily readable policy. You can install and download one of our 300+ ready-to-use compliance profiles from Profiles, or upload your custom profiles.

Using Profiles

Navigate to compliance profiles by selecting the Compliance tab and then selecting the Profiles page, or by heading to https://automate.example.com/compliance/compliance-profiles.

Profiles has a search bar and two views: the Profiles page, which displays the profiles you’ve installed in your unique namespace within Chef Automate, and the Available page, which displays all of the ready-to-use compliance profiles in Chef Automate.

Installing Profiles

Locate profiles by browsing the list or by using the search bar. To install a compliance profile into your namespace, select Get on the right side of the profile name.

Download compliance profiles to your workstation for use with Scan Jobs and the Audit Cookbook, or as a basis for your own customizations. Start by selecting the arrow on the far right side of the profile, which redirects you to the Profile Details view. Select the download button in the upper right corner of the profile description to download the selected profile as a gzip-compressed tarball (.tar.gz).

Uploading profiles

Upload any InSpec 2 compatible profile, including inherited profiles, to Chef Automate with the upload button on the Profiles page. Uploads use either the .tar.gz or the .zip archive format. The uploaded archive is processed on the Chef Automate server, which is the code path covered by CVE-2023-40050 above: keep Chef Automate patched beyond version 4.10.29 and limit which users and tokens may upload profiles.

All profiles are stored in PostgreSQL, and are covered by backup and restore functionality.

Note

All profiles should have a valid version in their inspec.yml. Older builds of Chef Automate require at least three elements in the x.y.z form, for example 1.2.0, and optionally accept one additional element, such as 1.2.0-20. Newer Chef Automate builds allow both two-element and three-element profile versions.
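An added pre-upload check, written for this page and not part of Chef Automate or InSpec, covering both the upload section and the version rule above: it opens a profile .tar.gz, refuses entries with absolute or parent-directory paths, symlinks, hard links and device nodes, and checks that the inspec.yml at the archive root carries a name and a version that matches the rule (two-element versions only when allow_two_element is set). The YAML handling is a deliberately minimal line scan and the sample profiles are constructed inline; a real tool would use a YAML parser. Passing this check does not by itself guard against the crafted profiles behind CVE-2023-40050, whose details are not on this page.

```python
"""Pre-upload sanity checks for an InSpec profile tarball (example code, not Chef's own)."""
import io
import re
import tarfile
from typing import Dict, List, Optional

# Version rule from the docs: x.y.z with an optional "-n" suffix;
# newer Automate builds also accept two-element x.y versions.
_THREE = re.compile(r"^\d+\.\d+\.\d+(-\d+)?$")
_TWO_OR_THREE = re.compile(r"^\d+\.\d+(\.\d+)?(-\d+)?$")


def version_ok(version: str, allow_two_element: bool = False) -> bool:
    pattern = _TWO_OR_THREE if allow_two_element else _THREE
    return bool(pattern.match(version.strip()))


def _top_level_value(yaml_text: str, key: str) -> Optional[str]:
    # Minimal extraction of an unindented "key: value" line (assumption: a real
    # tool would use a YAML parser; this keeps the example dependency-free).
    for line in yaml_text.splitlines():
        if line.startswith(key + ":"):
            return line.split(":", 1)[1].strip().strip("'\"")
    return None


def check_profile_archive(data: bytes, allow_two_element: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the archive looks sane."""
    problems: List[str] = []
    try:
        tar = tarfile.open(fileobj=io.BytesIO(data), mode="r:gz")
    except tarfile.TarError as exc:
        return [f"not a gzip tarball: {exc}"]
    inspec_yml = None
    with tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            # Paths that would escape the extraction directory.
            if member.name.startswith("/") or ".." in parts:
                problems.append(f"unsafe path: {member.name}")
            # Links and device nodes have no place in a profile archive.
            if member.issym() or member.islnk():
                problems.append(f"link entry not allowed: {member.name} -> {member.linkname}")
            if member.isdev():
                problems.append(f"device entry not allowed: {member.name}")
            # inspec.yml may sit at the top level or inside one profile directory.
            if member.isfile() and parts[-1] == "inspec.yml" and len(parts) <= 2:
                if inspec_yml is not None:
                    problems.append("more than one inspec.yml near the archive root")
                inspec_yml = tar.extractfile(member).read().decode("utf-8", "replace")
    if inspec_yml is None:
        problems.append("inspec.yml not found at the archive root")
        return problems
    name = _top_level_value(inspec_yml, "name")
    version = _top_level_value(inspec_yml, "version")
    if not name:
        problems.append("inspec.yml has no name")
    if version is None:
        problems.append("inspec.yml has no version")
    elif not version_ok(version, allow_two_element):
        problems.append(f"invalid version {version!r}")
    return problems


def build_profile(entries: Dict[str, str], links: Optional[Dict[str, str]] = None) -> bytes:
    """Build a .tar.gz in memory from {path: text}; links are {path: target} symlinks.
    Used only to construct the sample archives below."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in entries.items():
            body = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
        for path, target in (links or {}).items():
            info = tarfile.TarInfo(path)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()


# Constructed sample data: one well-formed profile, one with the problems the check flags.
GOOD_PROFILE = build_profile({
    "my-profile/inspec.yml": "name: my-profile\nversion: 1.2.0-20\n",
    "my-profile/controls/ssh.rb": (
        "control 'ssh-1' do\n  impact 1.0\n  describe sshd_config do\n"
        "    its('PermitRootLogin') { should eq 'no' }\n  end\nend\n"
    ),
})
BAD_PROFILE = build_profile(
    {
        "my-profile/inspec.yml": "name: my-profile\nversion: 1.2\n",
        "../../opt/evil.rb": "puts 'escaped the profile directory'\n",
    },
    links={"my-profile/controls/passwd": "/etc/passwd"},
)

if __name__ == "__main__":
    for label, blob in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(label, check_profile_archive(blob) or "ok")
```

Run the file directly to see the good archive pass and the bad one fail on the traversal path, the symlink and the two-element version; pass allow_two_element=True to mirror a newer Chef Automate build, where only the path and link findings remain.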

Updating profiles

New releases of profiles are shipped with the product when available. Chef ships only the latest versions of profiles. When Chef publishes a newer profile version that a user has installed to their namespace, a small notification appears, prompting the user to download the newest version. Installing the newest version adds the updated profile to the user namespace, but it does not overwrite an existing profile. You can keep multiple versions of a profile and it is up to you to curate your installed profiles.

Understanding Profiles

The appearance of the Profile Details page depends on whether a profile is installed. From the details page of an uninstalled profile you can Get or Download it. From the page of an installed profile you can Download or Delete it. Deleting a profile removes it from the profiles collection in your namespace, but it remains listed in the Available view. Installed or uninstalled, a profile's header and body contain important information.

The profile header displays the profile title, a brief description, and Download and Delete buttons if you have installed the profile, or Get and Download buttons if the profile is available but not installed in your unique namespace. In either case, the profile header displays a status box detailing the:

Status: installed or uninstalled

Version: the version number of the profile, which changes with updates

Author: the organization responsible for composing and updating the profile

License: restrictions on the profile's re-use

Installed profiles display a cURL command for an ad-hoc profile run.

Profile Body

A profile is made up of a series of controls, which are listed in the body of the Profile Details page. Each control has one or more InSpec tests. The control table shows the number and names of the controls in the profile, as well as the:

Total tests: the number of tests in the control

Severity: the impact of a control, from 0 to 1. See the Chef InSpec documentation for more information about the severity measure.

Selecting the shaded area next to the control name or the + on the right side expands the control to show a more detailed description. Selecting View Code displays the control’s InSpec code.

About the Profile Identifier

The profile identifier is composed of the user’s username and the profile name, found in the installed profiles list at https://automate.example.com/profiles. Use this identifier when specifying profiles for the audit cookbook as well as specifying profiles through the InSpec CLI.

Note

The identifier is derived from the user's username, which is only guaranteed to be unique within one identity source, either local or SAML. Two users of the same Chef Automate instance who share a username, one in the local group and one in the SAML group, therefore have access to each other's profiles; avoid reusing usernames across identity sources when profile isolation matters.

Interacting with Chef Automate Profiles

You can interact with Chef Automate Profiles from the command line, as well as from the user interface. For more information, see the InSpec CLI subcommand.

API Calls

We've provided some essential cURL commands for interacting with Chef Automate Profiles. In these examples, the owner is the same value as the first part of the identifier, as discussed in About the Profile Identifier.

Get All Installed Profiles

curl --insecure -H "X-Data-Collector-Token: token-value" https://automate.example.com/api/v0/compliance/profiles/search -d '{"owner": "test"}'

Get All Available Profiles

curl --insecure -H "X-Data-Collector-Token: token-value" https://automate.example.com/api/v0/compliance/profiles/search -d '{}'

Download .tar

curl --insecure -H "X-Data-Collector-Token: token-value" https://automate.example.com/api/v0/compliance/profiles/tar -d '{"name":"cis-aix-5.3-6.1-level1","owner":"admin","version":"1.1.0-3"}' -o cis-aix-5.3-6.1-level1-1.1.0-3.tar.gz

Upload tar

curl --insecure -F file=@cis-ubuntu12_04lts-level1-1.1.0-2.tar.gz -H "X-Data-Collector-Token: token-value" "https://automate.example.com/api/v0/compliance/profiles?owner=admin"

The --insecure flag turns off TLS certificate verification for the call, so the token can be captured by anyone able to intercept the connection; drop it once Chef Automate presents a certificate your workstation trusts, or pass your CA with --cacert instead. The download call writes the tarball to the file named by -o; without -o, curl writes the binary archive to standard output.
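The same four calls as a small Python client, added here as an example; this is not Chef's code and not an official SDK. It builds each request with the X-Data-Collector-Token header, encodes the upload as multipart/form-data the way curl -F does, and verifies the server certificate instead of using --insecure. The base URL, token and file name are placeholders, and the request builders can be inspected without a network connection; only send() talks to a server.

```python
"""Chef Automate profile API calls from Python (example code, not Chef's own)."""
import json
import secrets
import ssl
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode


@dataclass
class HttpCall:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


class ProfilesApi:
    """Builds the profile API calls shown above; send() performs them."""

    def __init__(self, base_url: str, token: str) -> None:
        self.base_url = base_url.rstrip("/") + "/api/v0/compliance/profiles"
        self.token = token

    def _json_call(self, path: str, payload: dict) -> HttpCall:
        # Matches curl -d '<json>' with the X-Data-Collector-Token header.
        return HttpCall(
            "POST",
            self.base_url + path,
            {"X-Data-Collector-Token": self.token, "Content-Type": "application/json"},
            json.dumps(payload).encode(),
        )

    def search(self, owner: Optional[str] = None) -> HttpCall:
        # {"owner": ...} lists a namespace's installed profiles; {} lists all available ones.
        return self._json_call("/search", {"owner": owner} if owner else {})

    def tar(self, name: str, owner: str, version: str) -> HttpCall:
        return self._json_call("/tar", {"name": name, "owner": owner, "version": version})

    def upload(self, owner: str, filename: str, data: bytes) -> HttpCall:
        # Equivalent of curl -F file=@<archive>: one multipart/form-data part named "file".
        boundary = "----" + secrets.token_hex(16)
        body = (
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n"
        ).encode() + data + f"\r\n--{boundary}--\r\n".encode()
        return HttpCall(
            "POST",
            self.base_url + "?" + urlencode({"owner": owner}),
            {
                "X-Data-Collector-Token": self.token,
                "Content-Type": f"multipart/form-data; boundary={boundary}",
            },
            body,
        )


def send(call: HttpCall, cafile: Optional[str] = None, timeout: float = 30.0) -> Tuple[int, bytes]:
    """Perform a call with certificate verification on (the opposite of curl --insecure).
    cafile points at the CA that signed the Automate certificate when it is not in the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(call.url, data=call.body, headers=call.headers, method=call.method)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Placeholder host and token; replace with your own before calling send().
    api = ProfilesApi("https://automate.example.com", "token-value")
    for call in (api.search("test"), api.search(),
                 api.tar("cis-aix-5.3-6.1-level1", "admin", "1.1.0-3"),
                 api.upload("admin", "my-profile-1.2.0.tar.gz", b"placeholder archive bytes")):
        print(call.method, call.url, call.headers["Content-Type"], len(call.body), "bytes")
```

To save a downloaded profile, write the bytes returned by send(api.tar(...)) to a .tar.gz file; to upload, read your archive into bytes and pass it to api.upload() before send().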

