As part of a routine security audit, 4 High and 3 Medium vulnerabilities, along with several minor ones, were discovered that affect all currently supported releases of Gravity. Users are encouraged to upgrade to the following releases in order to avoid the issues summarized below:
Public release of the security update is being held back to allow Enterprise customers to update their infrastructure. We will merge the fixes to the public Gravity repository on July 5th, 2019. This notice will be updated with the link to the complete set of findings and reproduction steps from the audit when the report is finalized.
Issues Addressed in this Release
Application Bundles Insecure Decompress (High)
The tele and gravity binaries have been shown to be vulnerable to path traversal when extracting Gravity application archives from untrusted sources. An attacker-controlled archive can cause files to be written to arbitrary locations on the filesystem, with the privileges of the user running the tool.
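The check that prevents this class of bug is to resolve every archive entry against the extraction directory before writing anything, and to refuse entries that resolve outside it. The Go program below is an added example written for this advisory, not Gravity's own extraction code. It assumes a plain tar stream (the sample archives are constructed inline), shows a safeJoin check applied to every entry, and also refuses symlink and hard-link entries, since a link pointing outside the destination would redirect a later write:

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// safeJoin resolves an archive entry name inside dest and rejects any name
// that would land outside it: absolute paths, "../" segments, or a cleaned
// path that still escapes. It returns the absolute target path.
func safeJoin(dest, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", fmt.Errorf("entry %q: absolute paths are not allowed", name)
	}
	target := filepath.Join(dest, name) // Join cleans ".." against dest
	rel, err := filepath.Rel(dest, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q: path escapes extraction directory", name)
	}
	return target, nil
}

// extract unpacks a tar stream into dest. Every entry goes through safeJoin
// and only directories and regular files are accepted. It returns the files
// written so far and the first error encountered.
func extract(r io.Reader, dest string) ([]string, error) {
	dest, err := filepath.Abs(dest)
	if err != nil {
		return nil, err
	}
	tr := tar.NewReader(r)
	var written []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		target, err := safeJoin(dest, hdr.Name)
		if err != nil {
			return written, err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return written, err
			}
			// Mask the mode: drop setuid/setgid/sticky and group/world write.
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode)&0o755)
			if err != nil {
				return written, err
			}
			// tar.Reader bounds this read to the size declared in the header.
			_, err = io.Copy(f, tr)
			f.Close()
			if err != nil {
				return written, err
			}
			written = append(written, target)
		default:
			return written, fmt.Errorf("entry %q: unsupported entry type %d", hdr.Name, hdr.Typeflag)
		}
	}
}

// entry is a constructed sample file for buildArchive.
type entry struct{ name, body string }

// buildArchive builds an in-memory tar stream from the given entries, in
// order. This is constructed test data, not a real Gravity bundle.
func buildArchive(entries []entry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "extract-demo")
	defer os.RemoveAll(dest)
	benign := buildArchive([]entry{{"app/manifest.yaml", "name: demo\n"}})
	malicious := buildArchive([]entry{{"../../outside.sh", "echo pwned\n"}})
	if files, err := extract(bytes.NewReader(benign), dest); err == nil {
		fmt.Println("benign archive extracted:", files)
	}
	if _, err := extract(bytes.NewReader(malicious), dest); err != nil {
		fmt.Println("malicious archive rejected:", err)
	}
}
```

The comparison is done on the cleaned relative path rather than on the raw name, so an entry such as app/../../etc/cron.d/x is caught even though it does not start with "../", while a legitimate file whose name merely begins with two dots is left alone.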
Tele CLI Remote Code Execution via Malicious Auth Connector (High)
The tele binary did not sanitize auth connector URLs received from an ops center, leading to arbitrary command execution on the host running tele. The vulnerability is triggered by logging into an ops center that is untrusted or has been compromised.
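A URL that arrives from the remote side of a login is untrusted input, and the two controls a practitioner would expect before it is handed to the operating system are an allow-list on its shape and an exec that never goes through a shell. The Go code below is an added example for this advisory and is not tele's implementation; it assumes the login flow needs to open an http(s) URL taken from the ops center's connector configuration in the user's browser, and the function names are this example's own. The host is deliberately not pinned, because an SSO connector legitimately redirects to a third-party identity provider:

```go
package main

import (
	"fmt"
	"net/url"
	"os/exec"
	"runtime"
)

// validateConnectorURL accepts only an absolute http(s) URL with a host and
// no userinfo. The string came from the remote ops center, so nothing about
// it is trusted until it has passed this check.
func validateConnectorURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("connector URL %q: %v", raw, err)
	}
	if u.Scheme != "https" && u.Scheme != "http" {
		return nil, fmt.Errorf("connector URL %q: scheme %q not allowed", raw, u.Scheme)
	}
	if u.Hostname() == "" {
		return nil, fmt.Errorf("connector URL %q: missing host", raw)
	}
	if u.User != nil {
		return nil, fmt.Errorf("connector URL %q: userinfo not allowed", raw)
	}
	return u, nil
}

// browserCommand builds the command that opens u in the user's browser. The
// URL is passed as a single argv element to the platform opener and is never
// interpolated into a shell command line, so metacharacters in it are inert.
// The command is returned rather than started so callers can inspect it.
func browserCommand(u *url.URL) *exec.Cmd {
	switch runtime.GOOS {
	case "darwin":
		return exec.Command("open", u.String())
	case "windows":
		return exec.Command("rundll32", "url.dll,FileProtocolHandler", u.String())
	default:
		return exec.Command("xdg-open", u.String())
	}
}

// openConnector is the login path: validate, tell the user what is about to
// be opened, then launch the browser.
func openConnector(raw string) error {
	u, err := validateConnectorURL(raw)
	if err != nil {
		return err
	}
	fmt.Println("Opening browser at:", u.String())
	return browserCommand(u).Start()
}

func main() {
	// Constructed samples: one legitimate SSO redirect and three that must be refused.
	for _, raw := range []string{
		"https://idp.example.com/oauth2/authorize?client_id=tele&state=abc",
		"file:///etc/passwd",
		"https://",
		"$(id) https://idp.example.com/",
	} {
		if _, err := validateConnectorURL(raw); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted:", raw)
		}
	}
}
```

Printing the URL before opening it is cheap and gives the user a chance to notice a redirect to an unexpected identity provider, which the scheme check alone cannot catch.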
Missing ACLs in Authorization API Keys Management (High)
Any authenticated user of a cluster was able to read, delete or create API keys for arbitrary users within that cluster, allowing privilege escalation and impersonation of other users.
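The missing piece here is resource-level authorization: authentication establishes who the caller is, but every operation on a key must still compare the caller with the key's owner (or require an admin role). The Go code below is an added example for this advisory and not Gravity's API implementation; the store, role names and error values are this example's own, and the ownership check runs against the stored owner rather than anything the caller supplies:

```go
package main

import (
	"errors"
	"fmt"
)

type Role string

const (
	RoleAdmin Role = "admin"
	RoleUser  Role = "user"
)

// Caller is the authenticated principal making the API request.
type Caller struct {
	Name string
	Role Role
}

// APIKey is a constructed stand-in for a cluster API key record.
type APIKey struct {
	ID    string
	Owner string
}

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("not found")
)

// canManage is the check the audit found missing: being logged in is not
// enough, the caller must own the key or hold the admin role.
func canManage(c Caller, owner string) bool {
	return c.Role == RoleAdmin || c.Name == owner
}

// KeyStore is an in-memory table keyed by key ID.
type KeyStore struct{ keys map[string]APIKey }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string]APIKey{}} }

// Create issues a key for owner; a plain user may only create keys for
// themselves, so they cannot mint a key that impersonates someone else.
func (s *KeyStore) Create(c Caller, owner, id string) error {
	if !canManage(c, owner) {
		return ErrForbidden
	}
	if _, exists := s.keys[id]; exists {
		return fmt.Errorf("key %q already exists", id)
	}
	s.keys[id] = APIKey{ID: id, Owner: owner}
	return nil
}

// List returns owner's keys; without the check every user could enumerate
// every other user's keys.
func (s *KeyStore) List(c Caller, owner string) ([]APIKey, error) {
	if !canManage(c, owner) {
		return nil, ErrForbidden
	}
	var out []APIKey
	for _, k := range s.keys {
		if k.Owner == owner {
			out = append(out, k)
		}
	}
	return out, nil
}

// Delete looks the key up first so the ownership check is made against the
// stored owner, not a value chosen by the caller.
func (s *KeyStore) Delete(c Caller, id string) error {
	k, ok := s.keys[id]
	if !ok {
		return ErrNotFound
	}
	if !canManage(c, k.Owner) {
		return ErrForbidden
	}
	delete(s.keys, id)
	return nil
}

func main() {
	s := NewKeyStore()
	alice, bob := Caller{"alice", RoleUser}, Caller{"bob", RoleUser}
	admin := Caller{"root", RoleAdmin}
	fmt.Println(s.Create(alice, "alice", "k1")) // <nil>
	fmt.Println(s.Create(bob, "alice", "k2"))   // forbidden
	fmt.Println(s.Delete(bob, "k1"))            // forbidden
	fmt.Println(s.Delete(admin, "k1"))          // <nil>
}
```

Returning ErrNotFound for a missing ID and ErrForbidden for someone else's ID leaks whether a key ID exists; an API that treats key IDs as sensitive would return the same error in both cases.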
Install Scripts Command Injection (Medium)
The curl | bash scripts used to install tele and tsh are susceptible to command injection: a user can be socially engineered into running attacker-provided commands that appear to come from a trusted source.
2FA Bypass Through HTTP Basic Authentication (Medium)
For locally configured Gravity users with 2FA enabled, API endpoints would authenticate a request given only a username and password, without requiring the second factor. This applies only to users in the local database, not to users authenticated through external identity providers.
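The rule a fix has to enforce is that, for a user with a second factor enrolled, a password alone is never sufficient on any endpoint, whether the credentials arrive through a login form or an HTTP Basic header. The Go program below is an added example for this advisory and not Gravity's authentication code. It assumes a local user table (constructed inline, with a plaintext password compare to keep it short; a real store holds a hash), a hypothetical X-OTP header for the second factor, and RFC 6238 TOTP with HMAC-SHA1 and a 30-second step, so the codes can be checked against the RFC's published vectors:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// localUser is a constructed stand-in for a local user database record.
// A nil totpSecret means no second factor is enrolled.
type localUser struct {
	password   string
	totpSecret []byte
}

// Constructed users. alice's secret is the RFC 6238 reference secret.
var users = map[string]localUser{
	"alice": {password: "correct horse", totpSecret: []byte("12345678901234567890")},
	"bob":   {password: "battery staple"},
}

var (
	ErrUnauthorized         = errors.New("unauthorized")
	ErrSecondFactorRequired = errors.New("second factor required")
)

// totp returns the 6-digit RFC 6238 code (HMAC-SHA1, 30-second step) for a
// secret at the given Unix time.
func totp(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1_000_000)
}

// authenticate verifies the password and, when the user has a second factor
// enrolled, also requires a valid code. The bug being fixed is the absence
// of the second branch: a missing code is a failure, not a fallback.
func authenticate(username, password, otp string, now int64) error {
	u, ok := users[username]
	if !ok || subtle.ConstantTimeCompare([]byte(u.password), []byte(password)) != 1 {
		return ErrUnauthorized
	}
	if u.totpSecret == nil {
		return nil
	}
	if otp == "" {
		return ErrSecondFactorRequired
	}
	for _, skew := range []int64{0, -30, 30} { // tolerate one step of clock drift
		if subtle.ConstantTimeCompare([]byte(totp(u.totpSecret, now+skew)), []byte(otp)) == 1 {
			return nil
		}
	}
	return ErrUnauthorized
}

// nowUnix is a variable so the clock can be pinned to a known vector.
var nowUnix = func() int64 { return time.Now().Unix() }

// apiHandler authenticates an API request with HTTP Basic credentials plus
// the hypothetical X-OTP header.
func apiHandler(w http.ResponseWriter, r *http.Request) {
	user, pass, ok := r.BasicAuth()
	if !ok {
		w.Header().Set("WWW-Authenticate", `Basic realm="api"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	switch err := authenticate(user, pass, r.Header.Get("X-OTP"), nowUnix()); err {
	case nil:
		fmt.Fprintf(w, "hello %s\n", user)
	case ErrSecondFactorRequired:
		http.Error(w, err.Error(), http.StatusUnauthorized)
	default:
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	}
}

// call issues a request to apiHandler and returns the HTTP status code.
func call(user, pass, otp string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/v1/clusters", nil)
	req.SetBasicAuth(user, pass)
	if otp != "" {
		req.Header.Set("X-OTP", otp)
	}
	rec := httptest.NewRecorder()
	apiHandler(rec, req)
	return rec.Code
}

func main() {
	nowUnix = func() int64 { return 59 } // RFC 6238 vector: T=59 -> 287082
	fmt.Println(call("alice", "correct horse", ""))       // 401
	fmt.Println(call("alice", "correct horse", "287082")) // 200
	fmt.Println(call("bob", "battery staple", ""))        // 200, no 2FA enrolled
}
```

A production implementation would additionally remember the last accepted counter per user so a code cannot be replayed within its validity window, and would rate-limit failed attempts.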
Cross-Site Scripting Via Content Sniffing on Internet Explorer (Medium)
Related to the install scripts command injection above: browsers that perform content sniffing, such as Internet Explorer, are susceptible to XSS when directed to URLs within an ops center that allow content injection.
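Both findings come from the same pattern: a request parameter reflected verbatim into a response that is then either piped into a shell or rendered by a sniffing browser. The Go program below is an added example for this advisory and is not the ops center's code; the endpoint, parameter name and script body are this example's own. It assumes an install script endpoint that takes the ops center address as a query parameter, and shows the reflecting handler beside one that validates the value, quotes it as shell data, and declares the response as plain text with X-Content-Type-Options: nosniff so browsers do not guess a different type:

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// hostRE allows a DNS name with an optional port and nothing else; shell
// metacharacters, whitespace and HTML are refused before any rendering.
var hostRE = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?(:[0-9]{1,5})?$`)

// shellQuote makes s a single literal word for POSIX sh: wrap in single
// quotes and replace each embedded single quote with '\''.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// renderInstallScript produces the script body with the ops center address
// validated and quoted, so it can only ever be data inside the script.
func renderInstallScript(host string) (string, error) {
	if !hostRE.MatchString(host) {
		return "", fmt.Errorf("invalid ops center host %q", host)
	}
	return "#!/bin/sh\nset -eu\nOPS=" + shellQuote(host) +
		"\ncurl -fsSL \"https://$OPS/tele\" -o tele\nchmod 0755 tele\n", nil
}

// vulnerableHandler reflects the parameter verbatim and sets no
// X-Content-Type-Options header: a shell fed by curl executes whatever was
// reflected, and a content-sniffing browser may render reflected HTML.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	host := r.URL.Query().Get("host")
	fmt.Fprintf(w, "#!/bin/sh\ncurl -fsSL https://%s/tele -o tele\n", host)
}

// hardenedHandler validates and quotes the value, declares the response as
// plain text, and tells browsers not to sniff a different type.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	script, err := renderInstallScript(r.URL.Query().Get("host"))
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	io.WriteString(w, script)
}

// serve runs a handler against a GET for target and returns the recorded response.
func serve(h http.HandlerFunc, target string) *httptest.ResponseRecorder {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec
}

func main() {
	// Constructed payloads: a command substitution and an HTML fragment,
	// URL-encoded as curl or a browser would send them.
	cmd := "/install.sh?host=ops.example.com%24(id)"
	html := "/install.sh?host=%3Cscript%3Ealert(1)%3C/script%3E"
	fmt.Print("vulnerable, command payload:\n", serve(vulnerableHandler, cmd).Body.String())
	fmt.Println("hardened, command payload:", serve(hardenedHandler, cmd).Code)
	fmt.Println("hardened, html payload:", serve(hardenedHandler, html).Code)
	fmt.Print("hardened, good host:\n", serve(hardenedHandler, "/install.sh?host=ops.example.com").Body.String())
}
```

Validation and quoting are both kept on purpose: the allow-list keeps the value to what the script actually needs, and the quoting means that even a future relaxation of the pattern cannot turn the value back into shell syntax.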
Issues Not Addressed in this Release
Missing Signature Verification in Application Bundles (High)
The audit flagged the absence of cryptographic signatures on generated application bundles and upgrades, and of automatic signature verification by the Gravitational tools that manage them, as falling below current industry standards.
Addressing the lack of cryptographic signatures for application bundles requires significant engineering effort, and an ETA for this work is not currently available. Until it lands, obtain application bundles only from sources you trust and, where possible, check them out of band (for example, by comparing a checksum obtained over a separate trusted channel) before extracting or installing them.
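For readers weighing the gap, the following Go program is an added example of what bundle signing and verification involves; it is an illustration written for this advisory, not a description of anything Gravity implements or plans. It assumes a detached Ed25519 signature over the SHA-256 digest of the bundle (so a large archive is streamed rather than held in memory), a publisher key pair generated inline, and a client that pins the publisher's public key and refuses to extract anything that does not verify:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

var ErrBadSignature = errors.New("bundle signature verification failed")

// bundleDigest streams the bundle through SHA-256; the signature covers the
// resulting 32-byte digest rather than the whole archive.
func bundleDigest(r io.Reader) ([]byte, error) {
	h := sha256.New()
	if _, err := io.Copy(h, r); err != nil {
		return nil, err
	}
	return h.Sum(nil), nil
}

// signBundle is the publisher side: a detached Ed25519 signature over the digest.
func signBundle(priv ed25519.PrivateKey, bundle io.Reader) ([]byte, error) {
	d, err := bundleDigest(bundle)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, d), nil
}

// verifyBundle is the client side and runs before anything in the archive is
// opened. The public key is pinned in the client, not fetched alongside the
// bundle, so a compromised download source cannot substitute its own key.
func verifyBundle(pinned ed25519.PublicKey, bundle io.Reader, sig []byte) error {
	d, err := bundleDigest(bundle)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pinned, d, sig) {
		return ErrBadSignature
	}
	return nil
}

// Publisher is a constructed key pair standing in for a signing key a vendor
// would keep offline; its public half is what the client pins.
type Publisher struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{Pub: pub, priv: priv}, nil
}

func (p *Publisher) Sign(bundle []byte) ([]byte, error) {
	return signBundle(p.priv, bytes.NewReader(bundle))
}

func main() {
	pub, _ := NewPublisher()
	bundle := []byte("constructed stand-in for an application tarball")
	sig, _ := pub.Sign(bundle)
	fmt.Println("genuine:", verifyBundle(pub.Pub, bytes.NewReader(bundle), sig))
	tampered := append([]byte{}, bundle...)
	tampered[0] ^= 1
	fmt.Println("tampered:", verifyBundle(pub.Pub, bytes.NewReader(tampered), sig))
}
```

The part that takes real engineering effort is not the primitive but everything around it: key distribution and rotation, what the client does when a pinned key is revoked, and signing the upgrade metadata as well as the archive so a downgrade cannot be served under a valid old signature.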