fence_ipmilan exposes user password on verbose mode

Solution In Progress - Updated -

Environment

  • Red Hat Enterprise Virtualization Hypervisor (RHEV-H) 7.1
  • Red Hat Enterprise Linux Server 7 (with the High Availability Add Ons)
  • fence-agents-all-4.0.11-11.el7_1.x86_64

Issue

  • When the Power Management verbose mode is enabled from the RHEV-M GUI, the user password is exposed in the /var/log/messages file.
    Power Management verbose mode is enabled by setting verbose=yes in the Option box.
  • When issuing the fence_ipmilan command with the -v option, the user password is also exposed in the /var/log/messages file:

Jul  3 08:29:46  rhevh-5 fence_ipmilan: Executing: /usr/bin/ipmitool -I lan -H rhevh-1 -U root -P PASS -p 623 -L ADMINISTRATOR chassis power status

Resolution

  • This issue has been resolved with the errata RHBA-2015-2384 package(s) fence-agents*-4.0.11-27.el7 or higher for the channel(s) RHEL HPC Node (v.7), RHEL Server (v.7), RHEL Workstation (v.7). The password is no longer included in the debug log.

Workaround:
- For RHEV-H, do not leave the Power Management verbose mode enabled from the RHEV-M GUI. It should only be enabled for troubleshooting purposes and disabled at other times.
- For Red Hat Enterprise Linux Server 7 (with the High Availability Add Ons), disable the verbose attribute on the fencing agent.

Root Cause

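The fence_ipmilan agent invokes the ipmitool command with the password passed on the command line (-P), and in verbose mode the agent logs the full command it executes, which exposes the password. This issue affects the following fencing agents: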

  • fence_ipmilan
  • fence_ilo3
  • fence_ilo4
  • fence_imm
  • fence_idrac

BZ 1241648 has been opened to correct this behaviour.

Diagnostic Steps

Check the /var/log/messages file of the host for the logged ipmitool command line:

Jul  3 08:29:46  rhevh-5 fence_ipmilan: Executing: /usr/bin/ipmitool -I lan -H rhevh-1 -U root -P PASS -p 623 -L ADMINISTRATOR chassis power status

This information is also propagated to the vdsm.log file; however, the vdsm API.py does not expose the password information (note the masked passwd field in the last entry below).

Thread-1461269::DEBUG::2015-07-03 08:29:49,391::utils::739::root::(execCmd) /usr/sbin/fence_ipmilan (cwd None)

Thread-1461269::DEBUG::2015-07-03 08:29:49,456::utils::759::root::(execCmd) FAILED: <err> = 'Executing: /usr/bin/ipmitool -I lanplus -H rhevh-1 -U ilopower -P PASS -p 623 -L USER chassis power status\n\n1  Error in open session response message : insufficient resources for session\n\nError: Unable to establish IPMI v2 / RMCP+ session\nUnable to get Chassis Power Status\n\n\nFailed: Unable to obtain correct plug status or plug is not available\n\n\n'; <rc> = 1

Thread-1461269::DEBUG::2015-07-03 08:29:49,456::API::1164::vds::(fence) rc 1 inp agent=fence_ipmilan
ipaddr=rhevh-1
login=ilopower
action=status
passwd=XXXX  <<========
privlvl=user
power_wait=4
verbose=yes
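
To check whether a host's logs already contain the password in the form shown above, the following added example (not part of the original article or of the fence-agents package) counts the affected lines and prints them with the -P value masked. The function names and the sample log are constructed for illustration, and the script assumes the logged password contains no whitespace.

```bash
#!/bin/bash
# Added example: find and mask ipmitool passwords logged by fence agents in verbose mode.
# Assumption: the logged password contains no whitespace, as in the article's excerpts.

# Matches the "Executing: .../ipmitool ... -P <password>" form shown in the article.
# grep is case-sensitive here, so the lowercase "-p 623" (port) is not matched.
PATTERN='Executing: [^ ]*ipmitool .* -P [^ ]+'

# Constructed sample input: lines 1 and 3 are modelled on the article's
# /var/log/messages and vdsm.log excerpts, line 2 is an unrelated syslog entry.
sample_log() {
cat <<'EOF'
Jul  3 08:29:46  rhevh-5 fence_ipmilan: Executing: /usr/bin/ipmitool -I lan -H rhevh-1 -U root -P PASS -p 623 -L ADMINISTRATOR chassis power status
Jul  3 08:29:47  rhevh-5 systemd: Started Session 12 of user root.
Thread-1461269::DEBUG::2015-07-03 08:29:49,456::utils::759::root::(execCmd) FAILED: <err> = 'Executing: /usr/bin/ipmitool -I lanplus -H rhevh-1 -U ilopower -P PASS -p 623 -L USER chassis power status\n\n'; <rc> = 1
EOF
}

# Count log lines that carry a password. Reads file $1, or stdin if omitted.
count_exposed() {
    grep -cE "$PATTERN" "${1:--}" || true
}

# Print only the affected lines with the -P value masked, so the report is safe to share.
exposed_lines() {
    grep -E "$PATTERN" "${1:--}" | sed -E 's/( -P )[^ ]+/\1[REDACTED]/'
}

# Emit the whole log from stdin with every logged ipmitool password masked.
redact_stream() {
    sed -E '/Executing: [^ ]*ipmitool /s/( -P )[^ ]+/\1[REDACTED]/'
}

# Demo on the constructed sample.
sample_log | exposed_lines
```

Run exposed_lines /var/log/messages on a host to list the entries written while verbose mode was enabled.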
