fence_ipmilan exposes user password on verbose mode
Environment
- Red Hat Enterprise Virtualization Hypervisor (RHEV-H) 7.1
- Red Hat Enterprise Linux Server 7 (with the High Availability Add Ons)
- fence-agents-all-4.0.11-11.el7_1.x86_64
Issue
- When the Power Management verbose mode is enabled from the RHEV-M GUI, the user password is exposed in the /var/log/messages file. Power Management verbose mode is enabled by setting verbose=yes in the Option box.
- When issuing the fence_ipmilan command with the -v option, the user password is also exposed in the /var/log/messages file.
Jul 3 08:29:46 rhevh-5 fence_ipmilan: Executing: /usr/bin/ipmitool -I lan -H rhevh-1 -U root -P PASS -p 623 -L ADMINISTRATOR chassis power status
Resolution
- This issue has been resolved with the errata RHBA-2015-2384 package(s) fence-agents*-4.0.11-27.el7 or higher for the channel(s) RHEL HPC Node (v.7), RHEL Server (v.7), RHEL Workstation (v.7). The password is no longer included in the debug log.
Workaround:
- For RHEV-H, do not leave the Power Management verbose mode enabled from the RHEV-M GUI. It should only be enabled for troubleshooting purposes and disabled at other times.
- For Red Hat Enterprise Linux Server 7 (with the High Availability Add Ons), disable the verbose attribute on the fencing agent.
Root Cause
The fence_ipmilan agent invokes the ipmitool command, which exposes the information. This issue affects the following fencing agents:
- fence_ipmilan
- fence_ilo3
- fence_ilo4
- fence_imm
- fence_idrac
BZ 1241648 has been opened to correct this behaviour.
Diagnostic Steps
From the /var/log/messages file of the host:
Jul 3 08:29:46 rhevh-5 fence_ipmilan: Executing: /usr/bin/ipmitool -I lan -H rhevh-1 -U root -P PASS -p 623 -L ADMINISTRATOR chassis power status
This information is also propagated to the vdsm.log file; however, vdsm API.py doesn't expose the password information.
Thread-1461269::DEBUG::2015-07-03 08:29:49,391::utils::739::root::(execCmd) /usr/sbin/fence_ipmilan (cwd None)
Thread-1461269::DEBUG::2015-07-03 08:29:49,456::utils::759::root::(execCmd) FAILED: <err> = 'Executing: /usr/bin/ipmitool -I lanplus -H rhevh-1 -U ilopower -P PASS -p 623 -L USER chassis power status\n\n1 Error in open session response message : insufficient resources for session\n\nError: Unable to establish IPMI v2 / RMCP+ session\nUnable to get Chassis Power Status\n\n\nFailed: Unable to obtain correct plug status or plug is not available\n\n\n'; <rc> = 1
Thread-1461269::DEBUG::2015-07-03 08:29:49,456::API::1164::vds::(fence) rc 1 inp agent=fence_ipmilan
ipaddr=rhevh-1
login=ilopower
action=status
passwd=XXXX <<========
privlvl=user
power_wait=4
verbose=yes
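The check above can be scripted to find lines already written to existing logs. This is an added example, not part of the original article or of the fence-agents package. The function names and the sample log are constructed here, and it assumes the password is a single whitespace-delimited token after -P.

```bash
#!/usr/bin/env bash
# Added example: locate and mask ipmitool passwords logged by fence agents.
# Assumption: the password is a single whitespace-delimited token after -P.

# Constructed sample modelled on the excerpts in this article
# (PASS is the article's placeholder; the systemd line is made up).
SAMPLE_LOG=$(cat <<'EOF'
Jul 3 08:29:46 rhevh-5 fence_ipmilan: Executing: /usr/bin/ipmitool -I lan -H rhevh-1 -U root -P PASS -p 623 -L ADMINISTRATOR chassis power status
Jul 3 08:29:47 rhevh-5 systemd: Started Session 12 of user root.
Thread-1461269::DEBUG::2015-07-03 08:29:49,456::utils::759::root::(execCmd) FAILED: <err> = 'Executing: /usr/bin/ipmitool -I lanplus -H rhevh-1 -U ilopower -P PASS -p 623 -L USER chassis power status\n'; <rc> = 1
EOF
)

# ERE for an "Executing:" line that runs ipmitool with -P <password>.
# Matching is case-sensitive, so -p (port) is never confused with -P.
PATTERN='Executing: [^ ]*ipmitool .* -P [^ ]+'

# Mask the -P value on ipmitool lines; every other line passes through.
redact() {
  sed -E '/Executing: [^ ]*ipmitool /s/( -P )[^ ]+/\1[REDACTED]/g'
}

# Print the number of affected lines read from stdin (0 when clean).
count_exposed() {
  grep -Ec -- "$PATTERN" || true
}

# Print affected lines with line numbers, already masked so that the
# report does not leak the password a second time.
report_exposed() {
  grep -En -- "$PATTERN" | redact
}

# Usage: pass log files as arguments; with none, the sample is scanned.
if [ "$#" -gt 0 ]; then
  for f in "$@"; do
    printf '%s: %s line(s)\n' "$f" "$(count_exposed < "$f")"
    report_exposed < "$f"
  done
else
  printf '%s\n' "$SAMPLE_LOG" | report_exposed
fi
```
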