Five bad practices: use of default hard-coded passwords, MD5, binding to 0.0.0.0, keeping default user as admin, and use of empty passwords

[akondasif]

Greetings,

I am a security researcher, who is looking for security smells in Puppet scripts. I noticed instances of hard-coded passwords, which are against the best practices recommended by Common Weakness Enumeration (CWE) [https://cwe.mitre.org/data/definitions/259.html] and also by other security practitioners. I suggest use of undef to mitigate this smell. Feedback is welcome.

Pull request: https://github.com/fuel-infra/puppet-manifests/pull/1

Source code reff: https://github.com/fuel-infra/puppet-manifests/blob/master/modules/lodgeit/manifests/web.pp

[akondasif]

I also noticed instances of MD5 usages in one of the Puppet scripts. MD5 is vulnerable to attacks, and should be avoided. The Common Weakness Enumeration organization recommends against usage of weak cryptographic algorithms such as MD5. Reff: https://cwe.mitre.org/data/definitions/327.html.

I suggest the use of SHA512 , which is more secure.

Any feedback is appreciated.

Source: https://github.com/fuel-infra/puppet-manifests/blob/master/modules/fuel_stats/manifests/db.pp

[akondasif]

I also noticed instances of binding to 0.0.0.0. Binding an address to 0.0.0.0 indicates allowing connections from all IP addresses. I would like to draw attention to these instances. Binding to 0.0.0.0 may lead to denial of service attacks. Practitioners have reported how binding to 0.0.0.0 facilitated security issues for MySQL (https://serversforhackers.com/c/mysql-network-security), Memcached (https://news.ycombinator.com/item?id=16493480), and Kibana (https://www.elastic.co/guide/en/kibana/5.0/breaking-changes-5.0.html).

I suggest to use a dedicated IP address other than 0.0.0.0.

Source: https://github.com/fuel-infra/puppet-manifests/blob/master/modules/fuel_stats/manifests/db.pp

[akondasif]

Along with the three security smells, I noticed instances of keeping admin users as default in Puppet classes. I think this is a smell related to security. The smell can violate the ‘principle of least privilege (https://en.wikipedia.org/wiki/Principle_of_least_privilege)’ property, which recommends practitioners to design and implement system in a manner so that by default the least amount of access necessary is provided to any entity.

Would you agree with my finding?

Source: https://github.com/fuel-infra/puppet-manifests/blob/master/modules/fuel_project/manifests/mongodb.pp

[akondasif]

I also noticed instances of empty passwords. Empty passwords increase the guessability of passwords. The Common Weakness Organization (CWE) identifies use of empty passwords as a security weakness (https://cwe.mitre.org/data/definitions/258.html).

I suggest that to follow the strong password guidelines, and manage passwords with hiera.

Source: https://github.com/fuel-infra/puppet-manifests/blob/master/modules/jeepyb/manifests/openstackwatch.pp

[akondasif]

Corresponding pull request: https://github.com/fuel-infra/puppet-manifests/pull/1