opencomputeproject / HWMgmt-DeviceMgr-DeviceManager

Device Manager collects device data and notifications from each device, and makes the data available on a predetermined output bus for consumers.
Apache License 2.0

Hard coded certificate copied into container by Dockerfile could lead to decryption of data by unauthorized network adversary #29

Closed huornlmj closed 1 year ago

huornlmj commented 1 year ago

https://github.com/opencomputeproject/HWMgmt-DeviceMgr-DeviceManager/blob/b68d37cccc7503cef47b0940ad8bcf72f155b69b/device_key/https-server.key#L4

Hi. There is a hard coded private key here that is copied into the running container in the Dockerfile https://github.com/opencomputeproject/HWMgmt-DeviceMgr-DeviceManager/blob/main/docker/Dockerfile#L27. If this container is used as-is then a network adversary can sniff the traffic and decrypt the data wherever this is deployed, as the private key is available to anyone who has access to the repo.

This is CWE-321: Use of Hard-coded Cryptographic Key.
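One way a CI step can catch this class of defect before an image ships: parse the Dockerfile's COPY/ADD instructions and flag any source in the build context that holds a PEM private key. This is an added example written for this issue, not tooling from the HWMgmt-DeviceMgr-DeviceManager project; the build context and key material in `demo()` are constructed to mirror the report and are not real keys.

```python
import re
import tempfile
from pathlib import Path

# Opening line of any PEM private key block (RSA, EC, PKCS#8 "PRIVATE KEY", ...).
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
# COPY/ADD in shell form: optional --flags, then one or more sources, then a destination.
COPY_RE = re.compile(r"^\s*(?:COPY|ADD)\s+((?:--\S+\s+)*)(\S.*?)\s*$", re.IGNORECASE)


def contains_private_key(path: Path) -> bool:
    """True if path is a file (or a directory containing a file) with a PEM private key."""
    files = [path] if path.is_file() else [p for p in path.rglob("*") if p.is_file()]
    return any(PRIVATE_KEY_RE.search(f.read_text(errors="ignore")) for f in files)


def find_copied_keys(dockerfile: Path, context: Path) -> list:
    """Return (line number, source) for COPY/ADD sources that embed a private key.

    Only the shell form is parsed. --from= copies pull from another image, not the
    build context, so they are skipped.
    """
    findings = []
    for lineno, line in enumerate(dockerfile.read_text().splitlines(), 1):
        m = COPY_RE.match(line)
        if not m or "--from=" in m.group(1).lower():
            continue
        tokens = m.group(2).split()
        for src in tokens[:-1]:                      # last token is the destination
            rel = src[2:] if src.startswith("./") else src
            if any(contains_private_key(p) for p in context.glob(rel)):
                findings.append((lineno, src))
    return findings


def demo() -> list:
    """Constructed build context mirroring the report: a key file copied into the image."""
    with tempfile.TemporaryDirectory() as tmp:
        ctx = Path(tmp)
        (ctx / "device_key").mkdir()
        (ctx / "device_key" / "https-server.key").write_text(
            "-----BEGIN RSA PRIVATE KEY-----\nMIIE(constructed placeholder, not a key)\n"
            "-----END RSA PRIVATE KEY-----\n")
        (ctx / "device_key" / "https-server.crt").write_text("-----BEGIN CERTIFICATE-----\n")
        (ctx / "Dockerfile").write_text(
            "FROM alpine:3\n"
            "COPY ./device_key/https-server.crt /etc/ssl/https-server.crt\n"
            "COPY ./device_key/https-server.key /etc/ssl/https-server.key\n"
            "COPY --from=builder /app/bin /app/bin\n")
        return find_copied_keys(ctx / "Dockerfile", ctx)


if __name__ == "__main__":
    print(demo())   # -> [(3, './device_key/https-server.key')]
```

Run it against a real build context with `find_copied_keys(Path("docker/Dockerfile"), Path("."))`; a non-empty result should fail the build, and the fix is to mount or inject the key at deploy time rather than baking it into the image.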

jcleung5549 commented 1 year ago

The intent of the docker files is to more easily deploy the entire virtual topology (Device Manager, SW Agents, etc.) to show how the entire architecture works. In an actual datacenter, it is expected that the DC will have its own deployment process.

MaciejMis commented 1 year ago

This was fixed with #52