CVE-2024-RKN0002¶
Security (Machine Token Privileges Too Broad)
Summary¶
Digital Rebar Machine Tokens contain too many privileges that can be used to escalate into accessing passwords and/or admin level activities. Normally, the machine token is stored in a restricted area on the machine. If this is compromised or generated incorrectly, the token can be used inappropriately.
Technical Details¶
Prior to v4.14, the system generated a Machine token for each machine and a Create token. The Create token enabled the creation of a machine and then the machine token allowed for the processing of jobs. These tokens have more capability than they strictly need. Through various processes, these tokens and open filesystem access of an installed system, could eventually grant access to passwords and adminsitrative actions.
To fix this, a new type of token is introduced, the Job token. This is only available when a machine has a task to run. The token is only sent on a specific API call and the token is a short duration token. This token is not stored and is in memory only for the task execution.
The other two token types, create and machine, are restricted to creating empty machines and asking for jobs, respectively. This prevents machines from being created or updated into giving credentials.
While these tokens should be managed and not shared, they are less effective if lost.
Additional recommendations to reduce security surface areas are described below.
Recommendations¶
Upgrade to the latest v4.14 or beyond. Upon upgrade, the system will generate Machine tokens and Create tokens that have much more limited scope. Newly provisioned machines or processes retrieving the Create token will use the restricted tokens.
Once the upgrade is complete, where possile, have the machines run the rotate_token workflow. This will rotate the
token into a more restricted token. This only needs to be run once per machine.
Additionally, ensure that the machines are in workorder mode or have a minimal workflow, universal-complete, as the last workflow once
operations are complete.
Additionally, network separation and firewall rules when possible to restrict access to the provisioning ports, default tcp/8090 and tcp/8091.
See Security Guide for more recommendations and token information. See Machine Token Update for more release details.
Affected Versions¶
| Affected Versions | Fixed Version |
|---|---|
| All prior to v4.14 | v4.14 |