On June 14th, Progress Software announced the release of Chef Infra Server 15.7. The release includes additional platform support and resolves several OpenJDK CVEs by bundling a new release of OpenJDK. However, a minor yet significant detail might have been overlooked – the resolution of CVE-2023-28864.
At the time of the announcement, an embargo had kept the CVE details hidden on the MITRE CVE page. Now that the embargo has been lifted, we disclose that CVE-2023-28864 is a CVE within Chef Infra Server 12.0-15.6. It has potential to expose sensitive Chef Infra node data to an unprivileged local user.
Understanding the impact
Chef Infra Server, as a configuration management tool, lies at the heart of your infrastructure. It indexes data across all systems under management. This indexed data can be as harmless as CPU counts or as sensitive as usernames and passwords stored within node attributes.
All node data collected by Chef Infra’s Ohai asset inventory system or set as node attributes are returned to the Chef Infra Server for indexing. The data is then stored in either an embedded Opensearch/Elasticsearch (depending on the release) database or externally in cloud provider equivalents.
Database credentials are stored in a secured configuration file. However, flaws exist in how this configuration file is handled. When an administrator configures Chef Infra Server, they must run the chef-server-ctl reconfigure command to apply these settings. As part of the execution of this command, any changed configuration files, including the one containing the OpenSearch/Elasticsearch credentials, are backed up into a world-readable backup directory.
A non-privileged local user could read these credentials from the backup directory. With the credentials, they could extract and decode node data from the OpenSearch/Elasticsearch database. This could potentially expose sensitive infrastructure configuration data to attackers, including the credentials for additional internal and external systems.
Steps for remediation
Chef Infra Server 15.7 improved the security of the backup directory to prevent non-privileged users from reading sensitive configuration data. The best possible remediation step is to immediately upgrade to Chef Infra Server 15.7 or later. This will not only resolve CVE-2023-28864, but also ensure that you are protected against other CVEs in bundled 3rd party components. See Chef Infra Server release announcements for more details on these CVEs.
If upgrading your Chef Infra Server is not feasible due to licensing or downtime concerns, you can still protect your system against local attacks by manually securing the backups directory:
bash chmod 600 /var/opt/opscode/local-mode-cache/backupDetect if you are vulnerable with cnspec
Determining when systems have been manually remediated and when the correct patch releases have been applied can be challenging. We’ve developed Mondoo security policies for Chef Infra Server and Chef Infra Client to assist with this. These policies allow continuous and agentless evaluation of your Chef Infra Server and Client installations’ security, helping to keep your infrastructure secure.
Locally evaluate Chef Infra Server against CVE-2023-28864:
bash -c "$(curl -sSL https://install.mondoo.com/sh)"
curl https://raw.githubusercontent.com/mondoohq/cnspec-policies/main/community/chef-infra-server.mql.yaml --output chef-infra-server.mql.yaml
sudo cnspec scan local --policy-bundle chef-infra-server.mql.yaml --share
Don’t want to install agents on your server? You can remotely evaluate Chef Infra Server using cnspec from your local workstation:
bash -c "$(curl -sSL https://install.mondoo.com/sh)"
curl https://raw.githubusercontent.com/mondoohq/cnspec-policies/main/community/chef-infra-server.mql.yaml --output chef-infra-server.mql.yaml
cnspec scan ssh USER@IP_OR_FQDN_OF_CHEF_SERVER -i SSH_PEM_FILE.pem --sudo --policy-bundle chef-infra-server.mql.yaml --share
Secure Your Digital Infrastructure Today
Don't leave your systems exposed to threats like CVE-2023-28864. With our open-source solution, cnspec, you can effectively detect and address these vulnerabilities.
Head to our GitHub page to download cnspec and run the Chef Infra Client and Chef Infra Server policies today.
