
Security Concern: Missing Server Certificate Verification with X509 Certificates in Chaos Monkey #98

Open
nyxfqq opened this issue Jun 27, 2024 · 0 comments

Comments

@nyxfqq

nyxfqq commented Jun 27, 2024

Issue Description:

I've identified a security vulnerability within the Chaos Monkey project when utilizing X509 certificates for TLS connections. Specifically, the issue revolves around the lack of server certificate verification when establishing secure communication, potentially leaving the system susceptible to MITM (Man-In-The-Middle) attacks.

The problematic code resides in the getClientX509 function at github.com/Netflix/chaosmonkey/spinnaker/spinnaker.go:91. This function is designed to load X509 certificate and private key data to configure an http.Client for mutual TLS authentication. However, it inadvertently disables server certificate verification by setting InsecureSkipVerify: true within the tls.Config. Consequently, while the client is authenticated to the server, no reciprocal validation of the server’s identity occurs, violating a fundamental principle of secure communication.

Notably, this flaw is absent when using P12 certificates, where both ends of the connection seem to be appropriately verified.

Implications:

The current implementation can lead to severe security implications, particularly when executing sensitive operations like scheduling commands. The absence of server certificate validation means that the client may unknowingly communicate with rogue servers, exposing sensitive data and control flows to unauthorized parties.

Steps to Reproduce:

  1. Configure Chaos Monkey to utilize X509 certificates for Spinnaker interactions.
  2. Observe the initialization flow in github.com/Netflix/chaosmonkey/command/chaosmonkey.go, noting the execution path from loading configuration at line 208 to invoking spinnaker.NewFromConfig at line 224.
  3. Trace the logic into getClientX509, witnessing the insecure TLS configuration.

Proposed Solution:

  • Rectify the tls.Config in getClientX509 by removing InsecureSkipVerify: true to enforce server certificate verification as a default behavior.
  • Optionally, introduce a configurable flag to toggle certificate verification for scenarios requiring relaxed security measures, with a strong recommendation against its use in production environments.

Given the severity of the security risk involved, addressing this issue swiftly is imperative to uphold the robustness and trustworthiness of the Chaos Monkey tool and its deployments.
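The following is an added demonstration, not code from the Chaos Monkey project or from the issue author. It shows why a client certificate alone does not protect the connection: an `http.Client` that presents a certificate for mutual TLS but sets `InsecureSkipVerify: true` accepts any server, while the same client with verification left on refuses a server whose issuer it does not trust and succeeds once the genuine server certificate is in `RootCAs`. `clientTLSConfig` is a hypothetical stand-in for a `getClientX509`-style loader (the real function's signature is not on the page), the client certificate is generated in memory as constructed test material, and the server is Go's `httptest` TLS server configured to require and verify client certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// newSelfSignedCert builds a throwaway client certificate (constructed demo material).
func newSelfSignedCert(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// clientTLSConfig is a hypothetical stand-in for a getClientX509-style loader: the client cert
// is presented for mutual TLS and server verification stays on unless skipVerify is set.
func clientTLSConfig(clientCert tls.Certificate, roots *x509.CertPool, skipVerify bool) *tls.Config {
	return &tls.Config{
		Certificates:       []tls.Certificate{clientCert},
		RootCAs:            roots,
		InsecureSkipVerify: skipVerify, // true reproduces the weakness described in the issue
		MinVersion:         tls.VersionTLS12,
	}
}

// fetch performs one GET; an error means the handshake (or request) was refused.
func fetch(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

type Outcome struct {
	InsecureConnects  bool // InsecureSkipVerify: true -> server with unknown issuer accepted
	UntrustedRejected bool // verification on, issuer not in RootCAs -> handshake refused
	TrustedConnects   bool // verification on, server certificate pinned -> request succeeds
}

// runDemo runs three client configurations against one mTLS test server with a self-signed cert.
func runDemo() (Outcome, error) {
	clientCert, err := newSelfSignedCert("demo-client")
	if err != nil {
		return Outcome{}, err
	}
	clientCAs := x509.NewCertPool() // the server requires and verifies the client cert
	clientCAs.AddCert(clientCert.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
	srv.StartTLS()
	defer srv.Close()
	var out Outcome
	untrusted := x509.NewCertPool() // empty pool: the server's issuer is unknown to the client
	_, err = fetch(srv.URL, clientTLSConfig(clientCert, untrusted, true))
	out.InsecureConnects = err == nil
	_, err = fetch(srv.URL, clientTLSConfig(clientCert, untrusted, false))
	out.UntrustedRejected = err != nil
	trusted := x509.NewCertPool()
	trusted.AddCert(srv.Certificate()) // pin the genuine server certificate
	body, err := fetch(srv.URL, clientTLSConfig(clientCert, trusted, false))
	out.TrustedConnects = err == nil && body == "hello demo-client"
	return out, nil
}

func main() { fmt.Println(runDemo()) }
```

The server greets the client by the common name of its verified certificate on all three paths, so mutual authentication is equally "working" in each case; only the client's view of the server differs. That is the point of the report: an `InsecureSkipVerify: true` client cannot tell the genuine Spinnaker endpoint from an interposed one, whereas the default-on verification rejects the unknown issuer outright, and the operator opts in to trust by supplying the right roots rather than by turning verification off.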
