
Chef Infra Server CVE-2023-28864 Impact and Remediation

On June 14th, Progress Software announced the release of Chef Infra Server 15.7. The release includes additional platform support and resolves several OpenJDK CVEs by bundling a new release of OpenJDK. However, a minor yet significant detail might have been overlooked – the resolution of CVE-2023-28864.

At the time of the announcement, an embargo kept the CVE details hidden on the MITRE CVE page. Now that the embargo has been lifted, we can disclose that CVE-2023-28864 affects Chef Infra Server 12.0 through 15.6. It has the potential to expose sensitive Chef Infra node data to an unprivileged local user.

Understanding the impact

Chef Infra Server, as a configuration management tool, lies at the heart of your infrastructure. It indexes data across all systems under management. This indexed data can be as harmless as CPU counts or as sensitive as usernames and passwords stored within node attributes.

All node data collected by Chef Infra’s Ohai asset inventory system or set as node attributes is returned to the Chef Infra Server for indexing. The data is then stored either in an embedded OpenSearch/Elasticsearch database (depending on the release) or externally in cloud provider equivalents.

Database credentials are stored in a secured configuration file. However, flaws exist in how this configuration file is handled. When an administrator configures Chef Infra Server, they must run the chef-server-ctl reconfigure command to apply these settings. As part of the execution of this command, any changed configuration files, including the one containing the OpenSearch/Elasticsearch credentials, are backed up into a world-readable backup directory.

A non-privileged local user could read these credentials from the backup directory. With the credentials, they could extract and decode node data from the OpenSearch/Elasticsearch database. This could potentially expose sensitive infrastructure configuration data to attackers, including the credentials for additional internal and external systems.

Steps for remediation

Chef Infra Server 15.7 improved the security of the backup directory to prevent non-privileged users from reading sensitive configuration data. The best possible remediation step is to immediately upgrade to Chef Infra Server 15.7 or later. This will not only resolve CVE-2023-28864, but also ensure that you are protected against other CVEs in bundled third-party components. See the Chef Infra Server release announcements for more details on these CVEs.

If upgrading your Chef Infra Server is not feasible due to licensing or downtime concerns, you can still protect your system against local attacks by manually securing the backups directory:

chmod 600 /var/opt/opscode/local-mode-cache/backup
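
A check for the condition described above, as an added example that is not part of the original post or of Chef or Mondoo tooling: it reports whether the backup directory is reachable by users other than its owner and lists the backed-up files any local user could read. The function names and exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the directory where `chef-server-ctl reconfigure`
# keeps backups of changed configuration files.
# Exit status (assumed convention): 0 = no access for "other",
# 1 = exposed to other local users, 2 = directory not found.

# True when the path itself grants any permission bit to "other".
other_has_access() {
    [ -n "$(find "$1" -prune \( -perm -001 -o -perm -002 -o -perm -004 \) 2>/dev/null)" ]
}

audit_backup_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "SKIP: $dir not found"
        return 2
    fi
    if ! other_has_access "$dir"; then
        echo "OK: $dir grants no access to other users"
        return 0
    fi
    echo "EXPOSED: $dir is accessible to any local user:"
    ls -ld "$dir"
    # Backed-up files that any local account can read through this directory.
    find "$dir" -type f -perm -004 2>/dev/null | sed 's/^/  world-readable: /'
    return 1
}
```

Call `audit_backup_dir /var/opt/opscode/local-mode-cache/backup` as root before and after applying the chmod to confirm the change took effect.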


Detect if you are vulnerable with cnspec

Determining when systems have been manually remediated and when the correct patch releases have been applied can be challenging. We’ve developed Mondoo security policies for Chef Infra Server and Chef Infra Client to assist with this. These policies allow continuous and agentless evaluation of your Chef Infra Server and Client installations’ security, helping to keep your infrastructure secure.

Locally evaluate Chef Infra Server against CVE-2023-28864:

bash -c "$(curl -sSL https://install.mondoo.com/sh)"
curl https://raw.githubusercontent.com/mondoohq/cnspec-policies/main/community/chef-infra-server.mql.yaml --output chef-infra-server.mql.yaml
sudo cnspec scan local --policy-bundle chef-infra-server.mql.yaml --share

Don’t want to install agents on your server? You can remotely evaluate Chef Infra Server using cnspec from your local workstation.


Secure Your Digital Infrastructure Today

Don't leave your systems exposed to threats like CVE-2023-28864. With our open-source solution, cnspec, you can effectively detect and address these vulnerabilities.

Head to our GitHub page to download cnspec and run the Chef Infra Client and Chef Infra Server policies today.

Tim Smith

Tim Smith is a Product Manager at Mondoo. He’s been working in web operations and software development roles since 2007 and port scanning class As since 1994. He downloaded his first Linux distro on a 14.4 modem. Tim most recently held positions at Limelight Networks, Cozy Co, and Chef Software.
