Active Directory admin password is stored in the config database
Reported by: m000
Owned by:
Keywords: active directory, security
Cc: mwallend@…
After joining an Active Directory (AD) domain, the admin password entered in the web GUI form is stored in the config database (/data/freenas-v1.db) in plaintext:

    [root@zbox0] ~# /usr/local/bin/sqlite3 /data/freenas-v1.db
    SQLite version 220.127.116.11 2011-06-28 17:39:05
    Enter ".help" for instructions
    Enter SQL statements terminated with a ";"
    sqlite> select ad_domainname, ad_adminpw from services_activedirectory;
    domain.com|DOMAIN_ADMIN_PASSWORD
    sqlite>
This could lead to a major security incident: an attacker who compromises the local root account of FreeNAS also gains admin access to the AD by reading the stored password.
Additionally, in deployments where AD is centrally and FreeNAS locally administered, it means that in order to enable AD authentication on FreeNAS the AD administrator will have to yield the AD admin password to all FreeNAS administrators. This would be simply unacceptable in most cases.
This problem can be fixed by serializing and storing the host credential files (secrets.tdb et al) in the database. This way the AD administrator password won't have to be stored.
Note: The serialization (base64 encoding) and storing of files in the database has already been implemented for sshd, to make the /etc/ssh/ssh_host_* files persistent. It can be found in /etc/rc.d/sshd.
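To illustrate the proposed fix, here is an added example (not FreeNAS code): it base64-serializes a host credential file into a sqlite table, restores it with owner-only permissions, and audits whether services_activedirectory still holds a non-empty ad_adminpw. The table name and file path are assumptions; the sample file content is constructed.

```python
import base64
import os
import sqlite3
import tempfile

# Assumptions for illustration only; not the names FreeNAS actually uses.
HOST_CRED_TABLE = "services_ad_hostcreds"
SAMPLE_SECRETS = b"\x00TDB\x01constructed-secrets.tdb-bytes"   # constructed sample

def open_config_db(path=":memory:"):
    """Open the config DB and ensure the host-credential table exists."""
    db = sqlite3.connect(path)
    db.execute(f"CREATE TABLE IF NOT EXISTS {HOST_CRED_TABLE} "
               "(name TEXT PRIMARY KEY, content TEXT NOT NULL)")
    return db

def make_sample_secrets_file():
    """Write a constructed stand-in for secrets.tdb and return its path."""
    fd, path = tempfile.mkstemp(suffix=".tdb")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_SECRETS)
    return path

def stash_file(db, path):
    """Serialize one credential file into the DB as base64 (sshd rc-script style)."""
    with open(path, "rb") as fh:
        encoded = base64.b64encode(fh.read()).decode("ascii")
    db.execute(f"INSERT OR REPLACE INTO {HOST_CRED_TABLE} VALUES (?, ?)",
               (path, encoded))
    db.commit()
    return encoded

def restore_file(db, path, dest=None):
    """Write the stored file back to disk with mode 0600; None if not stored."""
    row = db.execute(f"SELECT content FROM {HOST_CRED_TABLE} WHERE name = ?",
                     (path,)).fetchone()
    if row is None:
        return None
    data = base64.b64decode(row[0])
    fd = os.open(dest or path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return data

def plaintext_ad_password_present(db):
    """Audit check: does services_activedirectory still hold a non-empty ad_adminpw?"""
    try:
        rows = db.execute("SELECT ad_adminpw FROM services_activedirectory").fetchall()
    except sqlite3.OperationalError:   # table absent on a box not joined to AD
        return False
    return any(pw for (pw,) in rows)
```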