Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
z
zwass
01/31/2020, 12:40 AMWe could suggest providing a cert in the osquery configuration as a workaround. This would prevent the MITM attack that is possible due to the bug.
s
seph
01/31/2020, 2:14 AMI’m not sure what you mean?
z
zwass
01/31/2020, 2:16 AMAs of now, if a cert is not specified, an attacker can use any cert that is trusted by the system root. The cert doesn't have to match the domain the agent is trying to connect to.
s
seph
01/31/2020, 2:17 AMRight. I’m not sure what you mean by providing a cert.
oh you’re suggesting people ship the cert and set the commandline/config to use it as a mitigation.
z
zwass
01/31/2020, 2:18 AMCorrect
s
seph
01/31/2020, 2:18 AM--tls_server_certsj
Jams
01/31/2020, 4:46 PMWhat mitigation do you recommend for osquery agents communicating with an AWS endpoint and managed certs by Amazon?
z
zwass
01/31/2020, 4:47 PMCan you download the cert chain and provide it to
--tls_server_certsj
Jams
01/31/2020, 4:52 PMI’ll take a look.