#core
zwass
01/31/2020, 12:40 AM
We could suggest providing a cert in the osquery configuration as a workaround. This would prevent the MITM attack that is possible due to the bug.
seph
01/31/2020, 2:14 AM
I’m not sure what you mean?
zwass
01/31/2020, 2:16 AM
As of now, if a cert is not specified, an attacker can use any cert that is trusted by the system root. The cert doesn't have to match the domain the agent is trying to connect to.
seph
01/31/2020, 2:17 AM
Right. I’m not sure what you mean by providing a cert.
2:17 AM
Oh, you’re suggesting people ship the cert and set the command line/config to use it as a mitigation.
zwass
01/31/2020, 2:18 AM
Correct
seph
01/31/2020, 2:18 AM
--tls_server_certs does seem like a reasonable mitigation.
Jams
01/31/2020, 4:46 PM
What mitigation do you recommend for osquery agents communicating with an AWS endpoint and certs managed by Amazon?
zwass
01/31/2020, 4:47 PM
Can you download the cert chain and provide it to --tls_server_certs?
Jams
01/31/2020, 4:52 PM
I’ll take a look.