#security (2023-11)

Archive: https://archive.sweetops.com/security/

2023-11-16

Alanis Swanepoel avatar
Alanis Swanepoel
Fortinet warns of critical command injection bug in FortiSIEMattachment image

Fortinet is alerting customers of a critical OS command injection vulnerability in FortiSIEM report server that could be exploited by remote, unauthenticated attackers to execute commands through specially crafted API requests.

Sean avatar

This would be great to have in SOPS. Makes the secret story much better to be able to encrypt for a recipient, without having access to their KMS.

This is a pattern we follow, so can’t adopt SOPS yet, to encrypt offline without touching the environment. It also allows developers, who do not have privileged access to production environments to pass us secrets for target systems.

https://github.com/getsops/sops/issues/684

#684 AWS KMS asymmetric key support

I’d like to be able to allow anyone to encrypt secrets to me; but only allow decryption through sops/KMS.
AWS support this with key_usage of ENCRYPT_DECRYPT. https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks

When I attempted to just use an RSA_4096 KMS key with sops I got:

Failed to call KMS encryption service: InvalidKeyUsageException: Algorithm SYMMETRIC_DEFAULT is incompatible with key spec RSA_4096.

1
ag4ve.us avatar
ag4ve.us

I’m not discounting the feature but you know you can do that with pgp right?

#684 AWS KMS asymmetric key support

I’d like to be able to allow anyone to encrypt secrets to me; but only allow decryption through sops/KMS.
AWS support this with key_usage of ENCRYPT_DECRYPT. https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks

When I attempted to just use an RSA_4096 KMS key with sops I got:

Failed to call KMS encryption service: InvalidKeyUsageException: Algorithm SYMMETRIC_DEFAULT is incompatible with key spec RSA_4096.

Sean avatar

Yes, But with pgp you lose the benefits of KMS. Such as auditing who decrypted a secret. And tying the decryption to the AWS APIs.

And pgp/gpg clients are dated, painful, obscure, … We know that all too well.

1

2023-11-17

2023-11-20

2023-11-30

Alanis Swanepoel avatar
Alanis Swanepoel

For anyone interested, I’ve just released a threat intel feed aggregator -dstif.io Feel free to add the rss feed to your own slack/discord/feeds (hint hint @Erik Osterman (Cloud Posse) )

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

I’m just scouring things manually

    keyboard_arrow_up