Downloads and executes unauthenticated binaries about walinuxagent HOT 4 CLOSED

Thanks for reporting this. We are working on fixing this.

from walinuxagent.

Hi @waldiTM,

We have recently deployed secure transport for delivery of Virtual Machine Extensions. The newly deployed versions of Virtual Machine Extensions are delivered to the virtual machines over TLS (https). Over time, we will be fully transitioning to TLS.

From your example above, it appears like your virtual machine is running a 2.0 version of the LinuxDiagnostic extension. The latest version is 2.3.9. If you specify the extension as 2.* while you are deploying (or "autoUpgradeMinorVersion":true in ARM templates), the newer versions of the extension should be delivered via TLS to your VM.

Thanks for reporting the problem and sorry for the inconvenience.

from walinuxagent.

It must check the signature of the binary after downloading. Just using TLS is not adequate.

from walinuxagent.

@waldiTM Fair point. Currently, the storage medium providing the Virtual Machine Extension packages is the same highly-protected storage bucket providing the Virtual Machine Images as well. They are subject to the same security audits and scans.

The Virtual Machine Extension packages are published not only by Microsoft, but other approved independent software vendors (such as Chef, Puppet Labs, ESET) as well. This makes it somewhat challenging to get the right set of keys to the Virtual Machines.

While these are just technical challenges, Extension Signing is certainly on our list and we are hoping to come back and improve.

from walinuxagent.