Script to Generate a Hashed Server_Id
- Updated on 22 Jan 2025
In a security review of the Itential Platform, the public Status API and SystemId API calls, along with the Workflow Engine (WFE) task metrics, were found to expose MAC addresses. As it turned out, the server_id that was exposed in the APIs and WFE contained the MAC address. To guard against this vulnerability, hashing was implemented for the server_id platform-wide, including authenticated calls; however, a method to relate the hashed server_id to the MAC address was still needed for troubleshooting whenever a task crashed or failed to run.
To relate the hashed server_id and MAC address while still maintaining security protocol and the cryptographic function, use the following script to generate (print) the hash locally for your environment. This is a basic Node.js script with no prerequisites other than node, and it can be run from any location. The instructions to run it are in the script comments, and the output can be provided, as needed, to the Itential Service Desk when troubleshooting requests are opened.
Script
// Computes sha256 hashId of new IAP serverId format given a valid serverId of the old format as the only argument to the script
// Example usage: run "node hashId.js 14:7d:da:d6:27:2e:3000". Console Output: Created sha256 Hash in new IAP serverId hashed format: 95560d460d09c3466dc26ed61f84154516c44a2766dfcca3fdb65e3bc0765b4d
const { createHash } = require('crypto');

// The first command-line argument is the old-format serverId
const [serverIdToHash] = process.argv.slice(2);

// Old format: six hex octets, each followed by ':', then a run of digits
if (!serverIdToHash || !serverIdToHash.match(/^([A-Fa-f0-9]{2}[:]){6}\d+$/)) {
  console.error('First input argument must be a valid serverId of the old format. Example: 14:7d:da:d6:27:2e:3000.');
  process.exitCode = 1; // report the rejected input to the calling shell
} else {
  // The hash is taken over the exact string passed in, so letter case matters
  console.log('Created sha256 Hash in new IAP serverId hashed format:', createHash('sha256').update(serverIdToHash).digest('hex'));
}
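
When several nodes are involved, the same hash can be used in the other direction: compute it for every server_id you know locally and look up the hashed value seen in a task metric. The following is an added example, not Itential code; the inventory shape, host names, server IDs and function names are constructed assumptions.

```javascript
// Added example (not part of the Itential script). All hosts and IDs are constructed.
const { createHash } = require('crypto');

// Same old-format check as the script above: six "xx:" hex octets, then digits.
const OLD_FORMAT = /^([A-Fa-f0-9]{2}:){6}\d+$/;

// SHA-256 over the exact old-format string, as in the script above.
// The digest is case-sensitive, so pass the ID exactly as the platform recorded it.
function hashServerId(serverId) {
  if (typeof serverId !== 'string' || !OLD_FORMAT.test(serverId)) {
    throw new Error(`Not an old-format serverId: ${serverId}`);
  }
  return createHash('sha256').update(serverId).digest('hex');
}

// Build hash -> { host, serverId } from a local inventory (hypothetical shape).
function buildIndex(inventory) {
  const index = new Map();
  for (const { host, serverId } of inventory) {
    index.set(hashServerId(serverId), { host, serverId });
  }
  return index;
}

// Resolve a hashed server_id; returns null when it is malformed or not in the inventory.
function resolveHashedId(index, hashedId) {
  if (typeof hashedId !== 'string' || !/^[a-f0-9]{64}$/i.test(hashedId)) return null;
  return index.get(hashedId.toLowerCase()) || null;
}

// Constructed inventory: one entry per old-format serverId known in this environment.
const sampleInventory = [
  { host: 'iap-node-a.example.internal', serverId: '02:00:00:aa:bb:01:3000' },
  { host: 'iap-node-b.example.internal', serverId: '02:00:00:aa:bb:02:3000' },
  { host: 'iap-node-b.example.internal', serverId: '02:00:00:aa:bb:02:3443' },
];
const sampleIndex = buildIndex(sampleInventory);

// Stands in for a hashed server_id copied from a failed task's metrics.
const seenHash = hashServerId('02:00:00:aa:bb:02:3443');
console.log(seenHash, '->', resolveHashedId(sampleIndex, seenHash));
```

Run it on a host that already holds the old-format IDs, so the MAC addresses themselves never leave the environment; only the hash needs to be shared with support.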