Bug #14772
pfSense Plus doesn't work with AWS new Instance Metadata Service (IMDSv2)
Description
AWS has an updated version of their metadata service (IMDS) that is designed to add some defense-in-depth (see https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/ for details).
pfSense Plus is using the older IMDSv1 instead of IMDSv2. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-add-user-data.html for more details on how to make the call to get user data using IMDSv2.
I think that you could add support for IMDSv2 by updating the retrieveMetaData function in /usr/local/sbin/ec2_setup.php. If you retrieve the token first, you can then use that token to get the requested info. Here is what I think the function should be:
<?php
/* Fetch an EC2 metadata URL using IMDSv2: obtain a short-lived session
 * token with a PUT, then present that token on the real GET. */
function retrieveMetaData($url) {
	if (!$url)
		return;
	$curl = curl_init();
	/* first get the instance token which we will use to
	   authenticate the subsequent call */
	$token_url = "http://169.254.169.254/latest/api/token";
	$headers = array(
		'X-aws-ec2-metadata-token-ttl-seconds: 10');
	curl_setopt($curl, CURLOPT_URL, $token_url);
	curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
	curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
	curl_setopt($curl, CURLOPT_CUSTOMREQUEST, "PUT");
	curl_setopt($curl, CURLOPT_FAILONERROR, true);
	curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 15);
	curl_setopt($curl, CURLOPT_TIMEOUT, 30);
	$token = curl_exec($curl);
	/* with CURLOPT_FAILONERROR set, curl_exec() returns false on an HTTP
	   error; without a token the metadata request cannot succeed, so
	   bail out instead of sending an empty token header */
	if ($token === false || $token === '') {
		curl_close($curl);
		return;
	}
	/* now build the 'real' request and send it along with the
	   token for authentication */
	$headers = array(
		'X-aws-ec2-metadata-token: ' . $token);
	curl_setopt($curl, CURLOPT_URL, $url);
	curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
	curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
	curl_setopt($curl, CURLOPT_CUSTOMREQUEST, "GET");
	curl_setopt($curl, CURLOPT_FAILONERROR, true);
	curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 15);
	curl_setopt($curl, CURLOPT_TIMEOUT, 30);
	$metadata = curl_exec($curl);
	curl_close($curl);
	/* false if the metadata request failed, otherwise the response body */
	return ($metadata);
}
n.b. I haven't taken the time to try and build a fresh ami in AWS, so I may have some syntax wrong!
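The following is an added example, not code from pfSense Plus, Netgate or this issue's reporter. It shows the IMDSv2 exchange the description relies on from both sides. Because the real metadata service is only reachable from inside an EC2 instance, the client here talks to a constructed stand-in (FakeIMDSv2) that enforces the two rules that make IMDSv2 an SSRF mitigation: a session token is issued only to a PUT carrying X-aws-ec2-metadata-token-ttl-seconds, and any metadata GET without a valid, unexpired token is refused. The status codes the stand-in returns, the sample metadata values and the helper names are assumptions for illustration, not a description of the real service; the 1 to 21600 second TTL range mirrors the limit in the AWS documentation.

```python
"""IMDSv2 token round-trip against a constructed stand-in for the metadata service."""
import http.server
import secrets
import threading
import time
import urllib.error
import urllib.request

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"

# Constructed sample metadata; the real service returns instance-specific values.
SAMPLE_METADATA = {
    "/latest/meta-data/instance-id": "i-0123456789abcdef0",
    "/latest/user-data": "hostname=fw1\n",
}


class FakeIMDSv2(http.server.BaseHTTPRequestHandler):
    """Stand-in (assumption, not AWS code) enforcing the two IMDSv2 rules that
    matter here: tokens only via PUT with a TTL header, and every metadata GET
    must present a valid, unexpired token."""
    tokens = {}  # token -> expiry time, shared across handler instances

    def log_message(self, *args):  # keep the example quiet
        pass

    def do_PUT(self):
        ttl = self.headers.get(TTL_HEADER)
        if (self.path != TOKEN_PATH or ttl is None or not ttl.isdigit()
                or not 1 <= int(ttl) <= 21600):
            self._reply(400, "bad token request")
            return
        token = secrets.token_urlsafe(32)
        FakeIMDSv2.tokens[token] = time.monotonic() + int(ttl)
        self._reply(200, token)

    def do_GET(self):
        token = self.headers.get(TOKEN_HEADER)
        expiry = FakeIMDSv2.tokens.get(token)
        if expiry is None or expiry < time.monotonic():
            self._reply(401, "unauthorized")  # IMDSv1-style access refused
            return
        body = SAMPLE_METADATA.get(self.path)
        if body is None:
            self._reply(404, "not found")
            return
        self._reply(200, body)

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_fake_imds():
    """Serve the stand-in on a random loopback port; returns (server, base_url)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), FakeIMDSv2)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def fetch_token(base, ttl=10):
    """Step 1 of IMDSv2: PUT to the token endpoint with the TTL header."""
    req = urllib.request.Request(base + TOKEN_PATH, method="PUT",
                                 headers={TTL_HEADER: str(ttl)})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def retrieve_metadata(base, path, token):
    """Step 2: GET the metadata path with the session token. Returns None on
    any HTTP error rather than an error page, so callers can tell the two apart."""
    req = urllib.request.Request(base + path, headers={TOKEN_HEADER: token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError:
        return None


def status_of(base, path, headers=None, method="GET"):
    """HTTP status only, for probing how the service reacts to bad requests."""
    req = urllib.request.Request(base + path, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    srv, base = start_fake_imds()
    tok = fetch_token(base)
    print(retrieve_metadata(base, "/latest/meta-data/instance-id", tok))
    print(status_of(base, "/latest/meta-data/instance-id"))  # plain GET is refused
    srv.shutdown()
```

The plain GET without a token is the IMDSv1 call pattern, and it is refused by the stand-in for the same reason the real service refuses it when an instance is launched with IMDSv2 required: a PUT with a custom request header is exactly what a typical SSRF through an open proxy or firewall cannot produce. That is also why a client that only speaks IMDSv1 stops working on such instances, which is the failure this issue reports. The client deliberately returns None on a failed request instead of a truthy error body, the same check the posted PHP needs after its token fetch.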
Updated by Reid Linnemann 4 months ago
- Category changed from Installer to Unknown
- Assignee set to Reid Linnemann
Changing from installer category as it isn't related to the installer
Updated by Reid Linnemann 3 months ago
- Target version set to Plus-Next
I actually implemented a simple IMDSv2 client for Plus' HA support, I'll work on getting the ec2 setup to use it.
Updated by Reid Linnemann 6 days ago
- Status changed from New to Feedback
- Target version changed from Plus-Next to 25.11
I've retooled the ec2 setup package to use the IMDSv2 client as of change 5156fbb5, this will be available in the next 25.11-devel build.
Updated by Cameron Epp 6 days ago
That sounds great Reid - thank you for working on it!
Updated by Reid Linnemann 3 days ago
Cameron Epp wrote in #note-4:
That sounds great Reid - thank you for working on it!
My pleasure! I'll leave this issue in feedback status, if you don't mind confirming it works when you upgrade to 25.11 that would be great.