Public bug reported:

URL: https://github.com/Azure/GuestProxyAgent/
License: MIT
Notes:
The GuestProxyAgent (GPA) enhances the security of Azure Instance Metadata 
Service (IMDS) and Azure Wireserver endpoints (e.g., 169.254.169.254 and 
168.63.129.16) on Azure IaaS virtual machines. It introduces strong 
authentication and authorization measures to mitigate common attacks such as 
confused deputy (e.g., SSRF) and sandbox escapes that target metadata services.

GPA intercepts HTTP requests to these endpoints using eBPF, allowing it
to verify the identity of in-guest processes. By transitioning from a
default-open to a default-closed access model, GPA ensures that only
authorized processes (as defined by a trusted delegate established at
provisioning) can retrieve sensitive metadata. Requests must include an
HMAC-based signature generated with a long-lived secret negotiated
during setup, reinforcing the point-to-point trust relationship.

Test builds are available from ppa:gjolly/azure-proxy-agent
(https://launchpad.net/~gjolly/+archive/ubuntu/azure-proxy-agent)
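As an added illustration (not code from the GuestProxyAgent project, and not its real wire format), the following Python models the default-closed check the description above outlines: a request reaches the metadata endpoint only if the calling process is on the delegate's allow-list and the request carries a valid HMAC over its method, host, path and body; the secret, header name, allow-list and canonical string are constructed assumptions.

```python
import hashlib
import hmac

# Constructed demo values: GPA's real secret, header name and policy format are not on the page.
SHARED_SECRET = b"constructed-demo-secret-negotiated-at-provisioning"
SIGNATURE_HEADER = "x-demo-proxy-signature"   # hypothetical header name
ALLOWED_PROCESSES = {"walinuxagent"}          # hypothetical delegate allow-list


def canonical_string(method: str, host: str, path: str, body: bytes) -> bytes:
    """Bind method, host, path and a body digest so one signature cannot be reused elsewhere."""
    return "\n".join([method.upper(), host.lower(), path, hashlib.sha256(body).hexdigest()]).encode()


def sign_request(method: str, host: str, path: str, body: bytes = b"", secret: bytes = SHARED_SECRET) -> str:
    """Client side: an authorized process signs its request with the long-lived secret."""
    return hmac.new(secret, canonical_string(method, host, path, body), hashlib.sha256).hexdigest()


def authorize(process: str, method: str, host: str, path: str, headers: dict, body: bytes = b"") -> tuple:
    """Proxy side, default-closed: every check must pass, anything else is denied with a reason."""
    if process not in ALLOWED_PROCESSES:
        return False, "process not in delegate allow-list"
    signature = headers.get(SIGNATURE_HEADER)
    if not signature:
        return False, "missing signature"
    expected = sign_request(method, host, path, body)
    if not hmac.compare_digest(expected, signature):   # constant-time comparison
        return False, "signature mismatch"
    return True, "allowed"


def demo() -> dict:
    """Run the scenarios from the description: legitimate agent, unsigned request, SSRF-style
    request from an unlisted process, a signature made with the wrong secret, and a valid
    signature replayed against a different path."""
    host, path = "169.254.169.254", "/metadata/instance?api-version=2021-02-01"
    good = {SIGNATURE_HEADER: sign_request("GET", host, path)}
    forged = {SIGNATURE_HEADER: sign_request("GET", host, path, secret=b"guessed-secret")}
    return {
        "agent_signed": authorize("walinuxagent", "GET", host, path, good),
        "agent_unsigned": authorize("walinuxagent", "GET", host, path, {}),
        "webapp_unsigned": authorize("webapp", "GET", host, path, {}),
        "forged": authorize("walinuxagent", "GET", host, path, forged),
        "retargeted": authorize("walinuxagent", "GET", host, "/metadata/identity/oauth2/token", good),
    }
```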

** Affects: ubuntu
     Importance: Undecided
         Status: New


** Tags: needs-packaging

** Description changed:

  URL: https://github.com/Azure/GuestProxyAgent/
  License: MIT
  Notes:
- The GuestProxyAgent (GPA) enhances the security of Azure Instance Metadata 
Service (IMDS)
- and Azure Wireserver endpoints (e.g., 169.254.169.254 and 168.63.129.16) on 
Azure IaaS virtual
- machines. It introduces strong authentication and authorization measures to 
mitigate
- common attacks such as confused deputy (e.g., SSRF) and sandbox escapes that 
target metadata services.
+ The GuestProxyAgent (GPA) enhances the security of Azure Instance Metadata 
Service (IMDS) and Azure Wireserver endpoints (e.g., 169.254.169.254 and 
168.63.129.16) on Azure IaaS virtual machines. It introduces strong 
authentication and authorization measures to mitigate common attacks such as 
confused deputy (e.g., SSRF) and sandbox escapes that target metadata services.
  
- GPA intercepts HTTP requests to these endpoints using eBPF, allowing it to 
verify the identity of
- in-guest processes. By transitioning from a default-open to a default-closed 
access model, GPA
- ensures that only authorized processes (as defined by a trusted delegate 
established at provisioning)
- can retrieve sensitive metadata. Requests must include an HMAC-based 
signature generated with a
- long-lived secret negotiated during setup, reinforcing the point-to-point 
trust relationship.
+ GPA intercepts HTTP requests to these endpoints using eBPF, allowing it
+ to verify the identity of in-guest processes. By transitioning from a
+ default-open to a default-closed access model, GPA ensures that only
+ authorized processes (as defined by a trusted delegate established at
+ provisioning) can retrieve sensitive metadata. Requests must include an
+ HMAC-based signature generated with a long-lived secret negotiated
+ during setup, reinforcing the point-to-point trust relationship.
  
  Test builds are available from ppa:gjolly/azure-proxy-agent
  (https://launchpad.net/~gjolly/+archive/ubuntu/azure-proxy-agent)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2098393

Title:
  [needs-package] azure-proxy-agent

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/2098393/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs