freebsd security - May 2015 - Forums.FreeBSD.org - SSL Issue?

On Mon, May 18, 2015, at 12:34, Dan Lukes wrote:
> On 05/18/15 15:52, Mark Felder:
> > I mean, should we have an SA because our libc supports strcpy and
people
> > can use that and create severe vulnerabilities?
> 
> No, but we should have SA whenever other system component is using 
> strcpy() the way that may affect system security.
> 
> System utility 'fetch' is willing negotiate known-to-be-insecure 
> protocol with no warning and by default. Sensitive user's data may be 
> transferred by base system utility via insecure protocol. I consider it 
> bug in fetch code. A system utility must not allow silent transfer of 
> data via known insecure protocol if secure transfer has been requested.
> 
> I see no reason to keep the issue in the dark, even in the case the 
> issue will not be patched on 8-R & 9-R. OK, I'm former bank IT
security
> officer, so I my expectations related to handling of security issues may 
> be set so high.
> 
> It seems there is nothing more to say about this (slightly off-)topic. I 
> wish the vulnerability should be disclosed to public, you wish it is not 
> necessary because it's known bug in a protocol design and users
doesn't
> expect secure channel from 'fetch'.
> 
> Two men, two opinions. It's not necessary to reach consent.
> 
> Thank you for all comments and responses.
> 
> Dan
> 
Fetch also doesn't have a certificate trust store out of the box. It's
very dependent on the sysadmin to make good decisions. Much like Apache
with mod_ssl will *accept* connections on SSLv3 unless you manually
configure the protocols.

FYI, you can set SSL_NO_SSL3 and SSL_NO_TLS1 in your env to stop this
behavior in fetch. If you add this to your base system image you can
lock this down pretty reliably.

Keep in mind that changing this default behavior in fetch would be a
POLA violation and possibly break scripts for countless users.
Comparatively, is the forums HTTPS also a POLA violation? Maybe! I can't
decide. :-(

On 05/18/15 20:04, Mark Felder:
> Fetch also doesn't have a certificate trust store out of the box.
fetch (nor SSL protocol itself) claim there is one here
> FYI, you can set SSL_NO_SSL3 and SSL_NO_TLS1 in your env to stop this
> behavior in fetch. If you add this to your base system image you can
> lock this down pretty reliably.
I'm not using fetch for transfer of secure data at all. But yes, the 
countermeasures you described can be part of SA I'm calling for.
> Keep in mind that changing this default behavior in fetch would be a
> POLA violation and possibly break scripts for countless users.
> Comparatively, is the forums HTTPS also a POLA violation? Maybe! I
can't
> decide. :-(
If I will be called to decide between POLA to be violated and security 
to be violated, I will vote for POLA violation all the times. Security 
have higher priority to be maintained. I'm sure it's not necessary to 
compare possible damages for those two scenarios.

And no broken user script may happen in advance. No system will change 
behavior unless upgraded to patched version by responsible admin. He 
should be allowed to configure patched system to start fetch in former 
"security violation" mode (but not by default) if it will fit better 
their wishes.

I consider it better than silence about the issue.

But to say true, it's not my war - and no one seems to be with me here ;-)

I have own source repository with custom system patches so I'm not tied 
to "official" decisions. No offense to FreeBSD team in any way!
I'm just
not average user. ;-)


Dan