[fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
nss (Ubuntu) | Fix Released | Medium | Dariusz Gadomski |
Bionic | Fix Released | Medium | Dariusz Gadomski |
Focal | Fix Released | Medium | Dariusz Gadomski |
Groovy | Fix Released | Medium | Dariusz Gadomski |
Bug Description
[Impact]
* Prevents using some parts of nss in FIPS mode, e.g. libfreeblpriv3.so (failed asserts). During initialization the library tries to verify its own binaries against signatures in the .chk files shipped along with it (created at build time). They are installed at /usr/lib/
[Test Case]
* Setup Ubuntu 18.04 in FIPS mode.
* sudo apt install chrony
* sudo chronyd -d
* chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
[Regression Potential]
* The fix introduces 2 new artifacts to the filesystem (symlinks to the .chk files), which may cause alerts in e.g. CI systems.
[Other Info]
Original bug description:
In FIPS mode some additional checks are performed, among them verification of the binaries' signatures. Those signatures are shipped in the libnss3 package as *.chk files installed in /usr/lib/
Those libraries are symlinked to be present in /usr/lib/
ls -l /usr/lib/
lrwxrwxrwx 1 root root 21 Jun 10 18:54 /usr/lib/
The client binaries are linked against the symlinks, so when the verification happens (lib/freebl/
Then it tries to open that file. Obviously it fails, because the actual file is in /usr/lib/
[Test case]
sudo apt install chrony
sudo chronyd -d
chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
Potential solutions:
Solution A:
Drop the /usr/lib/
Solution B:
Create symlinks to *.chk files in /usr/lib/
Solution C:
Implement and upstream NSS feature of resolving symlinks and looking for *.chk where the symlinks lead to.
no longer affects: nss (Ubuntu Xenial)
description: updated
summary: changed from "freebl_fipsSoftwareIntegrityTest fails in FIPS mode" to "[fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode"
tags: added: sts
description: updated
Changed in nss (Ubuntu Bionic):
importance: Undecided → Medium
Changed in nss (Ubuntu):
importance: Undecided → Medium
description: updated
Changed in nss (Ubuntu):
assignee: nobody → Richard Maciel Costa (richardmaciel)
Changed in nss (Ubuntu Bionic):
assignee: nobody → Richard Maciel Costa (richardmaciel)
tags: added: patch
Changed in nss (Ubuntu):
status: New → In Progress
Changed in nss (Ubuntu Bionic):
status: New → In Progress
Changed in nss (Ubuntu):
assignee: Richard Maciel Costa (richardmaciel) → Dariusz Gadomski (dgadomski)
Changed in nss (Ubuntu Bionic):
assignee: Richard Maciel Costa (richardmaciel) → Dariusz Gadomski (dgadomski)
Changed in nss (Ubuntu Focal):
assignee: nobody → Dariusz Gadomski (dgadomski)
importance: Undecided → Medium
status: New → In Progress
description: updated
tags: added: verification-done-bionic removed: verification-needed-bionic
tags: added: sts-sponsor-dgadomski
I have briefly analyzed nss code - it uses the nspr library for, inter alia, file access abstraction. From what I saw in the docs it does not offer any form of symlink resolution, so it may be nontrivial to safely implement it in nss code.