[Security] BREACH vulnerability is not mitigated in default configuration

Bug #1403283 reported by Thomas Ward on 2014-12-17
Affects            Status        Importance  Assigned to  Milestone
Nginx                            Medium      Unassigned
nginx (Debian)     Fix Released  Unknown
nginx (Ubuntu)                   Undecided   Unassigned

Bug Description

The BREACH vulnerability (http://breachattack.com/) is not mitigated in the default nginx.conf configuration file.

Details on the BREACH vulnerability are available at the link above. HTTP level compression served over a TLS connection is vulnerable to the same attack as CRIME, but without the TLS-level compression.

In Vivid, and likely the older variants of Ubuntu, this is easily mitigated by changing `gzip on;` in the nginx.conf file to `gzip off;` which disables `gzip` compression except where overridden later by sites' configurations.

This impacts Ubuntu, the PPAs, and Debian as well. (I will likely upstream this to Debian tomorrow, but will add the Nginx tracker here on Launchpad for the PPAs)
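The report's fix relies on nginx directive inheritance: `gzip off;` at the `http` level disables compression unless a site's own `server` block turns it back on. The script below is an added example, not part of the bug report or the nginx package, that computes the effective gzip state per server block from a constructed nginx.conf; it assumes one directive or brace per line and ignores gzip set inside nested `location` blocks.

```shell
#!/bin/sh
# Added example (not from the bug report): report the effective gzip setting
# for every server{} block, honouring http -> server inheritance.
# Assumes one directive or brace per line; gzip inside location{} is ignored.

# Print "server_name<TAB>on|off" for each server block in the given file.
effective_gzip() {
    sed 's/#.*//' "$1" | awk '
        /\{/ { depth++; ctx[depth] = $1
               if ($1 == "server") { sid++; own[sid] = ""; name[sid] = "server#" sid } }
        /^[ \t]*server_name[ \t]/ {
               if (ctx[depth] == "server") { sub(/;.*/, "", $2); name[sid] = $2 } }
        /^[ \t]*gzip[ \t]+(on|off)[ \t]*;/ {
               v = $2; sub(/;/, "", v)
               if (ctx[depth] == "http")        httpg = v
               else if (ctx[depth] == "server") own[sid] = v }
        /\}/ { depth-- }
        END {
            for (i = 1; i <= sid; i++) {
                # nginx defaults gzip to off when nothing sets it
                eff = own[i] != "" ? own[i] : (httpg != "" ? httpg : "off")
                print name[i] "\t" eff
            }
        }'
}

# Print the server names whose effective gzip is on (the BREACH precondition
# when those servers terminate TLS). Returns 1 if any are found, else 0.
exposed_servers() {
    out=$(effective_gzip "$1" | awk -F '\t' '$2 == "on" { print $1 }')
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample mirroring the packaged default: gzip on at http level,
# one site inheriting it and one overriding it with gzip off.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
http {
    gzip on;   # packaged default before this bug's fix
    server {
        listen 443 ssl;
        server_name inherits.example;
    }
    server {
        listen 443 ssl;
        server_name overridden.example;
        gzip off;   # site-level override
    }
}
EOF

if exposed_servers "$SAMPLE_CONF"; then echo "no server block has gzip on"; fi
```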

Thomas Ward (teward) on 2014-12-17
Changed in nginx:
importance: Undecided → High
importance: High → Medium
Changed in nginx (Debian):
status: Unknown → New
Thomas Ward (teward) wrote :

Additional notes:

Disabling HTTP-level compression by default is not a decent option for solving this. Mitigation is mostly on an application level, then; however, there are third-party modules that can be included (in the Universe binaries) which would add length hiding as a potential mitigation method.

A more detailed description on this whole issue can be found here on my blog, describing what BREACH is and possible mitigation methods. It also provides three possible mitigation methods, one which can be done already by default, one which can be done at application levels, and one which can be done with a separate module. http://dark-net.net/?p=49 is the blog post. (aggregated on planet.ubuntu.com)

Changed in nginx (Ubuntu):
status: New → Confirmed
Changed in nginx (Debian):
status: New → Fix Committed
Thomas Ward (teward) on 2015-01-22
Changed in nginx:
status: New → Confirmed
Changed in nginx (Debian):
status: Fix Committed → Fix Released
This report contains Public Security information.