2020-05-19 17:05:01 |
Dimitri John Ledkov |
bug |
|
|
added bug |
2020-05-19 17:14:45 |
Marc Deslauriers |
cve linked |
|
2018-1000500 |
|
2020-05-19 17:52:24 |
Dimitri John Ledkov |
summary |
busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y config option |
busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn about it either |
|
2020-05-19 17:57:14 |
Dimitri John Ledkov |
description |
[Impact]
* CONFIG_FEATURE_WGET_OPENSSL=y enables https support in wget busybox applet
* When performing https requests, it runs openssl s_client and communicates with it to perform the https download
* Whilst doing so, it does not pass `-verify_return_error` option, meaning any verification errors are ignored
* This allows https downloads to succeed without any CA certificates or validation
* This allows MITM attacks
[Test Case]
* Preparation: sudo apt install busybox
* Test case: /bin/busybox wget https://untrusted-root.badssl.com/
* Expected: download failed, like with GNU wget
$ wget https://untrusted-root.badssl.com/
--2020-05-19 18:00:38-- https://untrusted-root.badssl.com/
Resolving untrusted-root.badssl.com (untrusted-root.badssl.com)... 104.154.89.105
Connecting to untrusted-root.badssl.com (untrusted-root.badssl.com)|104.154.89.105|:443... connected.
ERROR: cannot verify untrusted-root.badssl.com's certificate, issued by ‘CN=BadSSL Untrusted Root Certificate Authority,O=BadSSL,L=San Francisco,ST=California,C=US’:
Self-signed certificate encountered.
To connect to untrusted-root.badssl.com insecurely, use `--no-check-certificate'.
* Observed: download success
$ /bin/busybox wget https://untrusted-root.badssl.com/
Connecting to untrusted-root.badssl.com (104.154.89.105:443)
index.html 100% |*************************************************************************************| 600 0:00:00 ETA
$ cat index.html | grep certificate
The certificate for this site is signed using an untrusted root.
[Regression Potential]
* The fact that /bin/busybox wget https:// succeeds without TLS verification might be relied upon. If this issue is fixed, ensure that `--no-check-certificate` is honored.
[Other Info]
* Proposed fix
pass `-verify_return_error` to s_client, unless `--no-check-certificate` is specified |
[Impact]
* CONFIG_FEATURE_WGET_OPENSSL=y enables https support in wget busybox applet using openssl
* CONFIG_FEATURE_WGET_HTTPS=y enables https support in wget busybox applet using internal TLS code
* CVE-2018-1000500 ensured that when CONFIG_FEATURE_WGET_HTTPS=y is used, a message is printed to notify the users that TLS verification is not performed.
* However, when one configures with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset - no such message is printed.
* Also TLS verification is not performed under OPENSSL case.
* When performing https requests, it runs openssl s_client and communicates with it to perform the https download
* Whilst doing so, it does not pass `-verify_return_error` option, meaning any verification errors are ignored
* There is no warning that TLS verification was not performed
[Test Case]
* Preparation: sudo apt install busybox
* Test case: /bin/busybox wget https://untrusted-root.badssl.com/
* Expected: download failed, or download succeeds with a warning printed that verification is disabled
* Observed: download success without a warning that verification is disabled.
$ /bin/busybox wget https://untrusted-root.badssl.com/
Connecting to untrusted-root.badssl.com (104.154.89.105:443)
index.html 100% |*************************************************************************************| 600 0:00:00 ETA
$ cat index.html | grep certificate
The certificate for this site is signed using an untrusted root.
[Regression Potential]
* The fact that /bin/busybox wget https:// succeeds without TLS verification might be relied upon. If this issue is fixed, ensure that `--no-check-certificate` is honored.
[Other Info]
* Proposed fix
pass `-verify_return_error` to s_client, unless `--no-check-certificate` is specified |
|
2020-05-19 18:00:18 |
Dimitri John Ledkov |
attachment added |
|
0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1879533/+attachment/5374238/+files/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch |
|
2020-05-19 18:00:48 |
Dimitri John Ledkov |
description |
[Impact]
* CONFIG_FEATURE_WGET_OPENSSL=y enables https support in wget busybox applet using openssl
* CONFIG_FEATURE_WGET_HTTPS=y enables https support in wget busybox applet using internal TLS code
* CVE-2018-1000500 ensured that when CONFIG_FEATURE_WGET_HTTPS=y is used, a message is printed to notify the users that TLS verification is not performed.
* However, when one configures with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset - no such message is printed.
* Also TLS verification is not performed under OPENSSL case.
* When performing https requests, it runs openssl s_client and communicates with it to perform the https download
* Whilst doing so, it does not pass `-verify_return_error` option, meaning any verification errors are ignored
* There is no warning that TLS verification was not performed
[Test Case]
* Preparation: sudo apt install busybox
* Test case: /bin/busybox wget https://untrusted-root.badssl.com/
* Expected: download failed, or download succeeds with a warning printed that verification is disabled
* Observed: download success without a warning that verification is disabled.
$ /bin/busybox wget https://untrusted-root.badssl.com/
Connecting to untrusted-root.badssl.com (104.154.89.105:443)
index.html 100% |*************************************************************************************| 600 0:00:00 ETA
$ cat index.html | grep certificate
The certificate for this site is signed using an untrusted root.
[Regression Potential]
* The fact that /bin/busybox wget https:// succeeds without TLS verification might be relied upon. If this issue is fixed, ensure that `--no-check-certificate` is honored.
[Other Info]
* Proposed fix
pass `-verify_return_error` to s_client, unless `--no-check-certificate` is specified |
[Impact]
* CONFIG_FEATURE_WGET_OPENSSL=y enables https support in wget busybox applet using openssl
* CONFIG_FEATURE_WGET_HTTPS=y enables https support in wget busybox applet using internal TLS code
* CVE-2018-1000500 ensured that when CONFIG_FEATURE_WGET_HTTPS=y is used, a message is printed to notify the users that TLS verification is not performed.
* However, when one configures with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset - no such message is printed.
* Also TLS verification is not performed under OPENSSL case.
* When performing https requests, it runs openssl s_client and communicates with it to perform the https download
* Whilst doing so, it does not pass `-verify_return_error` option, meaning any verification errors are ignored
* There is no warning that TLS verification was not performed
[Test Case]
* Preparation: sudo apt install busybox; or build busybox with CONFIG_FEATURE_WGET_OPENSSL=y
* Test case: /bin/busybox wget https://untrusted-root.badssl.com/
* Expected: download failed, or download succeeds with a warning printed that verification is disabled
* Observed: download success without a warning that verification is disabled.
$ /bin/busybox wget https://untrusted-root.badssl.com/
Connecting to untrusted-root.badssl.com (104.154.89.105:443)
index.html 100% |*************************************************************************************| 600 0:00:00 ETA
$ cat index.html | grep certificate
The certificate for this site is signed using an untrusted root.
[Regression Potential]
* The fact that /bin/busybox wget https:// succeeds without TLS verification might be relied upon. If this issue is fixed, ensure that `--no-check-certificate` is honored.
[Other Info]
* Proposed fix
pass `-verify_return_error` to s_client, unless `--no-check-certificate` is specified |
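The following shell script is an added illustration, not code from busybox or from the bug report: it models the decision the proposed fix describes (pass `-verify_return_error` to s_client unless `--no-check-certificate` was given, and warn in that case as CVE-2018-1000500 does for the internal TLS path) and shows how a wrapper can still detect an unverified chain from s_client's verbose trailer. The exact way busybox launches s_client and the sample outputs are assumptions.

```shell
#!/bin/sh
# Added example (not busybox code). Models the proposed fix: make chain
# verification fatal for openssl s_client unless the user opted out.

# Build the s_client argument string. The -connect/-servername part is an
# assumption about how the helper is launched; -verify_return_error is the
# option the bug report says is missing.
build_s_client_args() {
    host=$1; port=$2; no_check=$3
    args="s_client -connect ${host}:${port} -servername ${host}"
    if [ "$no_check" = "1" ]; then
        # Mirror the CVE-2018-1000500 behaviour: say loudly that we skip verification.
        echo "warning: TLS certificate verification disabled (--no-check-certificate)" >&2
    else
        args="$args -verify_return_error"
    fi
    printf '%s\n' "$args"
}

# Extract the numeric "Verify return code" from verbose s_client output.
# Prints the code, or "none" when s_client never reported one.
verify_code_from_output() {
    code=$(printf '%s\n' "$1" | sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    printf '%s\n' "${code:-none}"
}

# Accept the session only when the chain verified (code 0), or when the
# user explicitly disabled checking. Anything else is an untrusted peer.
accept_session() {
    output=$1; no_check=$2
    [ "$no_check" = "1" ] && return 0
    [ "$(verify_code_from_output "$output")" = "0" ]
}

# Constructed sample trailers, modelled on what verbose s_client prints.
SAMPLE_UNTRUSTED='CONNECTED(00000003)
depth=1 CN = BadSSL Untrusted Root Certificate Authority
verify error:num=19:self signed certificate in certificate chain
---
Verify return code: 19 (self signed certificate in certificate chain)
---'
SAMPLE_OK='CONNECTED(00000003)
---
Verify return code: 0 (ok)
---'
```

Without `-verify_return_error` s_client keeps the session open after a failed verification and only reports it in this trailer, which is why a wrapper that never parses it, as described above, downloads from an untrusted peer without noticing.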
|
2020-05-19 18:27:04 |
Dimitri John Ledkov |
attachment removed |
0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1879533/+attachment/5374238/+files/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch |
|
|
2020-05-19 18:27:51 |
Dimitri John Ledkov |
attachment added |
|
0001-wget-add-note-about-lack-of-TLS-verification-with-Op.patch https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1879533/+attachment/5374263/+files/0001-wget-add-note-about-lack-of-TLS-verification-with-Op.patch |
|
2020-05-19 18:28:05 |
Dimitri John Ledkov |
attachment added |
|
0002-Revert-wget-add-note-about-lack-of-TLS-verification-.patch https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1879533/+attachment/5374264/+files/0002-Revert-wget-add-note-about-lack-of-TLS-verification-.patch |
|
2020-05-19 18:28:18 |
Dimitri John Ledkov |
attachment added |
|
0003-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1879533/+attachment/5374265/+files/0003-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch |
|
2020-05-19 18:51:27 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Groovy |
|
2020-05-19 18:51:27 |
Dimitri John Ledkov |
bug task added |
|
busybox (Ubuntu Groovy) |
|
2020-05-19 18:51:27 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Focal |
|
2020-05-19 18:51:27 |
Dimitri John Ledkov |
bug task added |
|
busybox (Ubuntu Focal) |
|
2020-05-20 13:55:03 |
Dimitri John Ledkov |
information type |
Private Security |
Public Security |
|
2020-05-20 13:56:17 |
Dimitri John Ledkov |
busybox (Ubuntu Groovy): status |
New |
Fix Committed |
|
2020-05-20 16:26:10 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2020-05-21 12:55:19 |
Francis Ginther |
tags |
patch |
id-5ec405c08ffc87364ab8cf50 patch |
|
2020-05-22 00:30:23 |
Launchpad Janitor |
busybox (Ubuntu Groovy): status |
Fix Committed |
Fix Released |
|
2020-06-04 10:41:14 |
Łukasz Zemczak |
busybox (Ubuntu Focal): status |
New |
Fix Committed |
|
2020-06-04 10:41:16 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2020-06-04 10:41:18 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
2020-06-04 10:41:21 |
Łukasz Zemczak |
tags |
id-5ec405c08ffc87364ab8cf50 patch |
id-5ec405c08ffc87364ab8cf50 patch verification-needed verification-needed-focal |
|
2020-06-08 13:52:54 |
Dimitri John Ledkov |
tags |
id-5ec405c08ffc87364ab8cf50 patch verification-needed verification-needed-focal |
id-5ec405c08ffc87364ab8cf50 patch verification-done verification-done-focal |
|
2020-06-16 00:03:02 |
Launchpad Janitor |
busybox (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2020-06-16 00:03:14 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|