ubuntuone-client doesn't validate ssl certificates

Reported by Marc Deslauriers on 2011-10-26
Affects                                        Importance   Assigned to

Ubuntu One Client (status tracked in Trunk)
  Stable-3-0                                   Undecided    Unassigned
  Stable-4-0                                   Undecided    Unassigned
  Trunk                                        High         Unassigned

Ubuntu One storage protocol (status tracked in Trunk)
  Stable-1-2                                   Undecided    Unassigned
  Stable-1-6                                   Undecided    Unassigned
  Stable-2-0                                   Undecided    Unassigned
  Stable-3-0                                   High         Alejandro J. Cura
  Stable-4-0                                   High         Rodney Dawes
  Trunk                                        Undecided    Rodney Dawes

ubuntuone-client (Ubuntu)                      Medium       Unassigned
  Lucid                                        Medium       Marc Deslauriers
  Maverick                                     Medium       Marc Deslauriers
  Natty                                        Medium       Marc Deslauriers
  Oneiric                                      Medium       Marc Deslauriers
  Precise                                      Medium       Marc Deslauriers
  Quantal                                      Medium       Unassigned

ubuntuone-storage-protocol (Ubuntu)            Undecided    Unassigned
  Lucid                                        Undecided    Marc Deslauriers
  Maverick                                     Undecided    Unassigned
  Natty                                        Undecided    Marc Deslauriers
  Oneiric                                      Undecided    Marc Deslauriers
  Precise                                      Undecided    Marc Deslauriers
  Quantal                                      Undecided    Unassigned

Bug Description

ubuntuone-client uses urllib2 to perform certain operations on https web sites. urllib2 does not do any certificate validation, and should only be used if certificate validation is being done by the application itself.

This results in a trivial man in the middle attack that can obtain or alter sensitive information.

Changed in ubuntuone-client (Ubuntu):
status: New → Confirmed
Alejandro J. Cura (alecu) wrote :

This is a patch for lp:ubuntuone-client/stable-2-0 that depends on the curllib patch proposed for lp:ubuntu-sso-client/stable-1-4

Alejandro J. Cura (alecu) wrote :

This is a patch for lp:ubuntuone-client/stable-1-6 that depends on the curllib patch proposed for lp:ubuntu-sso-client/stable-1-2

Alejandro J. Cura (alecu) wrote :

This is a patch for lp:ubuntuone-client/stable-1-4 that depends on the curllib patch proposed for lp:ubuntu-sso-client/stable-1-0

Alejandro J. Cura (alecu) wrote :

This is a patch for lp:ubuntuone-client/stable-1-2 that *does not* depend on any ubuntu-sso-client versions, because there was none at the time.

Marc Deslauriers (mdeslaur) wrote :

Thanks for the patches, I'll work on security updates for this. Do not commit publicly until the security updates have been published. Thanks!

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2011-4409

Changed in ubuntuone-client (Ubuntu Lucid):
status: New → Confirmed
Changed in ubuntuone-client (Ubuntu Maverick):
status: New → Confirmed
Changed in ubuntuone-client (Ubuntu Natty):
status: New → Confirmed
Changed in ubuntuone-client (Ubuntu Oneiric):
status: New → Confirmed
Changed in ubuntuone-client (Ubuntu Lucid):
importance: Undecided → Medium
Changed in ubuntuone-client (Ubuntu Maverick):
importance: Undecided → Medium
Changed in ubuntuone-client (Ubuntu Natty):
importance: Undecided → Medium
Changed in ubuntuone-client (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in ubuntuone-client (Ubuntu Precise):
importance: Undecided → Medium
Changed in ubuntuone-client (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ubuntuone-client (Ubuntu Maverick):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ubuntuone-client (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ubuntuone-client (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
Marc Deslauriers (mdeslaur) wrote :

OK, after testing the patches and looking some more through the code, it
appears there are still some certificate validation issues:

On Lucid-Oneiric:
ubuntuone/syncdaemon/action_queue.py:

Uses twisted.internet.reactor.connectSSL. Unfortunately, connectSSL does
not validate the hostname against the certificate commonName (and subject
alternative names) itself, it is up to the application to enforce this.

ubuntuone-client must add this check, or a MITM can simply use any valid
certificate issued by a CA.

On Maverick:
ubuntuone/api/restclient.py: still uses urllib2 to open https connections
without proper certificate validation.

On Lucid:
bin/ubuntuone-preferences: uses httplib to open https connections without
proper certificate validation.

ubuntuone/oauthdesktop/auth.py: used httplib to open https connections.
Seems to validate certificates, but doesn't validate hostname against them.
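
The check this comment says is missing, written out as an added example (not code from ubuntuone-client, ubuntuone-storage-protocol or Twisted): a hostname is compared against the peer certificate's subjectAltName dNSName entries, falling back to the subject commonName only when no dNSName is present. The certificate dictionaries are constructed in the shape `ssl.SSLSocket.getpeercert()` returns, the host names are made up, and the helper names are this example's own.

```python
"""Hostname verification against a peer certificate.

Added example; not code from the Ubuntu One projects or Twisted. Certificates
are constructed dictionaries in getpeercert() shape, with made-up host names.
"""
import socket
import ssl


def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored, and a
    wildcard accepted only as the entire leftmost label of a name that has at
    least two further labels (so '*.com' never matches anything)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert, hostname):
    """True when the certificate names the host we intended to reach.

    subjectAltName dNSName entries are authoritative; the subject commonName is
    consulted only when the certificate carries no dNSName at all. Chain
    validation alone accepts any CA-issued certificate, whoever it was issued
    to; this name check is what ties the certificate to the expected server."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(dns_name_matches(name, hostname) for name in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return dns_name_matches(value, hostname)
    return False


def open_verified_connection(hostname, port=443, cafile=None):
    """Chain validation plus hostname check in one place. create_default_context()
    sets CERT_REQUIRED and check_hostname=True, so the handshake fails if either
    check fails; passing server_hostname is what makes the name check possible."""
    ctx = ssl.create_default_context(cafile=cafile)
    sock = socket.create_connection((hostname, port))
    return ctx.wrap_socket(sock, server_hostname=hostname)


# Constructed sample certificates (dictionary form only, no real keys).
CERT_WITH_SAN = {
    "subject": ((("commonName", "example.com"),),),  # CN deliberately absent from SAN
    "subjectAltName": (("DNS", "sync.example.com"), ("DNS", "*.sync.example.com")),
}
CERT_CN_ONLY = {
    "subject": ((("countryName", "US"),), (("commonName", "files.example.com"),)),
}
# A perfectly valid certificate for some other site: the case the report describes.
CERT_OTHER_SITE = {
    "subject": ((("commonName", "other-site.example.net"),),),
    "subjectAltName": (("DNS", "other-site.example.net"),),
}
```

`hostname_matches_cert` is the pure function to unit-test; `open_verified_connection` shows where the same check lands in a modern `ssl` client, where the standard library performs it for you once `server_hostname` is supplied.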

Alejandro J. Cura (alecu) wrote :

Hi Marc, thanks for your very detailed report.
We'll work on fixing those issues too.

Marc Deslauriers (mdeslaur) wrote :

Hi! Any progress on this? Thanks

Alejandro J. Cura (alecu) wrote :

Hi Marc, we are now resuming the work on this bug.
Sorry for the delay; we were finishing some other work that had to make it in precise.

Marc Deslauriers (mdeslaur) wrote :

Thanks! :)

Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in ubuntuone-client (Ubuntu Maverick):
status: Confirmed → Won't Fix
Alejandro J. Cura (alecu) wrote :

I'm adding new versions of the patches, that include fixes for the twisted connectSSL as used by the code in the projects ubuntuone-client and ubuntuone-storage-protocol.

Alejandro J. Cura (alecu) wrote :

This is a patch for lp:ubuntuone-client/stable-1-6 that depends on the curllib patch proposed for lp:ubuntu-sso-client/stable-1-2 and on the fix for lp:ubuntuone-client-protocol/stable1-6

Alejandro J. Cura (alecu) wrote :

This is a patch for lp:ubuntuone-client/stable-2-0 that depends on the curllib patch proposed for lp:ubuntu-sso-client/stable-1-4 and on the fix for lp:ubuntuone-client-protocol/stable-2-0

Alejandro J. Cura (alecu) wrote :

In comments #15 and #17, I meant "lp:ubuntuone-storage-protocol/stable-..."

Alejandro J. Cura (alecu) wrote :

This is a patch for lp:ubuntuone-client/stable-3-0 that depends *only* on the fix for lp:ubuntuone-storage-protocol/stable-3-0

Alejandro J. Cura (alecu) wrote :

This is a patch for lp:ubuntuone-client/stable-1-2 that depends *only* on the fix for lp:ubuntuone-storage-protocol/stable-1-2

Alejandro J. Cura (alecu) wrote :

The above patches for Lucid also fix the issues with bin/ubuntuone-preferences and ubuntuone/oauthdesktop/auth.py
Please let me know if there's any further correction to be done.

Thanks!

Changed in ubuntuone-storage-protocol (Ubuntu Maverick):
status: New → Won't Fix
Changed in ubuntuone-storage-protocol (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in ubuntuone-storage-protocol (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in ubuntuone-storage-protocol (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in ubuntuone-storage-protocol (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in ubuntuone-client (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ubuntuone-storage-protocol (Ubuntu Quantal):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Alejandro, I've hit a snag while building the precise ubuntuone-storage-protocol update:

dh --with=python2 clean
   dh_testdir
   dh_auto_clean
Traceback (most recent call last):
  File "setup.py", line 29, in <module>
    from ubuntuone.storageprotocol.context import ssl_cert_location
  File "/home/mdeslaur/work/ubuntuone-storage-protocol/precise/ubuntuone-storage-protocol-3.0.0/ubuntuone/storageprotocol/context.py", line 63, in <module>
    'UbuntuOne-Go_Daddy_Class_2_CA.pem'), 'r').read())
IOError: [Errno 2] No such file or directory: '/etc/ssl/certs/UbuntuOne-Go_Daddy_Class_2_CA.pem'
dh_auto_clean: python setup.py clean -a returned exit code 1
make: *** [clean] Error 1

setup.py causes the cert to be imported, but it cannot be imported while the package builds.

On 05/25/2012 12:27 PM, Marc Deslauriers wrote:
> Alejandro, I've hit a snag while building the precise ubuntuone-storage-
> protocol update:
>
> dh --with=python2 clean
> dh_testdir
> dh_auto_clean
> Traceback (most recent call last):
> File "setup.py", line 29, in <module>
> from ubuntuone.storageprotocol.context import ssl_cert_location
> File "/home/mdeslaur/work/ubuntuone-storage-protocol/precise/ubuntuone-storage-protocol-3.0.0/ubuntuone/storageprotocol/context.py", line 63, in <module>
> 'UbuntuOne-Go_Daddy_Class_2_CA.pem'), 'r').read())
> IOError: [Errno 2] No such file or directory: '/etc/ssl/certs/UbuntuOne-Go_Daddy_Class_2_CA.pem'
> dh_auto_clean: python setup.py clean -a returned exit code 1
> make: *** [clean] Error 1
>
> setup.py causes the cert to be imported, but it cannot be imported while
> the package builds.

Hi Marc, thanks for bringing this to my attention.

I'm on a National Holiday today, so I'll fix it first thing Monday morning.

cheers,
--
alecu

Alejandro J. Cura (alecu) wrote :

This patch should fix the problem where the code tried to load certificates while building the package.
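
The build failure above comes from a module that opens a file under /etc/ssl/certs at import time, which cannot work when setup.py imports it inside a clean build environment. As an added example (not the project's patch), the following defers CA-bundle discovery to the first connection and fails closed when no bundle is found; the candidate paths are placeholders chosen for the illustration.

```python
"""Defer CA-bundle discovery to connect time instead of import time.

Added example, not code from ubuntuone-storage-protocol. Importing this module
performs no file I/O, so a setup.py that imports it still works in a chroot
that has no system certificates installed.
"""
import os
import ssl

# Searched in order. Only names are listed here; nothing is opened at import.
# The first is the usual Debian/Ubuntu system bundle; the second stands in for
# a bundle shipped inside the package itself (placeholder location).
DEFAULT_CANDIDATES = (
    "/etc/ssl/certs/ca-certificates.crt",
    os.path.join(os.getcwd(), "data", "ca-bundle.pem"),
)


def find_ca_bundle(candidates=DEFAULT_CANDIDATES):
    """Return the first readable candidate path, or None if there is none."""
    for path in candidates:
        if os.path.isfile(path) and os.access(path, os.R_OK):
            return path
    return None


class VerifyingContextFactory:
    """Builds the verifying SSLContext lazily, on the first connection attempt."""

    def __init__(self, candidates=DEFAULT_CANDIDATES):
        self.candidates = candidates
        self._ctx = None

    def context(self):
        if self._ctx is None:
            cafile = find_ca_bundle(self.candidates)
            if cafile is None:
                # Fail closed: a missing bundle must never degrade into an
                # unverified connection.
                raise RuntimeError("no CA bundle found in %r" % (self.candidates,))
            ctx = ssl.create_default_context(cafile=cafile)
            ctx.verify_mode = ssl.CERT_REQUIRED
            ctx.check_hostname = True
            self._ctx = ctx
        return self._ctx
```

A client would construct one `VerifyingContextFactory` at startup and call `context()` only when it actually dials out, so packaging steps that merely import the module never depend on the host's certificate store.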

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-storage-protocol - 3.0.0-0ubuntu1.1

---------------
ubuntuone-storage-protocol (3.0.0-0ubuntu1.1) precise-security; urgency=low

  * SECURITY UPDATE: MITM via incorrect ssl cert validation (LP: #882062)
    - debian/patches/CVE-2011-4409.patch: validate hostname in
      ubuntuone/storageprotocol/context.py, add test to
      tests/test_context.py.
    - CVE-2011-4409
 -- Marc Deslauriers <email address hidden> Tue, 29 May 2012 13:58:05 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-client - 3.0.0-0ubuntu1.1

---------------
ubuntuone-client (3.0.0-0ubuntu1.1) precise-security; urgency=low

  * SECURITY UPDATE: MITM via incorrect ssl cert validation (LP: #882062)
    - debian/patches/CVE-2011-4409.patch: use correct URL in
      data/syncdaemon.conf, send hostname for validation in
      ubuntuone/syncdaemon/action_queue.py.
    - debian/control: bump python-ubuntuone-storageprotocol dependency to
      security update.
    - CVE-2011-4409
 -- Marc Deslauriers <email address hidden> Tue, 29 May 2012 14:07:53 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-storage-protocol - 2.0.1-0ubuntu1.1

---------------
ubuntuone-storage-protocol (2.0.1-0ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: MITM via incorrect ssl cert validation (LP: #882062)
    - debian/patches/CVE-2011-4409.patch: validate hostname in
      ubuntuone/storageprotocol/context.py, add test to
      tests/test_context.py.
    - CVE-2011-4409
 -- Marc Deslauriers <email address hidden> Tue, 29 May 2012 14:50:00 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-client - 2.0.1-0ubuntu1.1

---------------
ubuntuone-client (2.0.1-0ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: MITM via incorrect ssl cert validation (LP: #882062)
    - debian/patches/CVE-2011-4409.patch: use pycurl instead of urllib2 and
      send hostname for validation in ubuntuone/syncdaemon/action_queue.py,
      use correct URL in data/syncdaemon.conf, use pycurl instead of
      urllib2 in tests/syncdaemon/test_action_queue.py.
    - debian/control: bump python-ubuntuone-storageprotocol and
      ubuntu-sso-client dependencies to security updates.
    - CVE-2011-4409
 -- Marc Deslauriers <email address hidden> Tue, 29 May 2012 15:23:53 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-storage-protocol - 1.6.1-0ubuntu1.2

---------------
ubuntuone-storage-protocol (1.6.1-0ubuntu1.2) natty-security; urgency=low

  * SECURITY UPDATE: MITM via incorrect ssl cert validation (LP: #882062)
    - debian/patches/CVE-2011-4409.patch: validate hostname in
      ubuntuone/storageprotocol/context.py, add test to
      tests/test_context.py.
    - CVE-2011-4409
 -- Marc Deslauriers <email address hidden> Tue, 29 May 2012 15:34:32 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-client - 1.6.2-0ubuntu2.1

---------------
ubuntuone-client (1.6.2-0ubuntu2.1) natty-security; urgency=low

  * SECURITY UPDATE: MITM via incorrect ssl cert validation (LP: #882062)
    - debian/patches/CVE-2011-4409.patch: use pycurl instead of urllib2 and
      send hostname for validation in ubuntuone/syncdaemon/action_queue.py,
      use correct URL in data/syncdaemon.conf, use pycurl instead of
      urllib2 in tests/syncdaemon/test_action_queue.py.
    - debian/control: bump python-ubuntuone-storageprotocol and
      ubuntu-sso-client dependencies to security updates.
    - CVE-2011-4409
 -- Marc Deslauriers <email address hidden> Tue, 29 May 2012 15:39:24 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-storage-protocol - 1.2.0-0ubuntu1.1

---------------
ubuntuone-storage-protocol (1.2.0-0ubuntu1.1) lucid-security; urgency=low

  * SECURITY UPDATE: MITM via incorrect ssl cert validation (LP: #882062)
    - debian/patches/CVE-2011-4409.patch: validate hostname in
      ubuntuone/storageprotocol/context.py, add test to
      tests/test_context.py.
    - CVE-2011-4409
 -- Marc Deslauriers <email address hidden> Tue, 29 May 2012 15:46:00 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-client - 1.2.2-0ubuntu2.2

---------------
ubuntuone-client (1.2.2-0ubuntu2.2) lucid-security; urgency=low

  * SECURITY UPDATE: MITM via incorrect ssl cert validation (LP: #882062)
    - debian/patches/CVE-2011-4409.patch: use pycurl instead of urllib2 in
      bin/ubuntuone-preferences, tests/syncdaemon/test_action_queue.py,
      use pycurl instead of urllib2 and send hostname for validation in
      ubuntuone/syncdaemon/action_queue.py, use correct URL in
      data/syncdaemon.conf, correctly verify hostname in
      ubuntuone/oauthdesktop/auth.py, send hostname for validation in
      ubuntuone/u1sync/client.py, use pycurl instead of urllib2 in
      ubuntuone/utils/*, ship utils directory in Makefile.*.
    - debian/python-ubuntuone-client.install: also ship new utils
      directory.
    - debian/control: bump python-ubuntuone-storageprotocol dependency to
      security update.
    - debian/control: add python-pycurl dependency.
    - debian/rules: remove simple-patchsys.mk as this is a quilt package.
    - CVE-2011-4409
 -- Marc Deslauriers <email address hidden> Thu, 31 May 2012 10:47:06 -0400

Changed in ubuntuone-client (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in ubuntuone-client (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in ubuntuone-client (Ubuntu Oneiric):
status: Confirmed → Fix Released
Changed in ubuntuone-client (Ubuntu Precise):
status: Confirmed → Fix Released
Changed in ubuntuone-storage-protocol (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in ubuntuone-storage-protocol (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in ubuntuone-storage-protocol (Ubuntu Oneiric):
status: Confirmed → Fix Released
Changed in ubuntuone-storage-protocol (Ubuntu Precise):
status: Confirmed → Fix Released
visibility: private → public

The attachment "Fix for ubuntuone-storage-protocol in Natty" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Changed in ubuntuone-storage-protocol:
status: New → Fix Committed
Rodney Dawes (dobey) on 2012-06-08
Changed in ubuntuone-client:
importance: Undecided → High
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-storage-protocol - 3.99.0-0ubuntu1

---------------
ubuntuone-storage-protocol (3.99.0-0ubuntu1) quantal; urgency=low

  * New upstream release.
    - Use both the cpp and python protobuf implementations when running
      the test suite. (LP: #988362)
    - Be more strict when validating the SSL certificate. (LP: #882062)
    - CVE-2011-4409
  * 00_fix_tests.patch:
    - Backport patch from upstream trunk to fix tests. (LP: #1011666)
  * debian/control:
    - Update build dependencies for running tests.
    - Remove python-xdg binary dependency as it isn't used any longer.
  * debian/rules:
    - Fix argument ordering for dh.
    - Run the tests when building the package.
  * debian/watch:
    - Update the watch file to use stable-4-0 series for Quantal.
 -- Rodney Dawes <email address hidden> Mon, 11 Jun 2012 15:47:19 -0400

Changed in ubuntuone-storage-protocol (Ubuntu Quantal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-client - 3.99.0-0ubuntu1

---------------
ubuntuone-client (3.99.0-0ubuntu1) quantal; urgency=low

  * New upstream release.
    - Use dbus.Dictionary to pass empty dicts. (LP: #711162)
    - Ignore IN_CLOSE_WRITE for directories. (LP: #872894)
    - Validate SSL certificates better. (LP: #882062, LP: #1014654)
    - Ignore .goutputstream temporary flies. (LP: #1012620)
    - Handle failures better in share creation. (LP: #1013180)
    - Re-upload files when server reports empty hash. (LP: #1013401)
  * debian/control:
    - Update some build dependencies in preparation for testing during builds,
      and to allow building on older supported versions of Ubuntu.
  * debian/watch:
    - Update to use stable-4-0 series for Quantal releases.
 -- Rodney Dawes <email address hidden> Tue, 19 Jun 2012 16:58:05 -0400

Changed in ubuntuone-client (Ubuntu Quantal):
status: Confirmed → Fix Released