-
-
Notifications
You must be signed in to change notification settings - Fork 215
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenSSL Security Concerns #286
Comments
Thanks for the scan, @sempervictus. Indeed, I actually scan daily (although please feel free to log an issue whenever you notice one). Stable versions of Ubuntu can't update the SSL API used (for fear of breaking clients), nor can it update the SSL version (for the same reason). However, the Ubuntu security team actively backports all SSL security patches to the version of SSL that is available in the archive. As such, while Nessus is right that the upstream version of SSL has those vulnerabilities, none of those CVEs actually apply to the SSL in Ubuntu (Xenial, specifically). I was told by the security team that some scanners actually tie into the USN database to filter out such results. |
This was a remote scan without local auth, locally authenticated scans get confused by snapd, and in our case Nessus won't support the OS distribution since its Arch (needed something thin/binary still using glibc). While i'm aware of Canonicals efforts to backport, i would caution that its not always done successfully, and given the nature of the project a single serious security gaff would (and will, when it happens) hurt user confidence. SSLScan does look a lot better:
|
That's fair, although such a security gaff would impact Ubuntu itself as well, which would be a big deal. I tend to trust the folks who are paid to keep Ubuntu safe, but my opinion isn't the only one that matters. How do you feel about this? Is an ideal solution to track upstream openssl? I'm a little nervous about the API issues that may introduce with the other components of the snap, but have not experienced them firsthand. |
This is the standard pitfall of crypto - the implementation details are above the heads of almost all consumers, and changes to how the details are applied in new or backported methods can make a difference. Thing is, the newest versions of things tend to have the most mistakes - compiletime and functional tests will catch errors only so well as their coverage permits. If something is capable of referencing a free'd object, but never does it unless a number of stars line up, automated testing is likely to miss it without proper test cases; and nobody knows what those are until a bug is caught which necessitates the creation of a new one. Eternal cat and mouse game in infosec - think how long it took to actually get proper coverage on heartbleed across the distributions, or even shellshock for that matter (or anything RHEL does). If you have binary dependencies against the Canonical version of OpenSSL, i'd say stay with it, and try to track with daily scans against a full-fledged OS deployed using the components packaged in the snap. This should allow you to get findings against supporting components and determine how/if they apply to a snap running in production - escalation of privs to be able to write into the FS won't help much in an RO mount, but something affecting transport integrity would be a concern. Separately, having Arachni go over this as well, but both it and Nessus suggest implementing https://www.owasp.org/index.php/SecureFlag. |
I'm not completely following you, here. By "full-fledged OS deployed using the components packaged in the snap," do you mean everything contained in the snap, but not actually running it in the snap: installing everything to standard locations? If so, I'm not clear on the benefit of this.
Again not quite clear on what you're saying. My scans run against the snap installed in LXC, one with HTTPS enabled, and one without. Are you saying the scanners need write access to the snap, though?
Ah, that'll need to be part of the HTTPS toggle. Mind logging a new issue about that, please?
Yeah that would be pretty sweet, but I'm afraid it's a step beyond the manpower I have available. |
I'm suggesting the scans be run against an Ubuntu core installation with the snap's contents installed in a normal filesystem with all the attack surface provided by a complete OS. This approach should be the most compatible with scanning tools, and provide a "worst case" approximation of exposure to the actual runtime, with some of the concerns being mitigated by the container technology in use, kernel configurations/builds, and other "real-world" factors (which may also lead to additional exposure, but you can't run scans against every possible layout). |
Well, let me outline exactly what I'm doing today so we're on the same page. Then we can both get a better picture of what to improve. Note that all snap instances are their own lxc container (indeed, snapd is running inside the lxc namespace). This setup is identical to my own production instance.
All scans run during the night and then email me, so my day starts with a review of the results. No local authentication, although I've been meaning to investigate that (not for production, of course). You say that snapd confuses it... can you elaborate on the issues you encountered?
Thank you, credit goes to @SkyWheel for getting us started. We're always looking to improve though, so I appreciate this discussion 😃 . The snap update mechanism means we can get automatic fixes to all users in a matter of hours, which is a tremendous amount of power. We take that very seriously. |
Hi @kyrofa , |
Far as how scanners get confused - they enumerate the package manager of the userspace to which they connect. So the package-version-based checks actually look at the wrong list, possibly the wrong OS entirely. Moreover, the scanners have conditional logic to execute plugins based on environmental constraints - "run aptitude package checks on systems detected as Debian, skipping Yum ... checks." So that can turn into a bloody mess because version numbers start to not match up, even if they're detected, services are checked against the wrong things, and gaps form in the surface. Its a subtle sort of hell sorting out the details of these discrepancies, but todays vulnerability analysis engines are rather behind the times - they dont address namespacing, mount constraints, and a bunch of other operating logic which drives the bare metal (or virtualized, really) containerized ecosystems. |
OK, since the theme has been raised I've seen at least 2 openssl updates. As discussed, Ubuntu team manages it's own openssl version and backports all patches into it. |
Thanks @SkyWheel, will do. |
Nessus does not appear to be a fan of the OpenSSL version in use, relevant CVE references from plugin output:
Are vulnerability assessments part of the release QA process? If not, might be worthwhile to add them. We could even perform scans on a public facing instance and push the reports back, but i figure you'll want authenticated checks for full versions of the build image before it becomes a snap as well...
The text was updated successfully, but these errors were encountered: