Unauthenticated packages installed on app and mon servers during initial provisioning #2472

Closed
redshiftzero opened this issue Oct 24, 2017 · 4 comments

@redshiftzero
Contributor

Description

During initial provisioning of the SecureDrop servers, three packages - tor, ntp, and the Tor keyring - are installed without verifying cryptographic signatures. As these packages are fetched over HTTP, an attacker with network access could gain remote code execution on the SecureDrop servers if they are able to man-in-the-middle (MitM) the connection to the apt server. This vulnerability was first introduced in SecureDrop 0.3, released February 11, 2015, due to a developer misunderstanding of the functionality of the force option in Ansible’s apt module.

Mitigation

The fix here is to remove the force option such that signature verification occurs.

@redshiftzero
Contributor Author

Fixed in SecureDrop 0.4.4 in commit e4e268d

@heartsucker
Contributor

We just got a support email that had this line in an ansible error:

There are problems and -y was used without --force-yes

when installing a package. I have seen this before at work and am almost 100% sure this is why force: yes was added in the first place, because I've seen ops guys add force: yes to "just make fricken ansible work."

I know this ticket is closed, but I'm putting this here as a note.

@sylvaintwp

Please re-open this issue.

We conducted a test install of 0.4.4; attached are the logs. The NTP package couldn't be authenticated on mon, and appeared to have successfully installed on app (or did it simply not install as a result of the mon error??).
sd-admin-install.run.2.log

I have opened a separate issue to document the failure to download the 'securedrop-keyring' package, also reported as a failure in the logs (to be attached shortly.)

Kindly expedite fixes to the release. Thanks!
Uploading sd-admin-install.run.2.log…

@heartsucker
Contributor

Hey @sylvaintwp. This is actually the exact issue that we opened this issue to solve: to never use force: yes on the apt module. Adding this back in would be a huge security hole. The failure you are seeing should be opened as a separate issue so we can solve the problem of the package failing to install using the safe case of force: no.
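
A check that would catch this class of regression in review or CI, as an added example that is not part of the original thread or of SecureDrop's code: it flags Ansible apt tasks that set `force` (which maps to apt-get's `--force-yes` and implies `allow_unauthenticated`) or `allow_unauthenticated` to a truthy value, in both block and inline `key=value` form. The function names and the sample tasks are constructed for illustration, and the scan is line-oriented rather than a full YAML parse.

```python
import re

# apt-module options that disable package authentication (force = apt-get --force-yes).
RISKY = ("force", "allow_unauthenticated")
TRUTHY = {"yes", "true", "on", "1"}
APT_KEY = re.compile(r"^(\s*(?:-\s+)?)(?:ansible\.builtin\.)?apt\s*:(.*)$")

# Constructed sample tasks (not taken from the SecureDrop repository).
SAMPLE = """\
- name: Install tor (block form, unauthenticated)
  apt:
    name: tor
    force: yes
- name: Install ntp (inline form, unauthenticated)
  apt: name=ntp state=present force=yes
- name: Install ntp (signatures verified)
  apt:
    name: ntp
    force: no
"""

def risky_options(text):
    """Return the risky options that are set to a truthy value in text."""
    found = []
    for opt in RISKY:
        m = re.search(r"(?<![\w-])%s\s*[:=]\s*['\"]?(\w+)" % opt, text)
        if m and m.group(1).lower() in TRUTHY:
            found.append(opt)
    return found

def find_unauthenticated_apt(playbook_text):
    """Return [(line_number, option)] for apt tasks that skip verification."""
    findings, apt_col = [], None  # apt_col: column of the current "apt:" key
    for lineno, raw in enumerate(playbook_text.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = APT_KEY.match(line)
        if m:
            apt_col, text = len(m.group(1)), m.group(2)
        elif apt_col is not None and len(line) - len(line.lstrip()) > apt_col:
            text = line  # a parameter nested under the apt: key
        else:
            apt_col = None  # left the apt mapping
            continue
        findings += [(lineno, opt) for opt in risky_options(text)]
    return findings

if __name__ == "__main__":
    print(find_unauthenticated_apt(SAMPLE))
```
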
