Issue #1227

Updated by rbarlow over 8 years ago

Description updated. The current description (the CVE-2015-5263 advisory) and the original report it replaced were shown side by side; both are reproduced below.

Current description:

A security flaw (CVE-2015-5263) was discovered in Pulp's consumer management system. When the pulp-consumer CLI is used to register to a Pulp server, it downloads a public RSA key from the Pulp server and stores it locally. Later, when the Pulp server sends messages to the client through a message broker to instruct it to perform commands, it will use the corresponding private key to sign the messages. The client checks signatures before executing the instructions to ensure that the messages came from the Pulp server and not from an attacker.

Versions of pulp-consumer-client between 2.4.0 and 2.6.3 do not check the server's TLS certificate signatures when retrieving the server's public key upon registration:

https://github.com/pulp/pulp/blob/aa432bf58497b5e3682333b1d5f5ae4f45788a61/client_consumer/pulp/client/consumer/cli.py#L103

This allows a man in the middle to inject their own message signing key and to then perform administrative actions on the machine, if they are able to send messages through the message broker.

Austin Macdonald fixed this issue in this commit by using our pulp.bindings library as the rest of our CLI does:

https://github.com/pulp/pulp/commit/b542d7465f7e6e02e1ea1aec059ac607a65cefe7#diff-17110211f89c042a9267e2167dedd754

Users who do not use pulp-consumer are not affected by this issue.

Original description (replaced by the text above):

In 2.7.9+ the default SSL verification behavior switched to start validating SSL certs, which stops self-signed certs from being trusted. This was done through "PEP 476":https://www.python.org/dev/peps/pep-0476/. I was told in #python on Fedora that the default switch occurred in Python 2.7.9+. Fedora 22 is the first OS affected by this bug since it carries 2.7.10. Fedora 21 carries 2.7.8.

To reproduce, start with an empty pulp with no consumers and do the following:

1. Configure httpd to use a self-signed SSL crt
2. Verify you have Python >= 2.7.9 by showing the version: `python -V`
3. Register the pulp consumer as c1 by running: `sudo pulp-consumer -u admin -p admin register --consumer-id c1` and you'll see the following output:

<pre>
Download server RSA key failed [<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>]

Consumer [c1] successfully registered
</pre>

4. Notice that the registration did complete successfully, as also reported by pulp-consumer when I run: `sudo pulp-consumer status`

<pre>
This consumer is registered to the Pulp server [example.com] with the ID [c1].
</pre>

5. The consumer is registered but unusable. First ensure that goferd is running.

6. Now try to have the consumer install a package by running: `pulp-admin -u admin -p admin rpm consumer package install run -n screen --consumer-id=c1` which shows:

<pre>
Install task created with id [ 28fdb0b6-16f0-4147-9eae-b104119b06af ]

This command may be exited via ctrl+c without affecting the request.

[-]
Waiting to begin...
</pre>

7. I had to restart goferd, but after doing so I saw the messages were rejected because the rsa_key wasn't properly fetched due to the SSL error. You'll see this in the logs on the consumer:

<pre>
pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664) Task RMI (rejected): Rejected
pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664)     sn : 7695fedd-fb5c-45e0-adf0-1792634d23b5
pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664)     origin : None
pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664)     timestamp : 2015-09-02T19:30:52Z
pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664)     user data : {'task_id': 'c844b3f6-6b67-47db-b36d-8e1d18872cf4', 'consumer_id': 'c1'}
pulp[13724]: pulp.server.agent.direct.services:WARNING: (13724-65664) rejected
</pre>

https://github.com/pulp/pulp/blob/aa432bf58497b5e3682333b1d5f5ae4f45788a61/client_consumer/pulp/client/consumer/cli.py#L103

This is especially strange because verify_ssl = False in my config file. I expect verify_ssl = False to allow for the usage of untrusted certs like self-signed certs. Here are the contents of my ~/.pulp/consumer.conf

<pre>
[server]
verify_ssl: False
</pre>

Also the contents of my /etc/pulp/consumer/consumer.conf

<pre>
[server]
host = <my hostname>
port = 443
verify_ssl = False

[authentication]

[client]

[filesystem]

[reboot]

[logging]

[output]

[messaging]
host = <my hostname>
port = 5672

[profile]
</pre>
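As an added example (not Pulp's code and not part of the issue), the following shows the shape of the fix both halves of this issue call for: the registration-time download of the server's RSA key is given an explicit TLS context derived from the [server] section of consumer.conf, so verify_ssl = False is honoured as the reporter expected and, when verify_ssl is on, the peer certificate and hostname are actually checked instead of being skipped (the CVE) or checked against the wrong store (the Python 2.7.9 behaviour). The key URL path /pulp/static/rsa_pub.key, the ca_path option, the stand-in urlopen and the two sample config texts are constructed for this demonstration; the second sample turns verify_ssl on to contrast with the reporter's files.

```python
"""Added example, not Pulp's code: drive the RSA-key download at
registration from consumer.conf instead of a bare urlopen(url).
Assumed for the demo: the /pulp/static/rsa_pub.key path, a ca_path
option, and the constructed configs and urlopen stand-in below."""
import configparser
import io
import ssl
import urllib.request

# Constructed samples mirroring the two files quoted in the issue; the
# first uses "key: value", the second "key = value" (configparser takes
# both).  The second sample enables verification to show the contrast.
SAMPLE_HOME_CONF = """
[server]
verify_ssl: False
"""

SAMPLE_ETC_CONF = """
[server]
host = pulp.example.com
port = 443
verify_ssl = True
"""


def load_server_settings(conf_text):
    """Parse the [server] section. verify_ssl defaults to True (fail closed);
    ca_path is None when unset, meaning 'use the system trust store'."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    section = parser["server"] if parser.has_section("server") else {}
    verify = str(section.get("verify_ssl", "true")).strip().lower()
    return {
        "host": section.get("host", "localhost"),
        "port": int(section.get("port", "443")),
        "verify_ssl": verify in ("1", "true", "yes", "on"),
        "ca_path": section.get("ca_path") or None,
    }


def build_ssl_context(verify_ssl, ca_path=None):
    """verify_ssl=True: CERT_REQUIRED plus hostname check, trusting ca_path
    (a missing file raises, which is the right fail-closed outcome) or the
    system store.  verify_ssl=False: an explicitly unverified context, which
    is exactly the man-in-the-middle exposure the CVE describes, so it is
    only reachable through a deliberate setting, never by default."""
    if verify_ssl:
        return ssl.create_default_context(cafile=ca_path)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def peer_verification_enabled(ctx):
    """True when ctx rejects an unknown CA or a mismatched hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_server_rsa_key(settings, urlopen=urllib.request.urlopen,
                         path="/pulp/static/rsa_pub.key"):
    """Download the server's public key with the context the config asks
    for.  The vulnerable pattern was urlopen(url) with no context: before
    Python 2.7.9 that never verified the peer; from 2.7.9 it verified
    against the system store and ignored verify_ssl = False."""
    url = "https://%s:%d%s" % (settings["host"], settings["port"], path)
    ctx = build_ssl_context(settings["verify_ssl"], settings["ca_path"])
    with urlopen(url, context=ctx, timeout=30) as response:
        return response.read()


def constructed_urlopen(url, context=None, timeout=None):
    """Offline stand-in for urlopen: records the context it was handed and
    returns a constructed key body instead of talking to a server."""
    constructed_urlopen.last_context = context
    return io.BytesIO(b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED\n"
                      b"-----END PUBLIC KEY-----\n")


if __name__ == "__main__":
    for name, text in (("~/.pulp/consumer.conf", SAMPLE_HOME_CONF),
                       ("/etc/pulp/consumer/consumer.conf", SAMPLE_ETC_CONF)):
        settings = load_server_settings(text)
        key = fetch_server_rsa_key(settings, urlopen=constructed_urlopen)
        verified = peer_verification_enabled(constructed_urlopen.last_context)
        print("%s: verify_ssl=%s peer_verified=%s key=%d bytes"
              % (name, settings["verify_ssl"], verified, len(key)))
```

Swap constructed_urlopen for the default urllib.request.urlopen to run it against a real server; with verify_ssl on and a self-signed server certificate, the call then fails with CERTIFICATE_VERIFY_FAILED unless ca_path points at that certificate, and with verify_ssl off it succeeds but the downloaded key is only as trustworthy as the network path.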
