Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 15 Jun 2011 10:11:55 +0200
From: Bernhard Reiter <bernhard@...evation.de>
To: Josh Bressers <bressers@...hat.com>
Cc: oss-security@...ts.openwall.com,
 Tomas Mraz <tmraz@...hat.com>,
 "Steven M. Christey" <coley@...us.mitre.org>,
 Werner Koch <wk@...code.com>
Subject: Re: CVE Request / Discussion -- dirmngr -- Improper dealing with blocking system calls, when verifying a certificate

Dear Jan, Gentlemen,

thanks for caring about the issue, here is my input:

Am Montag, 6. Juni 2011 19:42:10 schrieb Josh Bressers:
> > IOW was not able to reproduce the complete / indefinite dirmngr-client
> > hang (thus blocking other clients from access). As noted in [6], it is
> > true that during small time period running 'dirmngr' daemon instance is
> > unresponsive also for '--ping' (dirmngr-client --ping) commands, but
> > after finite time (~21 seconds in my test) the connection ends up with
> > timeout.
> >
> > Though Bernard in:
> > [7] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377#5
> >
> > mentions "For example the KMail hung when trying to verify a signature
> > which has the certificate in the chain." which would suggest there may
> > exist clients / end-user application not able to recover from this bug
> > properly. Bernhard, hopefully here, you could clarify / list such
> > applications and provide also time details, how long that hang of such
> > applications took.

For me the verification of the certiciate DTAG_Issuing_CA_i01.der 
hangs for several minutes, e.g. just tested on Debian Lenny
for three minutes:
real    3m9.237s
user    0m0.000s
sys     0m0.004s
The time might depend on some network parameters or network timeouts
of the operating system. I have not changed these on my test system,
but I am also not very knowledgable about the various timeouts.

Three minutes are way too much. People that use Kontact will experience a 
freeze of the application for that time and must assume their client
application to be hung or crashed. Given that Kontact is also a calender
and contacts manager, this causes significant interruptions in a typical 
office.

Applications affected are all applications that use dirmngr in a blocking
way. Applications use dirmngr when they are trying to use the GnuPG crypto 
stack with CMS operations (aka X509 certificated, e.g. used with S/MIME 
emails or similar file crypto operations) and use of dirmngr is not 
explicitely switched off. The default is to use dirmngr for certification 
revocation on all CMS operations that involve certificates.

The application I have tested is KMail/Kontact which uses GnuPG via the 
library gpgme, which is the recommended way. Command line usage of gpgsm is 
also affected, which I have also verified.

> > Based on your reply, this may not / may be worthy (in case there are
> > such end-user applications) of an CVE identifier.
>
> Is this expected to only be used by end user applications?

Gpgsm or gpgme can be used by system scripts, other scripts or system 
applications as well. Dirmngr itself is a system service, so on a multiuser 
system all users are affected once one user tries a verification waiting 
for a network timeout.

> It seems to me 
> that if an attacker can DoS a client, it's not a security issue, especially
> when you consider the use (if a bad guy can interact with dirmngr, there
> are probably bigger potential issues).

Two attack scenarios:
a) a local uses wants to block other users from using email or crypto 
operations, like encrypting or verifying signatures to someone. This user can 
just initiate this verification with the system dirmngr. Any user of a system
should be able to ask the system dirmngr for verifications. So all users have 
access.

b) A remote user wants to cause interruptions and sends signed emails or files
that causes an gpgsm to attempt to decrypt or verify with such a certificate. 
This will often be done automatically by the email clients for the comfort of 
the user. As gpgsm and thus dirmngr is needed to decide if a signature is 
good, attackers can assume that emails with such a signature will be passed 
to gpgsm who will pass the certificate to dirmngr and ask for verification.
So it is a normal situation that outside data will reach dirmngr.

Best Regards,
Bernhard Reiter

-- 
Managing Director - Owner: www.Intevation.net       (Free Software Company)
FSFE.org: Founding GA Member.  Kolabsys.com: Board Member
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

Download attachment "smime.p7s" of type "application/pkcs7-signature" (3696 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.