Date: Wed, 7 Mar 2018 14:34:06 +0100
From: Raphael Geissert <atomo64@...il.com>
To: Open Source Security <oss-security@...ts.openwall.com>
Cc: security@...e.de, avi.miller@...il.com
Subject: Portus, missing certificate validation on proxified https traffic

Hi,

Taking another look at portus, this time at the nginx sample
configuration[1], I noticed that it doesn't enable certificate
validation of the proxified traffic that is forwarded to portus and
registry.

Given that the documentation claims the examples are of "A
production-ready setup where all communication is encrypted."[2], I
plan to request a CVE id.

The details:

The example nginx configuration is based on running nginx as a
reverse-proxy of portus and (docker) registry. The docker-compose
provided along the nginx config sets up a certificate[3] for both
components (first smell: only one certificate).

The one and only certificate is also configured on the reverse proxy,
and a decent cipher list, among other security-related HTTP headers,
is set up.

But there's not a single proxy_ssl_* directive in the whole nginx
configuration (second smell), meaning that proxy_ssl_verify is off
(the nginx default).

Has anyone reviewed portus? This is the second missing certificate
verification I noticed.

CC'ing the SUSE security team.

Oh, and it appears that this one comes from the
Portus-On-OracleLinux7[4] repo from which "[they] borrowed a lot of
the NGinx configuration"[2]:
https://github.com/Djelibeybi/Portus-On-OracleLinux7/blob/f2e7a167f6325a0247eb1ca49a962478daf49a8b/nginx/proxy.conf#L57

CC'ing Avi Miller.

[1]https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/nginx/nginx.conf
[2]https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/README.md
[3]https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/docker-compose.yml#L21
[4]https://github.com/Djelibeybi/Portus-On-OracleLinux7


Cheers,
-- 
Raphael Geissert
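The configuration shape the report describes, beside a hardened form, as an added example (this is not the nginx.conf from SUSE/Portus or from Portus-On-OracleLinux7, and the hostnames, ports and certificate paths are assumptions). The first server block exists only to show the defect: nginx terminates TLS from the client and re-encrypts towards the upstream, but because no proxy_ssl_* directive is present, the nginx default `proxy_ssl_verify off` applies and any certificate presented by whatever answers on the upstream address is accepted. The second block turns verification on and pins the trust anchor; the two blocks use different server_name values so the file as a whole still passes `nginx -t`.

```nginx
# Added example, not Portus' or Portus-On-OracleLinux7's configuration.
# registry.example.com, weak.example.com, the upstream names portus:443 and
# registry:5000 and the /etc/nginx/certs/ paths are assumptions.

# --- Weak form: TLS to the client, TLS to the upstream, but no
# proxy_ssl_* directive, so proxy_ssl_verify is off (nginx default) and the
# upstream certificate is never checked. A host that can answer for
# "portus" or "registry" (DNS, ARP, a compromised container) is accepted.
server {
    listen 443 ssl;
    server_name weak.example.com;                          # assumed name

    ssl_certificate     /etc/nginx/certs/portus.crt;       # assumed path
    ssl_certificate_key /etc/nginx/certs/portus.key;       # assumed path

    location / {
        proxy_pass https://portus:443;                     # assumed upstream
        proxy_set_header Host $http_host;
    }

    location /v2/ {
        proxy_pass https://registry:5000;                  # assumed upstream
        proxy_set_header Host $http_host;
    }
}

# --- Hardened form: the same proxying, with the upstream certificate
# verified against a pinned trust anchor. The compose example issues one
# certificate for both components; a self-signed certificate is its own
# trust anchor, so the same file can serve as proxy_ssl_trusted_certificate.
# If a private CA issued it, point proxy_ssl_trusted_certificate at the CA
# certificate instead.
server {
    listen 443 ssl;
    server_name registry.example.com;                      # assumed name

    ssl_certificate     /etc/nginx/certs/portus.crt;       # assumed path
    ssl_certificate_key /etc/nginx/certs/portus.key;       # assumed path

    # Applies to every proxy_pass https:// in this server block.
    proxy_ssl_verify              on;
    proxy_ssl_trusted_certificate /etc/nginx/certs/portus.crt;  # assumed path
    proxy_ssl_protocols           TLSv1.2 TLSv1.3;
    proxy_ssl_session_reuse       on;

    location / {
        proxy_pass https://portus:443;                     # assumed upstream
        # Name checked against the certificate's SAN/CN. By default nginx
        # uses the proxy_pass host ("portus"); if the certificate was not
        # issued for that compose service name, set the name it was
        # issued for (assumed here) or verification fails at every request.
        proxy_ssl_name        registry.example.com;
        # Send SNI so an upstream serving several names picks the right cert.
        proxy_ssl_server_name on;
        proxy_set_header Host $http_host;
    }

    location /v2/ {
        proxy_pass https://registry:5000;                  # assumed upstream
        proxy_ssl_name        registry.example.com;
        proxy_ssl_server_name on;
        proxy_set_header Host $http_host;
    }
}
```

Two checks are worth running. Statically, `grep -n 'proxy_pass https://' nginx.conf` against `grep -n proxy_ssl_verify nginx.conf` reproduces the report's second smell: any https upstream with no `proxy_ssl_verify on` in scope is unverified. Functionally, point one upstream at a host presenting a certificate for a different name (or self-signed with a key the proxy does not trust): the weak block keeps serving, while the hardened block answers 502 and nginx's error log records an upstream SSL certificate verify error. Note that `proxy_ssl_verify on` without `proxy_ssl_trusted_certificate` does not verify against the system CA store; nginx only trusts what that directive names.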
