Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 13 Jun 2018 21:05:36 +0530
From: Lets Secure <is3curi5@...il.com>
To: oss-security@...ts.openwall.com
Subject: Third Party Code Signing Vulnerability in Squirrel & Sparkle

Based on the recent disclosure at
https://www.okta.com/security-blog/2018/06/issues-around-third-party-apple-code-signing-checks/

The Squirrel
<https://github.com/Squirrel/Squirrel.Mac/blob/e9e2188cda3efb4bc08b1719bdef71880f9dc9b1/Squirrel/SQRLCodeSignature.m#L127>
&
Sparkle
<https://github.com/sparkle-project/Sparkle/blob/d19c98a8771e6a38766199bb96654de5d8c3efb2/Sparkle/SUCodeSigningVerifier.m#L98>
 framework also doesn't perform strict validation to check nested
architecture and revocations & validity of the signer cert and can
essentially result in bypassing the code sign validations.

*Squirrel*
SQRLCodeSignature.m#L127
result = SecStaticCodeCheckValidityWithErrors(staticCode,
kSecCSCheckAllArchitectures, (__bridge SecRequirementRef)self.requirement,
&validityError);

SecStaticCodeCheckValidityWithErros is called without flags -
kSecCSDefaultFlags
| kSecCSCheckNestedCode | kSecCSCheckAllArchitectures |
kSecCSEnforceRevocationChecks

Also, it lacks checks for chain of trust across nested binaries in Fat
file.
i.e. missing this code:
SecRequirementCreateWithString(CFSTR("anchor apple"), kSecCSDefaultFlags,
&requirementRef);

*Sparkle*
SUCodeSigningVerifier.m#L98
SecCSFlags flags = (SecCSFlags) (kSecCSDefaultFlags |
kSecCSCheckAllArchitectures);
result = SecStaticCodeCheckValidityWithErrors(staticCode, flags, NULL,
&cfError);

The flags should have been set with:
SecCSFlags flags = (SecCSFlags) (kSecCSDefaultFlags | kSecCSCheckNestedCode
| kSecCSCheckAllArchitectures | kSecCSEnforceRevocationChecks)

But, that's not the case with Sparkle.

Best Regards!

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.