Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 25 Aug 2018 20:56:59 -0400
From: Phil Pennock <oss-security-phil@...dhuis.org>
To: oss-security@...ts.openwall.com
Cc: Jakub Wilk <jwilk@...lk.net>
Subject: Re: Travis CI MITM RCE

On 2018-08-25 at 23:49 +0200, Jakub Wilk wrote:
> The new code looks like this:
> 
>    apt-key list | awk -F'[ /]+' '/expired:/{printf "apt-key adv --recv-keys --keyserver keys.gnupg.net %s\\n", $3}' | sudo sh
...
>   $ apt-key list | grep -A1 -w A15703C6
>   pub   4096R/A15703C6 2016-01-11 [expires: 2020-01-05]
>   uid                  MongoDB 3.4 Release Signing Key <packaging@...godb.com>

As a security/scalability aside which might amuse and/or cause
face-palming: I used to run an SKS keyserver in the pool; one time, when
debugging, I enabled request logging ...

Well over 50% of all requests were for that one key.

I'm not the only one to have noticed and I know that I was not alone
amongst keyserver operators in being annoyed that a free service to the
community was suddenly being hammered by one actor.  I recall discussing
with at least one person either blacklisting the key or the IP addresses
used frequently for that key.

The keyservers are a swamp; if you want to include one key, then include
the key as static data in your builds/CI configuration, so that it's
coming from a trusted source each time: your own data.

If you're building infrastructure which needs to get data from off-site,
then consider whether or not you can provide template directives which
people can include in their command lists, and you then populate the
template with the correct current commands for that directive.  Eg, if
I'm talking to Docker inside Circle CI, I don't set a bunch of variables
myself, I just say `setup_remote_docker` and let Circle CI figure out
which commands should be run.  For "everything is a shell command"
setup, then perhaps `$CICMD_APT_KEYS_UPDATE` could be made available.
Or `"${CICMD_APT_KEYS_UPDATE[@]}"` if even more constrained.

-Phil

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.