|
|
Subscribe / Log in / New account

Fedora account system (FAS) potential information disclosure

[Posted May 9, 2013 by jake]

From:  Robyn Bergeron <rbergero-AT-redhat.com>
To:  announce-AT-lists.fedoraproject.org
Subject:  fedoraproject.org Account System (FAS) security issue.
Date:  Thu, 9 May 2013 12:18:18 -0400 (EDT)
Message-ID:  <902275792.69089123.1368116298385.JavaMail.root@redhat.com>

Greetings.

A bug has been discovered in the Fedora Account system that could have
exposed some sensitive information to logged in users.

The bug is around the group view function of the account system. 

The bug has been present since 2008.

In order to view the private data, a attacker would have to:

* login to the account system with a valid FAS account.
* Go to a group with unapproved members
* manipulate the URL to get a json version of the unapproved members
  list.

The information exposed could include the following from unapproved
members of a group:

* salted sha512 encrypted password
* security questions (plaintext)
* security answers, however they would be gpg encrypted.
* Possibly other account data that was marked 'private' if the user had
  privacy set.

A hotfix for this bug has been made in our infrastructure,      
and a upstream release with the fix is expected later today.

Review of logs has shown no cases where this bug was used in our
production account system, however our staging version was also
vulnerable and we are unable to confirm the information was not
accessed there. Moving forward, additional logging will be added to our
staging infrastructure.

We recommend (but do not require) that all users take this time to
change their passwords, update their security questions/answers and 
review their other account information.


-Robyn Bergeron
-- 
announce mailing list
announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/announce

to post comments

Fedora account system (FAS) potential information disclosure

Posted May 10, 2013 3:03 UTC (Fri) by therealmik (guest, #87720) [Link] (18 responses)

I guess I'll ask my mother to change her maiden name and rename my long-deceased dog then.

Fedora account system (FAS) potential information disclosure

Posted May 10, 2013 3:22 UTC (Fri) by rahulsundaram (subscriber, #21946) [Link] (16 responses)

you can change both your question and answer on the site. tip: don't give real answers to such questions. they might be guessable.

Fedora account system (FAS) potential information disclosure

Posted May 10, 2013 4:54 UTC (Fri) by pabs (subscriber, #43278) [Link] (13 responses)

tip: use a password generation scheme for those. Appropriate ones are diceware or just long strings of random characters. Obviously these are less easy to remember so write them down and put the results in your safe.

Fedora account system (FAS) potential information disclosure

Posted May 10, 2013 6:05 UTC (Fri) by geofft (subscriber, #59789) [Link] (8 responses)

I'm a fan of `openssl rand -base64 12` for this purpose. It doesn't have the theoretical strength of _physical_ diceware, but you've got to trust the computer you're typing these things in on anyway.

Fedora account system (FAS) potential information disclosure

Posted May 10, 2013 9:16 UTC (Fri) by oever (guest, #987) [Link] (7 responses)

I use a small script into which i paste some random text from an open webpage or document or console history:
==
#!/bin/bash
cat|openssl dgst -sha1 -binary |base64|cut -b1-10
==
End the input by pressing <enter>, <ctrl-d>.
That results in passwords like this:
WDApLI1IKg
W7yWzBfWp+
4sTBQMICCa

Fedora account system (FAS) potential information disclosure

Posted May 10, 2013 12:57 UTC (Fri) by dskoll (subscriber, #1630) [Link] (6 responses)

I use Perl code similar to this to generate random passwords: 

$pattern = '[A-HJ-NP-Za-hjkmnpqrstuvwxyz2-9]';
open IN, "</dev/urandom" or die "Can't open /dev/urandom: $!";
$pw = '';
while(1) {
    sysread(IN, $char, 1);
    next unless $char =~ /^${pattern}$/;
    $pw .= $char;
    last if length($pw) >= $length;
}
print "$pw\n";

Fedora account system (FAS) potential information disclosure

Posted May 10, 2013 15:38 UTC (Fri) by SEJeff (guest, #51588) [Link] (5 responses)

You know, pwgen is also pretty awesome and is in the package repos of virtually every disto in existence.

$ pwgen -s 15 -1
l3zDjPFUpbUDsI6

For more human friendly ones:
$ pwgen -B -1 10
iiPh3Ephae

Fedora account system (FAS) potential information disclosure

Posted May 10, 2013 16:51 UTC (Fri) by dskoll (subscriber, #1630) [Link]

Yes; I wrote my pwgen before I was aware of the real pwgen. I will probably switch over to it.

Fedora account system (FAS) potential information disclosure

Posted May 11, 2013 5:06 UTC (Sat) by lindi (subscriber, #53135) [Link] (3 responses)

The problem with pwgen is that not all passwords are equally probable. Try generating a few million passwords and see how certain passwords tend to offer more commonly than others.

Fedora account system (FAS) potential information disclosure

Posted May 13, 2013 15:25 UTC (Mon) by bfields (subscriber, #19510) [Link]

Yeah, looks like it's choosing from a pretty small space of passwords; wonder how long they need to be to have a reasonable amount of entropy?

Fedora account system (FAS) potential information disclosure

Posted May 14, 2013 6:15 UTC (Tue) by salimma (subscriber, #34460) [Link]

There's also pwmake, but there the problem is the passwords generated might contain characters that are rejected by poorly-designed programs.

Fedora account system (FAS) potential information disclosure

Posted May 31, 2013 3:41 UTC (Fri) by pabs (subscriber, #43278) [Link]

If you use the -s option it uses /dev/random to generate passwords. Maybe that should be the default?

Fedora account system (FAS) potential information disclosure

Posted May 13, 2013 22:28 UTC (Mon) by rahvin (guest, #16953) [Link] (3 responses)

If you can't remember it you are doing it wrong. I'm an advocate of phrases that you remember and mean something only to you, use appropriate capitalization and punctuation and you will more than likely have a stronger security than even the most complicated of passwords. The passphrase(s) I've started using exceed 20 characters and is very easy to remember, fast to type and I don't have the risk of pieces of paper laying around that compromise the security or can get lost.

I stopped using passwords when I started grep'ing the ones I use commonly against the big password lists that you can use with John the Ripper. I found most of my obscure passwords are in the list with slight variations. Though a nice random one is probably secure, it's darn near impossible to remember. We need to do away with the password and open the field up to 255 characters so people can start using easy to remember phrases.

Fedora account system (FAS) potential information disclosure

Posted May 14, 2013 0:07 UTC (Tue) by paulj (subscriber, #341) [Link] (1 responses)

So long as we have pass-words/phrases, we need to remember 2 constraints:

a) Most of us can't remember more than a few of them

b) Passwords should not be re-used across accounts, other than in the few exceptional cases that have identical security risks/consequences.

Given we tend to have dozens of pass-word/phrase secured accounts, this implies:

* We must reserve passwords that we commit to memory for a select few accounts - the most sensitive ones (banking? the email account that you register with, which any "password reset" emails will be sent to?)

* The rest of the passwords, for the less sensitive accounts, must be recorded somewhere, for we can not remember them (use the password saving feature of your browser? write them down on paper and keep that somewhere safe?)

Writing down passwords is, despite the advice of some well-meaning security "experts", not only acceptable, but may be more effective and keep you more secure. For it can allow you to choose truly random passwords for the vast majority of accounts.

Fedora account system (FAS) potential information disclosure

Posted May 14, 2013 7:09 UTC (Tue) by jezuch (subscriber, #52988) [Link]

> a) Most of us can't remember more than a few of them

Make the passphrase describe the site you're trying to log in, in a way that only your unique way of thinking could make up. And do it in an obscure language. My choice is la.lojban. ;)

Fedora account system (FAS) potential information disclosure

Posted May 31, 2013 3:48 UTC (Fri) by pabs (subscriber, #43278) [Link]

The advantage of Diceware is that the generated passwords are completely random, contain enough entropy and are fairly memorable:

https://xkcd.com/936/

Adding capitalization and punctuation makes passphrases harder to remember. Especially in stressful situations.

I agree that passphrases need to be gotten rid of. The only appropriate use for them is in a local context; login passphrases and passphrases used for the decryption of secret keys stored locally (LUKS, GPG, SSH etc). Even those need to be long, memorable and random.

Fedora account system (FAS) potential information disclosure

Posted May 10, 2013 9:13 UTC (Fri) by k8to (guest, #15413) [Link] (1 responses)

In other words, you have a password, and if you forget it you have an additional password you're more likely to have forgotten.

Red Hat should be smarter than to fall for anti-security like this.

Fedora account system (FAS) potential information disclosure

Posted May 10, 2013 9:36 UTC (Fri) by johannbg (guest, #65743) [Link]

Fedora != Red Hat...

Fedora account system (FAS) potential information disclosure

Posted May 10, 2013 10:09 UTC (Fri) by Wol (subscriber, #4433) [Link]

If it's an important account, I use trick questions anyway. The correct answer is the wrong answer ... or use a question with multiple correct answers, I have four grans so "what's my gran's maiden name?"

Cheers,
Wol


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds