Security
Python decides for certificate validation
Python offers library functions for establishing secure HTTPS connections between a client and server, but few users are aware that those routines suffer from what some would deem a fatal flaw. By default, Python does not check the validity of the SSL/TLS certificate presented by remote servers, which leaves users vulnerable to man-in-the-middle attacks. The project recently decided to correct this shortcoming, although there was considerable disagreement about whether doing so would break existing applications—and, if it does, whether or not such breakage is acceptable in light of the potential security threat.
On August 29, Alex Gaynor posted Python Enhancement Proposal (PEP) 476 to the Python development list. Currently, he explained, the standard Python library does not actually check that the server in an HTTPS connection has an SSL/TLS certificate that is signed by a certificate authority (CA) in any trust root (such as the operating system's certificate database), and it does not check that the Common Name on the certificate matches the server name. The result, of course, is that all programs using the standard library are vulnerable to man-in-the-middle attacks—and, moreover, users are not made aware of this vulnerability. The application developer may reasonably expect that if the SSL/TLS connection is established, then all of the proper steps were taken during the handshake and setup stages. If the user notices the connection at all, he or she, understandably, might also assume it was established securely.
The fix proposed by Gaynor in PEP 476 is straightforward. Python would attempt to verify the certificate presented by the server by querying the system's certificate database. Failure to locate the database would be handled by raising an exception. For situations where an unverified certificate should be trusted (e.g., a self-signed certificate, which would not be signed by a certificate in the system's database), developers (or users) would be able to manually modify their application to accept the certificate.
Earlier proposals had suggested bundling a certificate database into Python (specifically, Mozilla's). But relying on the system's database removes the necessity for Python maintainers to keep their copy of the database up to date, and it simplifies matters for corporate Python deployments that include internal CAs in their system databases.
Gaynor's original proposal suggested making the fix in both Python 3 and Python 2, although the specifics of that part of the plan later became a far more involved debate.
Defaults
The list participants were overwhelmingly in support of PEP 476, with one small caveat: the original PEP wording suggests that the change should be enacted immediately, changing the default behavior in the next Python release. Marc-Andre Lemberg, among others, pointed out that a transition plan would be wiser than introducing a backward-incompatible change without warning. He suggested adding certificate-validation failures as a warning in 3.5, then making them an exception in 3.6. In addition, he suggested making it possible to turn the validation behavior off with a command-line switch or environment variable, and perhaps making it possible to pass in certificates not in the system's trust store from the command line.
The primary justification for allowing such workarounds is that real-world Python applications tend not to be deployed in pristine network conditions: corporate intranets, embedded devices, and third-party content-delivery networks all routinely sport problematic security settings. Users may not be able to modify the Python code in question, nor to add certificates to the operating system's trust store. As Nick Coghlan observed, corporate intranets may be rife with internal servers running HTTPS because of company-wide edicts that have little connection to the intranet's real security needs.
In addition, Python developers have a real need to test their code with self-signed certificates at times. Providing a workaround allows the developer to test the application in more normal conditions—in essence, not triggering exceptions caused by the network environment. But in such cases, installing a self-signed certificate into the operating system's trust store is rarely the ideal approach.
Few parties in the discussion, however, thought that allowing validation checks to be bypassed by a command-line switch or environment variable was a safe approach. There are just too many ways such a feature could be exploited, not to mention the temptation that would exist for developers to misuse the switch and write code that depends on it.
Christian Heimes suggested one possible solution: making site-wide configuration for certificate validation possible through an "sslcustomize" module akin to the existing sitecustomize. It would allow corporate system administrators to properly configure machines for the vagaries of the intranet, as well as allow individual users to add a personal certificate store to the validation process (without necessarily modifying the platform's built-in certificate database). Heimes's plan seemed reasonable to others, although Coghlan eventually decided that it deserved to be written up as a separate PEP, since many of its potential uses are orthogonal to the specifics of PEP 476.
When to throw the switch
Implementing a flexible method for users to tweak SSL behavior to
fit the peculiarities of their network answers many of the questions
about how Python should transition to a validate-by-default
stance, but it does not address when such a change should be
rolled out. Donald Stufft argued in
favor of moving the change up from the 3.5 release to the next update
for 3.4, noting that "otherwise itβs going to be 2.5+ years
until we stop being unsafe by default.
"
Specifically, Stufft suggested introducing certificate-validation warnings in Python 3.4.2, and changing the default behavior (thus throwing exceptions for validation failures) in 3.5. Not everyone was on board with that time frame; Glyph Lefkowitz argued against the need for a one-cycle warning period, saying that Twisted implemented a similar fix in 14.0, without warning, and had literally received no complaints from its users.
At the crux of the timing question, of course, is determining what Python's responsibility is when users' code stops functioning because of an untrusted SSL/TLS certificate. The responsibility is crystal-clear when the untrusted certificate is actually a man-in-the-middle attack, of course: users need to be alerted to the security threat without delay. But things are more nebulous, again, when the corporate intranet deployment is considered.
The consensus that emerged was that Heimes's sslcustomize solution is viable for Python 3 users, but it soon became apparent that there was a push to backport the fix to Python 2 as well. As Coghlan pointed out, Python 2's status as a maintenance release mandates an even better migration strategy: introducing a break in backward-compatibility is a far worse move in an maintenance branch (particularly one with a large installed base).
Lefkowitz again advocated an
immediate switch-over, saying "this is not a break in backwards
compatibility, it's a bug fix. Yes, systems might break, but that
breakage represents an increase in security which may well be
operationally important.
" Antoine Pitrou disagreed with that notion, responding: "saying it
doesn't make it magically true. Besides, it can perfectly well be a
bug fix *as well as* a break in backwards compatibility. Which is why
we sometimes choose to fix bugs only in the feature development
branch.
"
There were, of course, several parties in each camp, which led to a rather lengthy discussion. Ultimately, though, the backport camp managed to convince Guido van Rossum, effectively ending the debate. Van Rossum decided that certificate validation by default should be backported to the next Python 2.7 release:
Heimes pointed out that the next 2.7 release (which would be numbered 2.7.8) was not a viable option, since there would not be any way to support a workaround for self-signed and intranet certificates. A fix for that issue is underway, but it will not land until Python 2.7.9. Van Rossum agreed, but reiterated his decision that the validate-by-default behavior should be ported to the next possible Python 2.7 update—that update will simply be one or two releases later.
As it stands now, then, the 3.4.2 release will issue warnings when an SSL/TLS certificate does not validate. In addition, 3.4.2 will add a simple workaround (described by Coghlan) for code needing to bypass certificate validation: urllib.request.urlopen() will support a new "SSL context" parameter with which developers can opt-in to the old behavior on a per-call basis. The exact details are still under discussion, naturally, but such a bypass operation might look like:
urllib.request.urlopen(context=ssl._create_unverified_context())
as one example described it. An officially recommended monkeypatching fix has also been discussed, which would be used to tweak application behavior. 3.5 will introduce the more full-featured sslcustomize module. "SSL Context" will also be added to Python 2.7.9 and, assuming that goes well, certificate validation could be switched on by default as early as 2.7.10.
In all likelihood, there will be users (and perhaps developers) whose first encounter with any of this work will be when they have a previously working Python application unexpectedly fail with a scary-looking exception about untrusted security certificates. Some of those exceptions will be fixable with workarounds, albeit frustrating ones. But the point of the whole endeavor is that there will be other exceptions, too: users who have been exposed to bad or even malicious SSL/TLS servers and simply never heard about it in the past.
Brief items
Security quotes of the week
So the only question any team of government executives working on defense needs to be thinking about is "How is this different from Anti-Virus in the long term? How can we avoid making that mistake ever again?" Because until you know how that mistake was made, and can avoid it for the next generation, "Emerging and Evolving" threats will always be beyond your power to stop.
The OpenSSL security policy
The OpenSSL project has posted a policy document describing how it intends to respond to security incidents. "There are actually not a large number of serious vulnerabilities in OpenSSL which make it worth spending significant time keeping our own list of vendors we trust, or signing framework agreements, or dealing with changes, and policing the policy. This is a significant amount of effort per issue that is better spent on other things."
New vulnerabilities
acpi-support: privilege escalation
| Package(s): | acpi-support | CVE #(s): | CVE-2014-0484 | ||||
| Created: | September 10, 2014 | Updated: | September 10, 2014 | ||||
| Description: | From the Debian advisory:
During a review for EDF, Raphael Geissert discovered that the acpi-support package did not properly handle data obtained from a user's environment. This could lead to program malfunction or allow a local user to escalate privileges to the root user due to a programming error. | ||||||
| Alerts: |
| ||||||
apache: access restriction bypass
| Package(s): | apache | CVE #(s): | CVE-2013-5704 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 5, 2014 | Updated: | August 4, 2015 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Mandriva advisory: The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass RequestHeader unset directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states this is not a security issue in httpd as such. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
glibc: multiple vulnerabilities
| Package(s): | glibc | CVE #(s): | CVE-2012-6656 CVE-2014-6040 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 5, 2014 | Updated: | March 6, 2015 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Madriva advisory: When converting IBM930 code with iconv(), if IBM930 code which includes invalid multibyte character 0xffff is specified, then iconv() segfaults (CVE-2012-6656). Crashes were reported in the IBM code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364) (CVE-2014-6040). | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
kernel: two vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2014-0205 CVE-2014-3535 | ||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 10, 2014 | Updated: | October 8, 2014 | ||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
A flaw was found in the way the Linux kernel's futex subsystem handled reference counting when requeuing futexes during futex_wait(). A local, unprivileged user could use this flaw to zero out the reference counter of an inode or an mm struct that backs up the memory area of the futex, which could lead to a use-after-free flaw, resulting in a system crash or, potentially, privilege escalation. (CVE-2014-0205) A NULL pointer dereference flaw was found in the way the Linux kernel's networking implementation handled logging while processing certain invalid packets coming in via a VxLAN interface. A remote attacker could use this flaw to crash the system by sending a specially crafted packet to such an interface. (CVE-2014-3535) | ||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||
kernel: unspecified vulnerabilities
| Package(s): | kernel | CVE #(s): | |||||
| Created: | September 5, 2014 | Updated: | September 10, 2014 | ||||
| Description: | The Oracle advisory was marked as a security update but did not specify any vulnerabilities that it fixed. | ||||||
| Alerts: |
| ||||||
mariadb: multiple vulnerabilities
| Package(s): | mariadb | CVE #(s): | CVE-2014-4274 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 10, 2014 | Updated: | December 3, 2014 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat bugzilla [1, 2]:
The MySQL 5.5.39 and 5.6.20 releases fix an unspecified MyISAM temporary file issue: "MyISAM temporary files could be used to mount a code-execution attack. (Bug #18045646)" The MySQL 5.5.39 and 5.6.20 releases fix an unspecified certificate decoding issue in yaSSL: "yaSSL code had an off-by-one error in certificate decoding that could cause buffer overflow." | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
net-snmp: denial of service
| Package(s): | net-snmp | CVE #(s): | CVE-2014-3565 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 5, 2014 | Updated: | December 22, 2015 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Magei advisory: A remote denial-of-service flaw was found in the way snmptrapd handled certain SNMP traps when started with the "-OQ" option. If an attacker sent an SNMP trap containing a variable with a NULL type where an integer variable type was expected, it would cause snmptrapd to crash (CVE-2014-3565). | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
procmail: code execution
| Package(s): | procmail | CVE #(s): | CVE-2014-3618 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 5, 2014 | Updated: | September 25, 2014 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Debian advisory: Boris 'pi' Piwinger and Tavis Ormandy reported a heap overflow vulnerability in procmail's formail utility when processing specially-crafted email headers. A remote attacker could use this flaw to cause formail to crash, resulting in a denial of service or data loss, or possibly execute arbitrary code. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
python-elixir: information leak
| Package(s): | python-elixir | CVE #(s): | CVE-2012-2146 | ||||||||
| Created: | September 10, 2014 | Updated: | September 10, 2014 | ||||||||
| Description: | From the CVE entry:
Elixir 0.8.0 uses Blowfish in CFB mode without constructing a unique initialization vector (IV), which makes it easier for context-dependent users to obtain sensitive information and decrypt the database. | ||||||||||
| Alerts: |
| ||||||||||
webalizer: code execution
| Package(s): | webalizer | CVE #(s): | |||||
| Created: | September 10, 2014 | Updated: | September 10, 2014 | ||||
| Description: | From the Red Hat bugzilla:
A stack-based buffer overflow flaw was found in the way Webalizer, a flexible web server log file analysis program, performed import of its cache from certain tab files. A remote attacker could provide a specially-crafted tab file that, when imported would lead to wcmgr executable crash or, potentially, arbitrary code execution with the privileges of the user running the wcmgr binary. | ||||||
| Alerts: |
| ||||||
Page editor: Jake Edge
Next page:
Kernel development>>