Security vulnerability: missing SSL hostname validation #339
Comments
Ideally, this should be addressed upstream in eventmachine core.. @sodabrew any thoughts on that? As an interim solution we could merge Faraday implementation into em-http. @agustingianni could you confirm that faraday implementation addresses the issue? |
|
CVE-2020-13482 has been assigned to this issue. Ilya, let me know when you are ready for me to test the Faraday changes and I will give it a sping. |
|
I'd be glad to upstream that, thanks for calling it out! |
|
@sodabrew great, I think that would be the best path forward and help resolve and prevent this same issue across a number of different libraries and services using EM. @agustingianni in theory you should be able to test with.. require 'rubygems'
require 'eventmachine'
require 'em-http'
## copy local instance from https://github.com/lostisland/faraday/commit/63cf47c95b573539f047c729bd9ad67560bc83ff#diff-2ffbfc9e78f3db69aad38b56f7decad1
require 'em_http_ssl_patch.rb'
urls = ARGV
if urls.size < 1
puts "Usage: #{$0} <url> <url> <...>"
exit
end
pending = urls.size
EM.run do
urls.each do |url|
http = EM::HttpRequest.new(url).get
http.callback {
puts "#{url}\n#{http.response_header.status} - #{http.response.length} bytes\n"
puts http.response
pending -= 1
EM.stop if pending < 1
}
http.errback {
puts "#{url}\n" + http.error
pending -= 1
EM.stop if pending < 1
}
end
end |
|
Fantastic, I will give it a try and will get back at you. Thank you. |
|
So I made some changes to actually trigger the validation code, basically I added I would advice to change the default value to Thank you all for addressing this issue, I think this will help This is the client I used for testing: require 'rubygems'
require 'eventmachine'
require 'em-http'
## copy local instance from https://github.com/lostisland/faraday/commit/63cf47c95b573539f047c729bd9ad67560bc83ff#diff-2ffbfc9e78f3db69aad38b56f7decad1
require './em_http_ssl_patch.rb'
urls = ARGV
if urls.size < 1
puts "Usage: #{$0} <url> <url> <...>"
exit
end
pending = urls.size
EM.run do
urls.each do |url|
http = EM::HttpRequest.new(url, ssl: {verify_peer: true}).get
http.callback {
puts "#{url}\n#{http.response_header.status} - #{http.response.length} bytes\n"
puts http.response
pending -= 1
EM.stop if pending < 1
}
http.errback {
puts "#{url}\n" + http.error
pending -= 1
EM.stop if pending < 1
}
end
end |
Closes #339, CVE-2020-13482 Credit to Mislav Marohnić for original implementation, merged from Faraday.
|
@agustingianni PR live that should, I believe, address the issue. I added an explicit warning that will get logged to STDERR if verify_peer is not set to true. Can you do another sanity check and confirm that it's working as intended, before I merge? @sodabrew alternatively, would it make sense to merge this or similar logic into EM core? |
|
Hello, yes of course. I will test it now and report back. |
|
LGTM! Thank you for fixing this! |
Closes #339, CVE-2020-13482 Credit to Mislav Marohnić for original implementation, merged from Faraday.
|
1.1.6 should be live on rubygems now, with this merged. Thanks again for the report and your help! |
fixes ConradIrwin#25 Based on: lostisland/faraday@63cf47c igrigorik/em-http-request#339 ** missing file
- igrigorik/em-http-request#339 - upgrade gems - require ruby 2.3 - bump to v2.1.0
ghost
mentioned this issue
Before this patch, ssl peers where not validated unless custom certificate were provided. This led to less strict security and annoying warnings from em-http library. See igrigorik/em-http-request#339. Now we properly take tls_verify_peer option (defaults to true) in consideration. This should increase security. Change-Id: I3620aa3de63e20976a204be45bce013d816acc52
Before this patch, ssl peers where not validated unless custom certificate were provided. This led to less strict security and annoying warnings from em-http library. See igrigorik/em-http-request#339. Now we properly take tls_verify_peer option (defaults to true) in consideration. This should increase security. Change-Id: I3620aa3de63e20976a204be45bce013d816acc52
GitHub Security Lab (GHSL) Vulnerability Report:
GHSL-2020-094Summary
Missing hostname validation allows an attacker to perform a man in the middle attack against users of the library.
Product
em-http-request
Tested Version
1.1.5
Missing SSL/TLS certificate hostname validation
em-http-request uses the library eventmachine in an insecure way that allows an attacker to perform a man in the middle attack against users of the library.
Impact
An attacker can assume the identity of a trusted server and introduce malicious data in an otherwise trusted place.
Remediation
Implement hostname validation.
Resources
To trigger the vulnerability, a simple TLS enabled listening daemon is sufficient as described in the following snippets.
Create a sample client with the following contents:
Run the example client to see a connection being performed in the listening daemon initialized in the previous steps.
$ ruby em-http-request-client.rb "https://test.coinbase.com"References
CWE-297: Improper Validation of Certificate with Host Mismatch
GitHub Security Advisories
We recommend you create a private GitHub Security Advisory for these findings. This also allows you to invite the GHSL team to collaborate and further discuss these findings in private before they are published.
Credit
This issue was discovered and reported by GHSL team member @agustingianni (Agustin Gianni).
The text was updated successfully, but these errors were encountered: