
1.5.3: The "NCSC release"

@ydahhrk ydahhrk released this 09 Nov 14:24
1.5.3
8f33392

This release also contains security patches. Upgrading is strongly recommended.

1.5.3 addresses the security vulnerabilities recently disclosed by the NCSC. Here are the details:

E: Infinite drip-feeding

Problem description:

The data in a repository has a certain size, and the repository and client can handle a certain bandwidth. The speed to download the data from a repository can vary greatly. A repository can abuse this by hosting quite a lot of data, and providing that data at a speed of, for example, 3 bytes per second. Some RP software requires a minimum bandwidth, or has a maximum transfer time, but there is software that would wait for all data to be transmitted, even if that would take several weeks.

FORT used to have a buggy defense against this.

--http.idle-timeout simultaneously controlled both CURLOPT_LOW_SPEED_LIMIT and CURLOPT_LOW_SPEED_TIME, but it did so clumsily. In pseudocode,

CURLOPT_LOW_SPEED_LIMIT = --http.idle-timeout
CURLOPT_LOW_SPEED_TIME = (--http.idle-timeout != 0) ? 1 : 0

The new code introduces two new flags, one for each option, so they are no longer coupled. In pseudocode:

CURLOPT_LOW_SPEED_LIMIT = --http.low-speed-limit [2]
CURLOPT_LOW_SPEED_TIME = --http.low-speed-time [3]

--http.low-speed-limit defaults to 100 KB/s, and --http.low-speed-time defaults to 10 seconds.

L: Repository serves fake large files

Here I did something quite simple: what if I just serve a lot of data? Luckily, the RRDP protocol allows for the specification of absolute URIs, so I linked that to a large file usually used as a speedtest hosted externally. The contents of the file are random, and contain nothing useful. Some implementations went out of memory, some ignored the file.

rsync calls now include --max-size=20MB by default.

For RRDP, FORT introduces --http.max-file-size. It defaults to 1 GB, because legitimate RRDP snapshots are already large and still growing.

O: Repository tricks the RP to write files outside of the cache directory

The last test I created was again regarding paths and filesystems. On most UNIX-based systems, there are two special folders in each folder: "." and "..". The former to stay in the current folder, and the latter to go one folder up. Thus I wondered: can I somehow make the RP software write files outside the directories they are supposed to end up in, by using a path rsync://example.org/../../etc/not-a-virus? Most RP software rejected the path, but some did write files to random folders.

Fixed by implementing RFC 6486bis, section 4.2.2. File name validation is now much stricter.
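To illustrate the kind of check that stops the rsync://example.org/../../etc/not-a-virus case above, here is an added example (not FORT's own code): it rejects any path segment that is empty, "." or "..", and additionally restricts segments to a conservative character set that is an assumption of this example, not the exact grammar of RFC 6486bis.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Allowed characters in one path segment. This set is an assumption of the
 * example (alphanumerics, '-', '_' and '.'); it deliberately excludes '/',
 * '\\' and '%', so percent-encoded traversal such as "%2e%2e" is refused too. */
static bool segment_char_ok(unsigned char c)
{
	return isalnum(c) || c == '-' || c == '_' || c == '.';
}

/* A segment is safe if it is non-empty, is neither "." nor "..", and uses
 * only allowed characters. */
bool segment_is_safe(const char *seg, size_t len)
{
	if (len == 0)
		return false;
	if (len == 1 && seg[0] == '.')
		return false;
	if (len == 2 && seg[0] == '.' && seg[1] == '.')
		return false;
	for (size_t i = 0; i < len; i++)
		if (!segment_char_ok((unsigned char)seg[i]))
			return false;
	return true;
}

/* Validates the path part of a repository URI ("rsync://host/a/b.cer" or
 * "https://host/rrdp/notification.xml"). Returns true only if the URI has
 * a path that names a file and every segment is safe, so that mapping it
 * onto the local cache directory cannot escape that directory. */
bool uri_path_is_safe(const char *uri)
{
	const char *p = strstr(uri, "://");
	if (p == NULL)
		return false;
	p = strchr(p + 3, '/');          /* skip scheme and authority */
	if (p == NULL || *(++p) == '\0')
		return false;                /* no path, or no file name */
	while (*p != '\0') {
		const char *end = strchr(p, '/');
		size_t len = end ? (size_t)(end - p) : strlen(p);
		if (!segment_is_safe(p, len))
			return false;
		if (end == NULL)
			break;
		p = end + 1;
		if (*p == '\0')
			return false;            /* trailing '/' names no file */
	}
	return true;
}
```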

With the exception of H, J and K, FORT was found to be resilient against the other attack vectors proposed by the research. Fixes for H, J and K have been postponed, because patching them properly requires IETF intervention.