Bug 1027520 (CVE-2017-6410)

Summary: VUL-0: CVE-2017-6410: kdelibs4: kio: Information Leak when accessing https when using a malicious PAC file
Product: [Novell Products] SUSE Security Incidents Reporter: Fabian Vogt <fabian>
Component: IncidentsAssignee: Antonio Larrosa <alarrosa>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: astieger, mikhail.kasimov, opensuse-kde-bugs, wbauer
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv2:SUSE:CVE-2017-6410:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2017-6410:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv3:NVD:CVE-2017-6410:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) CVSSv3:RedHat:CVE-2017-6410:5.3:(AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Fabian Vogt 2017-03-01 20:36:46 UTC
42.2 and 42.1 are affected

From: https://www.kde.org/info/security/advisory-20170228-1.txt

KDE Project Security Advisory
=============================

Title:          kio: Information Leak when accessing https when using a malicious PAC file
Risk Rating:    Medium
CVE:            TBC
Versions:       kio < 5.32, kdelibs < 4.14.30
Date:           28 February 2017


Overview
========
Using a malicious PAC file, and then using exfiltration methods in the PAC
function FindProxyForURL() enables the attacker to expose full https URLs.

This is a security issue since https URLs may contain sensitive
information in the URL authentication part (user:password@host), and in the
path and the query (e.g. access tokens).

This attack can be carried out remotely (over the LAN) since proxy settings
allow “Detect Proxy Configuration Automatically”.
This setting uses WPAD to retrieve the PAC file, and an attacker who has access
to the victim’s LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
and inject his/her own malicious PAC instead of the legitimate one.

Solution
========
Update to kio >= 5.32 and kdelibs >= 4.14.30 (when released)

Or apply the following patches:
    kio: https://commits.kde.org/kio/f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
kdelibs: https://commits.kde.org/kdelibs/1804c2fde7bf4e432c6cf5bb8cce5701c7010559

Credits
=======
Thanks to Safebreach Labs researchers Itzik Kotler, Yonatan Fridburg
and Amit Klein.
Comment 1 Wolfgang Bauer 2017-03-01 21:28:06 UTC
Isn't this the same as bug#1027309 though?
Comment 2 Fabian Vogt 2017-03-01 21:33:51 UTC
(In reply to Wolfgang Bauer from comment #1)
> Isn't this the same as bug#1027309 though?

Indeed! I couldn't find it as I searched for kio.
I'll just make the other one a duplicate of this as I already
used this bug no# in all changes entries...
Comment 3 Fabian Vogt 2017-03-01 21:36:06 UTC
*** Bug 1027309 has been marked as a duplicate of this bug. ***
Comment 4 Bernhard Wiedemann 2017-03-01 23:01:04 UTC
This is an autogenerated message for OBS integration:
This bug (1027520) was mentioned in
https://build.opensuse.org/request/show/461717 Factory / kdelibs4
https://build.opensuse.org/request/show/461718 Factory / kio
Comment 5 Marcus Meissner 2017-03-02 06:51:14 UTC
it would have been better to use the secrity tracker bug. 

but well, i just made this one the tracker bug for this issue.
Comment 6 Marcus Meissner 2017-03-02 07:11:42 UTC
Fabian, if you are opening a security bug on your own, feel free to add VUL-0 in front of the summary, so our scripts will see it and we can process it.
Comment 7 Bernhard Wiedemann 2017-03-02 09:00:59 UTC
This is an autogenerated message for OBS integration:
This bug (1027520) was mentioned in
https://build.opensuse.org/request/show/461793 42.1 / kdelibs4+kio
https://build.opensuse.org/request/show/461794 42.2 / kdelibs4+kio
Comment 8 Marcus Meissner 2017-03-02 10:32:57 UTC
CVE-2017-6410 was assigned
Comment 9 Andreas Stieger 2017-03-03 19:31:44 UTC
Can I point out that KDE packages are maintained in the package hub?
I may be mistaken, but this is not the first security fix that was submitted for Leap but not the package hub. And this seems to happen in particular with projects that do not use mbranch but submit from "devel" projects.

To check what is maintained, see:
osc maintained kio
osc maintained kdelibs4

Applies for all:
https://build.opensuse.org/request/show/476826
Comment 10 Fabian Vogt 2017-03-03 19:39:34 UTC
(In reply to Andreas Stieger from comment #9)
> Can I point out that KDE packages are maintained in the package hub?
> I may be mistaken, but this is not the first security fix that was submitted
> for Leap but not the package hub. And this seems to happen in particular
> with projects that do not use mbranch but submit from "devel" projects.
> 
> To check what is maintained, see:
> osc maintained kio
> osc maintained kdelibs4
> 
> Applies for all:
> https://build.opensuse.org/request/show/476826

I always thought that openSUSE backports would inherit the fixes.
Reassigning to antlarr.
Comment 11 Swamp Workflow Management 2017-03-13 14:24:56 UTC
openSUSE-SU-2017:0677-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1027520
CVE References: CVE-2017-6410
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    kdelibs4-4.14.18-6.2, kdelibs4-4.14.25-5.3, kdelibs4-apidocs-4.14.18-6.2, kdelibs4-apidocs-4.14.25-5.3, kio-5.20.0-6.2, kio-5.26.0-5.1
Comment 12 Swamp Workflow Management 2017-03-13 14:25:52 UTC
openSUSE-SU-2017:0680-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1027520
CVE References: CVE-2017-6410
Sources used:
openSUSE Leap 42.2 (src):    kdelibs4-4.14.25-5.2, kdelibs4-apidocs-4.14.25-5.2, kio-5.26.0-6.2
openSUSE Leap 42.1 (src):    kdelibs4-4.14.18-15.2, kdelibs4-apidocs-4.14.18-15.2, kio-5.21.0-23.2
Comment 13 Antonio Larrosa 2017-06-07 11:47:25 UTC
The patch was submitted to Backports so I'm closing this.