Bugzilla – Full Text Bug Listing

| Field | Value |
|---|---|
| Summary | VUL-1: CVE-2017-9271: zypper: proxy credentials written to log files |
| Product | [Novell Products] SUSE Security Incidents |
| Reporter | Mario Biberhofer <m.biberhofer> |
| Component | Incidents |
| Assignee | Michael Andres <ma> |
| Status | REOPENED --- |
| QA Contact | Security Team bot <security-team> |
| Severity | Normal |
| Priority | P4 - Low |
| CC | abergmann, astieger, atoptsoglou, ma, maint-coord, meissner, security-team, zypp-maintainers |
| Version | unspecified |
| Flags | abergmann: needinfo? (ma) |
| Target Milestone | unspecified |
| Hardware | All |
| OS | Other |
| Whiteboard | CVSSv2:SUSE:CVE-2017-9271:1.9:(AV:L/AC:M/Au:N/C:P/I:N/A:N) CVSSv3:SUSE:CVE-2017-9271:4.0:(AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) maint:planned:update |
| Found By | --- |
| Services Priority | |
| Business Priority | |
| Blocker | --- |
| Marketing QA Status | --- |
| IT Deployment | --- |
| Attachments | CVE-2017-9271.json |
Checking it out... The parameters are used in local storage only, and are cleared prior to hitting the network:

https://github.com/openSUSE/libzypp/blob/master/zypp/media/MediaCurl.cc#L583-L606
https://github.com/openSUSE/libzypp/blob/master/zypp/media/MediaCurl.cc#L1195-L1200
https://github.com/openSUSE/libzypp/blob/master/zypp/media/MediaCurl.cc#L1499-L1504

Phew. That's one ugly way to store proxy information on a per-repository basis. In my case, my proxy server takes my domain login as credentials. I guess it's 'fine' (i.e. ugly, as it usually is to use proxy credentials) then. At least from a security perspective, as the credential information always gets exposed via an environment variable. Maybe a different, way less shocking way to do the same should be implemented. :-)

Well, it's not really 'fine' as the proxypasswd is visible in the logfile. The logfiles may be collected and attached to bug reports, so they may easily escape the local storage. We should try to avoid this.

So this would be CWE-532: Information Exposure Through Log Files
https://cwe.mitre.org/data/definitions/532.html

(In reply to Michael Andres from comment #4)
> Well, it's not really 'fine' as the proxypasswd is visible in the logfile. The
> logfiles may be collected and attached to bug reports, so they may easily
> escape the local storage. We should try to avoid this.

Granted, I didn't have this part in mind. Thanks for the update.

This is tracked via CVE-2017-9271

Michael, is this new behavior or do we have that issue for all products in support?

This happens in all products. The Url class per default hides a password in the authority ('user@host' rather than 'user:passwd@host'). But the query part is printed as it is. At the time the class was created, no one expected passwords to be stored in the query part.

Created attachment 762308 [details]
CVE-2017-9271.json
mitre upload
Are we planning on fixing this?

(In reply to Marcus Meissner from comment #13)
> Are we planning on fixing this?

Yes, I'm currently working on it.

SUSE-SU-2021:0109-1: An update that solves one vulnerability and has 11 fixes is now available.
Category: security (moderate)
Bug References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179415,1179909
CVE References: CVE-2017-9271
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): libzypp-17.25.5-3.25.6, yast2-installation-4.2.48-3.16.1, zypper-1.14.41-3.14.10
SUSE Linux Enterprise Installer 15-SP2 (src): libzypp-17.25.5-3.25.6, yast2-installation-4.2.48-3.16.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2021:0059-1: An update that solves one vulnerability and has 11 fixes is now available.
Category: security (moderate)
Bug References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179415,1179909
CVE References: CVE-2017-9271
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): libzypp-17.25.5-lp152.2.16.1, yast2-installation-4.2.48-lp152.2.12.1, zypper-1.14.41-lp152.2.12.1

SUSE-SU-2021:0770-1: An update that solves one vulnerability and has 15 fixes is now available.
Category: security (moderate)
Bug References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179415,1179847,1179909,1181328,1181622,1182629
CVE References: CVE-2017-9271
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): libsolv-0.7.17-3.40.1, libzypp-17.25.8-3.66.1, yast2-installation-4.0.77-3.22.5, zypper-1.14.43-3.49.1
SUSE Linux Enterprise Server 15-LTSS (src): libsolv-0.7.17-3.40.1, libzypp-17.25.8-3.66.1, yast2-installation-4.0.77-3.22.5, zypper-1.14.43-3.49.1
SUSE Linux Enterprise Installer 15 (src): libsolv-0.7.17-3.40.1, libzypp-17.25.8-3.66.1, yast2-installation-4.0.77-3.22.5, zypper-1.14.43-3.49.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): libsolv-0.7.17-3.40.1, libzypp-17.25.8-3.66.1, yast2-installation-4.0.77-3.22.5, zypper-1.14.43-3.49.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): libsolv-0.7.17-3.40.1, libzypp-17.25.8-3.66.1, yast2-installation-4.0.77-3.22.5, zypper-1.14.43-3.49.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2021:0956-1: An update that solves one vulnerability, contains one feature and has 18 fixes is now available.
Category: security (moderate)
Bug References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179816,1179847,1179909,1180077,1180663,1180721,1181328,1181622,1182629
CVE References: CVE-2017-9271
JIRA References: SLE-8482
Sources used:
SUSE Manager Server 4.0 (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Manager Retail Branch Server 4.0 (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Manager Proxy 4.0 (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Linux Enterprise Installer 15-SP1 (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Enterprise Storage 6 (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE CaaS Platform 4.0 (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
During the installation of OpenSUSE 42.3 behind a proxy server it was noted that the installer seems to leak proxy information, including user name *and* password, by encoding it into the repo URL:

> Download (curl) error for 'http://download.opensuse.org/distribution/leap/42.3/repo/oss/content?proxy=XXX&proxyport=YYYY&proxyuser=ZZZ&proxypass=WWW':
> Error code: HTTP response: 407

I sincerely hope that zypper extracts the information and does not transmit it for real, or is that thought dubiously optimistic? I'd be happy to see someone saying that I'm completely wrong here and that everything's fine. Otherwise I really have to think about *why* this information is encoded in the first place.
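The thread names two places where a password can end up in a log line: the authority part of the URL, which the Url class already prints as 'user@host', and the query part, which it prints verbatim, so the `?proxy=...&proxyuser=...&proxypass=...` form from the original report lands in the log with the password intact. The following is an added example in C++ (not libzypp's own code and not the fix that shipped) showing how a log-bound URL can be sanitized on both paths before it is written out. `hideAuthorityPassword`, `maskSecretQueryValues`, `redactUrlForLog` and the extra `password`/`pass` entries in `kSecretKeys` are this example's own names and assumptions; the sample URL is constructed with placeholder credentials.

```cpp
// Added example, not libzypp code: redact credentials from a URL before it
// is written to a log line.  Covers both exposure paths from the bug thread:
// the password in the authority ("user:passwd@host") and the proxy
// credentials carried in the query string ("?proxyuser=...&proxypass=...").
#include <iostream>
#include <string>
#include <vector>

namespace {

const std::string::size_type npos = std::string::npos;
const std::string kMask = "<hidden>";

// Query keys whose values must never reach a log.  "proxyuser" and
// "proxypass" are the parameter names from the bug report; "password" and
// "pass" are assumed here for illustration only.
const std::vector<std::string> kSecretKeys = {"proxypass", "proxyuser",
                                              "password", "pass"};

bool isSecretKey(const std::string& key) {
    for (const auto& k : kSecretKeys)
        if (key == k) return true;
    return false;
}

} // namespace

// Hide the password in the authority: "scheme://u:p@host" -> "scheme://u@host".
// The authority ends at the first '/', '?' or '#', so an '@' that appears
// later in the path or query is not mistaken for the userinfo separator.
std::string hideAuthorityPassword(const std::string& url) {
    std::string::size_type schemeEnd = url.find("://");
    std::string::size_type authStart = (schemeEnd == npos) ? 0 : schemeEnd + 3;
    std::string::size_type authEnd = url.find_first_of("/?#", authStart);
    if (authEnd == npos) authEnd = url.size();
    std::string::size_type at = url.rfind('@', authEnd);   // last '@' in authority
    if (at == npos || at < authStart) return url;          // no userinfo at all
    std::string::size_type colon = url.find(':', authStart);
    if (colon == npos || colon > at) return url;           // user without password
    return url.substr(0, colon) + url.substr(at);          // drop ":passwd"
}

// Mask the values of secret keys in the query string.  Keys and the other
// parameters stay visible so the log line still shows what was configured,
// only the secret values are replaced.
std::string maskSecretQueryValues(const std::string& url) {
    std::string::size_type q = url.find('?');
    if (q == npos) return url;
    std::string::size_type frag = url.find('#', q);
    std::string query = url.substr(q + 1, frag == npos ? npos : frag - q - 1);

    std::string rebuilt;
    std::string::size_type pos = 0;
    bool first = true;
    for (;;) {
        std::string::size_type amp = query.find('&', pos);
        std::string pair = query.substr(pos, amp == npos ? npos : amp - pos);
        std::string::size_type eq = pair.find('=');
        if (eq != npos && isSecretKey(pair.substr(0, eq)))
            pair = pair.substr(0, eq + 1) + kMask;         // keep "key=", mask value
        if (!first) rebuilt += '&';
        rebuilt += pair;
        first = false;
        if (amp == npos) break;
        pos = amp + 1;
    }
    return url.substr(0, q + 1) + rebuilt +
           (frag == npos ? std::string() : url.substr(frag));
}

// The single call a logging layer would make before formatting a URL.
std::string redactUrlForLog(const std::string& url) {
    return maskSecretQueryValues(hideAuthorityPassword(url));
}

int main() {
    // Constructed sample, shaped like the URL in the bug report, with
    // placeholder credentials filled in.
    const std::string url =
        "http://alice:hunter2@download.opensuse.org/distribution/leap/42.3/repo/oss/content"
        "?proxy=proxy.example.com&proxyport=3128&proxyuser=jdoe&proxypass=s3cr3t";
    std::cout << "raw:      " << url << '\n';
    std::cout << "redacted: " << redactUrlForLog(url) << '\n';
    return 0;
}
```

Build with `g++ -std=c++11 redact.cpp -o redact`. Matching secret parameters by exact key name is a log-side mitigation only: a parameter that is renamed or percent-encoded differently slips through, which is why the thread's own conclusion, not carrying credentials in the query part of a URL that gets printed, is the stronger fix.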