Bug 132707

Summary: VUL-0: AUDIT-0: CASA
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Cameron Mashayekhi <cmashayekhi>
Status: RESOLVED DUPLICATE
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P5 - None
CC: joe, meissner, security-team, soo.choi
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 222012
Bug Blocks:
Attachments: 1.5 design doc in ppt form
crypto related doc
Ref Guide
Additional design doc
rats_output.txt
rats_output.txt
flawfinder_output.txt
CASA RPC verbs document
casa-report.pdf

Description Marcus Meissner 2005-11-08 14:09:46 UTC
casa is a credential sharing / syncing framework which
is supposed to be Novell's solution ongoing ...

It is written in C#.

It integrates somehow with kwallet, gnome-keyring and similar...

So we need to take a look at it, especially on whether the secrets can be leaked.
Comment 1 Baber Amin 2005-11-18 22:04:43 UTC
Created attachment 57770 [details]
1.5 design doc in ppt form
Comment 2 Baber Amin 2005-11-18 22:05:07 UTC
Created attachment 57771 [details]
crypto related doc
Comment 3 Baber Amin 2005-11-18 22:05:53 UTC
Created attachment 57772 [details]
Ref Guide
Comment 4 Baber Amin 2005-11-18 22:06:16 UTC
Created attachment 57773 [details]
Additional design doc
Comment 5 Baber Amin 2005-11-18 22:07:05 UTC
Attached docs that were used in the SRB process in Provo and might help with the audit.
Comment 6 Marcus Meissner 2005-11-21 10:39:26 UTC
Created attachment 57854 [details]
rats_output.txt

(rats output)

>>> Cameron Mashayekhi 10/21/2005 9:45:37 am >>>

Here is the buffer overflow analysis for CASA as required by the SRB.

Thanks,
Cameron
Comment 7 Marcus Meissner 2005-11-21 10:39:44 UTC
Created attachment 57855 [details]
rats_output.txt

(rats output)

http://www.mirrors.wiretapped.net/security/development/auditing/rats/
Comment 8 Marcus Meissner 2005-11-21 10:41:05 UTC
Created attachment 57856 [details]
flawfinder_output.txt

flawfinder output

http://www.dwheeler.com/flawfinder/
Comment 9 Thomas Biege 2005-12-08 11:29:59 UTC
I'll look at it after the holidays.
Comment 10 Thomas Biege 2006-02-03 12:36:29 UTC
I am on it...
Comment 11 Thomas Biege 2006-02-08 13:04:22 UTC
Baber,
is there a description available for the protocol miCASA uses with clients communicating via the unix domain socket?

Comment 12 Baber Amin 2006-02-08 18:49:22 UTC
We will have a written description available by EOD Monday.

Tschoe
-Baber
Comment 13 Baber Amin 2006-02-17 20:23:41 UTC
Created attachment 69131 [details]
CASA RPC verbs document

CASA RPC verbs document as requested in comment # 11.
Comment 14 Thomas Biege 2006-02-23 08:53:19 UTC
Thanks.
Comment 15 Thomas Biege 2006-03-07 13:02:48 UTC
Created attachment 71550 [details]
casa-report.pdf

Audit Report
Comment 16 Thomas Biege 2006-03-07 13:03:48 UTC
Hello Baber,
I reassign it to you to handle further actions. Thanks.
Comment 17 Baber Amin 2006-03-07 16:35:55 UTC
Thanks Thomas, I will get the doc to the engineering team here.  We might ask you for guidance on some things.  Thanks for your help.

Tschoe
-Baber
Comment 18 Thomas Biege 2006-04-21 09:47:16 UTC
Hello,
when the fixing of CASA is finished can you attach the relevant patches here please?

Comment 19 Baber Amin 2006-04-21 14:11:18 UTC
Hi Thomas, the fixes are going in as bug fixes and are in final test phase.  They should be checked in with the next build of CASA.  I will post final progress here.

Cheers
-Baber
Comment 20 Thomas Biege 2006-05-22 12:31:39 UTC
>>> Thomas Biege <thomas@suse.de> 4/26/06 8:09 AM >>>
> These are all in version 1.6 slated for sled10.   I would like to hear
> your recommendation as to whether we should create patches for the 1.5
> release also.  We did create one patch for 1.5 that fixed the buffer
> overflow, but are these significant enough to patch 1.5, or do we see
> enough sled10 adoption/migration that CASA 1.5 which was in nld9 sp3 can
> be left unpatched till the next service pack.  What is your opinion?

Hi.

From the report the following bugs should be patched: 5.2, 5.9, 4.3, 4.4
Comment 21 Thomas Biege 2006-05-22 12:32:32 UTC
These bugs should be patched (online update) for the released products (NLD, OES).
Comment 22 Thomas Biege 2006-05-22 12:38:13 UTC
For 4.4 only the FileStream() bug.
Comment 23 Thomas Biege 2006-05-22 12:53:47 UTC
MaintenanceTracker-4404
Comment 24 Baber Amin 2006-05-22 20:31:21 UTC
Hi guys, what is a MaintenanceTracker?  I am not familiar with this or with what to do with it.

-baber
Comment 25 Thomas Biege 2006-05-26 12:09:26 UTC
You have to provide update packages for the affected products. We handle the rest. :)
Comment 26 Thomas Biege 2006-05-31 09:11:06 UTC
I got some CVE numbers from Mitre (cve.mitre.org). Try to include them in changelogs and update texts to have a common cross-reference please.

>       + other users password storage can be accessed through links
>         to execute dictionary attack on corresponding  'master passcode'

CVE-2006-2619

>       + local user can mimic the CASA daemon to steal the 'master password'
>         from another user

CVE-2006-2620

>       + several possible buffer overflow that can be exploited locally

CVE-2006-2621
Comment 27 Kyle Bullock 2006-06-12 15:53:20 UTC
Are there still issues from the audit that need to be implemented, thus requiring us to keep the defect open to track them, or can this defect be closed?
Comment 28 Thomas Biege 2006-06-26 10:02:39 UTC
We will keep it open until we have pushed out the update packages to our customers. That is the common procedure we use.

thomas@spiral:~> /work/src/bin/is_maintained CASA
Package is on CD sled10.i386
        Distribution: sles10-i386
        Distributionstring: SUSE-Linux-SLES-i386
        Marketing-Name: SUSE SLED 10 for x86
Package is on CD sled10.x86_64
        Distribution: sles10-x86_64
        Distributionstring: SUSE-Linux-SLES-x86-64
        Marketing-Name: SUSE SLED 10 for AMD64 and Intel EM64T
Package is on CD sles9-nld.i386
        Distribution: sles9-sld-i386
        Distributionstring: SLES9-SLD-i386
        Marketing-Name: Novell Linux Desktop 9 for x86
Package is on CD sles9-nld.x86_64
        Distribution: sles9-sld-x86_64
        Distributionstring: SLES9-SLD-x86_64
        Marketing-Name: Novell Linux Desktop 9 for x86_64
Package is on CD sles9-oes.i386
        Distribution: sles9-i386
        Distributionstring: Novell-Open-Enterprise-Server-i386
        Marketing-Name: Open Enterprise Server
thomas@spiral:~>

Comment 29 Thomas Biege 2006-09-06 10:06:46 UTC
Are the updates submitted now?
Comment 30 Thomas Biege 2006-09-19 16:39:56 UTC
We need sles9 and sles10 updates. TIA.
Comment 31 Thomas Biege 2006-10-09 09:54:11 UTC
ping
Comment 32 Thomas Biege 2006-11-09 06:16:58 UTC
Hello, someone?
Comment 33 Cameron Mashayekhi 2006-11-14 16:44:46 UTC
We addressed all of the issues that were in the security review list. All of the fixes went into 1.6 and moving forward to 1.7. If you look at the CASA.changes file in autobuild all of the changes have been described and documented there. As it was mandated at the time we provided a patch to solve the critical buffer overflow defect in 1.5 to retrofit the product and the patch was shipped as well.

If there are any additional issues before our next security review for 1.7 that need to be addressed then let us know.

-- Cameron
Comment 34 Thomas Biege 2007-01-08 16:14:29 UTC
What about CASA 1.5 in sles9?

For SLES10 it seems to be fixed in the repository. But it is hard to spot because the CASA.changes file does not list this Bug-ID nor does it list a CVE-ID.

Was this fixed CASA 1.6 package part of a SLES10 ServicePack we released?

Comment 35 Thomas Biege 2007-01-08 16:23:20 UTC
(In reply to comment #34)
> What about CASA 1.5 in sles9?

To clarify I looked at 
/work/SRC/old-versions/9.1/SLD/all/CASA/CASA.changes
and
/work/SRC/old-versions/9.1/SLES/arch/i386/CASA/CASA.changes

The patch is not mentioned there AFAICS.

The only buffer overflow listed there is:
-------------------------------------------------------------------
Wed Feb 15 14:45:22 MST 2006 - cmashayekhi@novell.com

- Bug 143940. pam_sscs.c patch for the buffer overflow applied to
  version 1.5.

-------------------------------------------------------------------

Is this the one you mean? This one has nothing to do with this bug/audit report.
Comment 36 Cameron Mashayekhi 2007-01-08 17:43:25 UTC
You are correct. We were mandated to apply the audit patch requirements only to version 1.6 because 1.5 was an older version that was not in popular use and in a worst case scenario CASA 1.5 could be upgraded to 1.6 on an older OS. However, we were required to patch the critical buffer overflow bug that was reported to us by you, which is the one you have listed here. We retrofitted the fix as a patch into version 1.5 because it was critical, and this was done right when we were going through with the security review when you performed the code review.

--Cameron
Comment 37 Thomas Biege 2007-01-09 09:45:38 UTC
Thanks for the answer.

> in a worst case scenario CASA 1.5 could be upgraded to 1.6 on an older OS.

How is this upgrade done?

If I write a security-advisory I can add this information there to inform customers about the problem.


> However, We were required to patch the critical buffer overflow bug that was
> reported to us by you that is the one you have listed here.
> We retrofitted the fix as a patch into version 1.5 because it was critical...

To avoid confusion can you directly point me to the buffer overflow bug you mean and the patch you applied?

BTW, what will be done with CASA 1.0 for SL 10.0? Was this code shipped?

And the most important question: Did we ever release fixes via a ServicePack?

I need to find out what really got fixed and for what SL version to provide updates for our customers.

Comment 38 Cameron Mashayekhi 2007-01-09 21:11:10 UTC

Our builds (rpms) are available at:
http://forge.novell.com/modules/xfmod/project/?casa
for public download and use.

Installing 1.6 or newer might require some dependencies to be updated as well but when they start updating the rpm they will (rpm -Uvh) get prompted if they need to update anything.

On how the patch was released to 1.5 you need to contact Ruedieger Ortel (rudi@suse.com); he knows how that was delivered.

Our Build Manager Soo Choi will provide the patch build information separately.

Version 1.0 was only caching secrets for the session and did not have any advanced features that would require any of these patches.

--Cameron
Comment 39 Soo Choi 2007-01-09 23:07:05 UTC
The patch builds are the following and available at forge site.
CASA-1.5.305-0.i586.rpm
CASA-devel-1.5.305-0.i586.rpm
CASA-gui-1.5.305-0.i586.rpm

The changes are in svn r305
jnorman | 2006-02-15 13:51:17 -0700 (Wed, 15 Feb 2006) | 1 line
Changed paths:
   M /branches/Patch_1.5/login_capture/PAM/pam_sscs.c
Buffer overflow patch for NLD9

--Soo
Comment 40 Thomas Biege 2007-01-10 12:26:43 UTC
Thanks for this information.

We need to push out the updates via YaST Online Update. An URL to our forge site is not what our customers expect.

Therefore my last question: Are the patches complete for the package of SLE(D)10? Especially the fixes for CVE-2006-2620 and CVE-2006-2621 are important (see comment#26).

I have to ask this so explicitly because these bugs are easy to exploit and it is not clear to me by reading the CASA.changes file if they are fixed or not.

(BTW, mentioning the Bug-ID and/or CVE-ID in the changes file would make this locatable more easily.)
Comment 41 Thomas Biege 2007-01-24 11:33:43 UTC
from CASA.changes:

-------------------------------------------------------------------
Wed Apr 26 15:50:00 MDT 2006 - jnorman@novell.com

-	Security Audit Recap:
-	Item 4.1, File: c_micasad/lss/Rfc2898DeriveBytes.c
	1.	This item is awaiting licensing on a portable random number
		generator received through a contribution to the project.
-	Item 4.2 File: c_micasad/cache/KeyValue.c
	1.	Fix is in line 202 of the file. We improved XOR algorithm by
		increasing the size of the key to equate the value.
-	Item 4.3 File: c_micasad/lss/LocalStorage.cs
	1.	Now files are checked for ownership before being removed.
		New methods added and there are changes throughout the file to support this.
-	Item 4.4 File: c_micasad/lss/CASACrypto.cs
	1.	IV fix will be checked in as soon as the item No. 1 above is approved.
	2.	For this item now we are testing the file to make sure it is not a
		symbolic link. (line 454, 455 in the file.)
	3.	This was a low priority item and we are investigating this.
	4.	This function was not used hence removed.
	5.	The default behavior of the file creation was modified to set the
		rights at creation time.
-	Item 5.1 File: c_micasad/communication/UnixCommunication
	1.	This was fixed by checking to see if the root was not the owner
		of the socket to remove the file.
-	Item 5.2 File: c_micasad/lib/communication/UnixIPCClientChannel.cs
	1.	This was fixed by validating the owner of the socket before use.
-	Item 5.3 File: c_micasad/lib/communication/UnixIPCClientChannel.cs
	1.	This was fixed by validating the buffer size before allocation of memory.
-	Item 5.4 File: c_micasad/lss/CASACrypto.cs
	1.	This was fixed by checking for minimum length.
	2.	We can't check for upper limit for memory for maximum file size because
		we don't know how big the file can get. System will swap the pages out
		of the cache if it gets big and those pages are fragments of the encrypted
		cache. The original decrypted cache will be subject to garbage collection
		by Mono or .Net. We have added the forced garbage collection after
		finishing the decryption operation.
-	Item 5.5 File: c_micasad/verbs/ObjectSerializtion.cs
	1.	The memory size checks have been added to the code for validation.
-	Item 5.6 File: c_micasad/verbs/OpenSecretStore.cs
	1.	The buffer size validation is added.
	2.	MsgId 0x1001 is not correct.
-	Item 5.7 File: c_micasad/verbs/SetMasterPasscode.cs
	1.	The buffer size validation is added.
-	Item 5.8 File: c_micasad/common/SessionManager.cs
	1.	We are running as root so $PATH is root's $PATH.
	2.	We can go through the while loop twice; that is the reason we used the loop.
-	Item 5.9 File: c_micasad/sscs_ndk.c
	1.	All of the instances of strcpy, strcmp, strcat, strlen, were replaced
		with strncpy, strncmp, strncat and strlen was eliminated.
	2.	The Utf8 macros were modified to force a null at the end of the string
		buffer where the length was declared.
	3.	All of the buffer lengths for upper bounds are being validated before use.
	4.	sscsshs_ChkEscapeString was fixed.
-	Item 5.10 File: auth_token/kbr5_token/linux/get.c
	1.	This file is not built as a part of CASA 1.6 yet and is supposed to be
		completed and shipped in CASA 1.7. The fix will be applied later.
-	Item 5.11 File: c_micasacache/sscs_ipc
	1.	Handling of the end files has been added to the code.
-	Item 5.12 File: c_micasacache/sscs_unx_ipc_client.c
	1.	Tokenize function has been fixed.
	2.	Validation of the buflen is added where applicable.
-	Item 5.13 File: c_adlib/ad_gk/native.c
	1.	The validation of the buffer length has been added to the code.

-------------------------------------------------------------------
Comment 42 Thomas Biege 2007-01-24 14:03:15 UTC
Unfortunately not all bugs are fixed properly. More on this later (new audit report).
Comment 43 Cameron Mashayekhi 2007-01-24 22:01:20 UTC
Thomas,

Is it possible to get a set of defects assigned for what's needed to be fixed in addition to your audit report? This would be useful for tracking them and fixing them.

As comment #26 is not specific about what these issues are, is it possible to get a more specific description of the problem? Are they going to be in your report?

Thanks,
Cameron
Comment 44 Thomas Biege 2007-01-25 08:18:21 UTC
(In reply to comment #43)
> Thomas,
> 
> Is possible to get a set of defects assigned for whats needed to be fixed in
> addition to your audit report? This would be useful for tracking them and
> fixing them.

Regarding CASA 1.6 all defects I found are in the report.

For CASA/CASA_auth_token 1.7 all defects I'll find will be in the report attached to bug #222012. But I am not done yet.


> That comment #26 is not specific to what these issues have been is it possible
> to get a more specific description on the problem, are they going to be in your
> report?

They are in the report I attached here.

excerpt:
- CVE-2006-2619: is not fixed. Using /home/.casa/<username> does not help, but the "attack window" is narrowed.

- CVE-2006-2620: seems to be fixed but I need to verify it (maybe there is a "race condition")

- CVE-2006-2621: seems to be fixed, except for one or two cases.

Not all (but most) bugs mentioned in comment #41 are fixed. The complete list will be in the new audit report. For example, the salt generation for passwords is still vulnerable to a code book attack... but now the attack can be prepared 15 times faster.

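The socket-owner validation described under items 5.1/5.2 in comment #41, and the possible race that comment #44 raises for CVE-2006-2620, as an added C example that is not CASA's own code: a client refuses a daemon socket path that is a symlink, not a socket node, or not owned by the expected uid, and then re-checks the connected peer's credentials so a path swapped between the check and connect() cannot pass. It assumes Linux (SO_PEERCRED) and that the daemon runs as root (uid 0, per item 5.8); the helper names are hypothetical.

```c
#define _GNU_SOURCE              /* struct ucred / SO_PEERCRED are Linux-only */
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

enum sock_check { SOCK_OK = 0, SOCK_ERR_STAT, SOCK_ERR_SYMLINK,
                  SOCK_ERR_NOT_SOCKET, SOCK_ERR_OWNER };

/* Pre-connect path check (hypothetical helper): lstat() sees a planted symlink
 * as a link instead of following it; require a socket node owned by expected_uid. */
enum sock_check check_socket_path(const char *path, uid_t expected_uid)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return SOCK_ERR_STAT;
    if (S_ISLNK(st.st_mode))
        return SOCK_ERR_SYMLINK;
    if (!S_ISSOCK(st.st_mode))
        return SOCK_ERR_NOT_SOCKET;
    if (st.st_uid != expected_uid)
        return SOCK_ERR_OWNER;
    return SOCK_OK;
}

/* Post-connect check: the kernel reports the uid of the process that created the
 * peer socket, so a path swapped between lstat() and connect() cannot pass. */
int peer_uid_is(int fd, uid_t expected_uid)
{
    struct ucred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0)
        return 0;
    return cred.uid == expected_uid;
}

/* Connect only when both checks pass; returns the fd or -1. The path length
 * is validated against sun_path before the bounded copy (no strcpy). */
int connect_trusted(const char *path, uid_t daemon_uid)
{
    struct sockaddr_un addr;
    size_t n = strlen(path);
    int fd;
    if (check_socket_path(path, daemon_uid) != SOCK_OK || n >= sizeof addr.sun_path)
        return -1;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, path, n + 1);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&addr, sizeof addr) == 0 && peer_uid_is(fd, daemon_uid))
        return fd;
    close(fd);
    return -1;
}
```

The path check alone is what the changelog describes; the SO_PEERCRED check is the part that closes the lstat-to-connect window.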
Comment 45 Cameron Mashayekhi 2007-03-14 15:49:43 UTC
Since we have two defects open for this I am marking this as a duplicate of bug 222012 and closing it so we can continue tracking the progress in the other defect.

Thanks,
Cameron

*** This bug has been marked as a duplicate of bug 222012 ***