Bug 1050625 - (CVE-2017-9271) VUL-1: CVE-2017-9271: zypper: proxy credentials written to log files
(CVE-2017-9271)
VUL-1: CVE-2017-9271: zypper: proxy credentials written to log files
Status: REOPENED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
All Other
: P4 - Low : Normal
: unspecified
Assigned To: Michael Andres
Security Team bot
CVSSv2:SUSE:CVE-2017-9271:1.9:(AV:L/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-26 10:09 UTC by Mario Biberhofer
Modified: 2021-03-25 23:16 UTC (History)
8 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
abergmann: needinfo? (ma)


Attachments
CVE-2017-9271.json (1.55 KB, text/plain)
2018-03-01 12:22 UTC, Marcus Meissner
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Mario Biberhofer 2017-07-26 10:09:43 UTC
During the installation of OpenSUSE 42.3 behind a proxy server it was noted that the installer seems to leak proxy information, including user name *and* password by encoding it into the repo-url:

> Download (curl) error for 'http://download.opensuse.org/distribution/leap/42.3/repo/oss/content?proxy=XXX&proxyport=YYYY&proxyuser=ZZZ&proxypass=WWW':
> Error code: HTTP response: 407

I sincerely hope that zypper extracts the information and does not transmit this it for real -- does that thought is dubiously optimistic?

I'd be happy to see someone saying that I'm completely wrong here and that everything's fine. Otherwise I really have to think about *why* this information is encoded in the first place.
Comment 1 Andreas Stieger 2017-07-26 10:14:33 UTC
Checking it out...
Comment 3 Mario Biberhofer 2017-07-26 10:31:24 UTC
Phew. That's one ugly way to store proxy information on a per-repository base. In my case, my proxy server takes my domain login as credentials.

I guess it's 'fine'(i.e. ugly as it usually is to use proxy credentials) then. At least from a security perspective, as the credential information always gets exposed via an environment variable. Maybe a different, way less shocking way to do  the same should be implemented. :-)
Comment 4 Michael Andres 2017-07-26 11:17:15 UTC
Well, it not really 'fine' as the proxypasswd is visible in the logfile. The logfiles may be collected and attached to bugreports, so they may easily escape the local storage. We should try to avoid this.
Comment 5 Andreas Stieger 2017-07-26 11:23:27 UTC
So this would be CVE-532: Information Exposure Through Log Files
https://cwe.mitre.org/data/definitions/532.html
Comment 6 Mario Biberhofer 2017-07-26 11:35:18 UTC
(In reply to Michael Andres from comment #4)
> Well, it not really 'fine' as the proxypasswd is visible in the logfile. The
> logfiles may be collected and attached to bugreports, so they may easily
> escape the local storage. We should try to avoid this.

Granted, I didn't had this part in mind. Thanks for the update.
Comment 7 Johannes Segitz 2017-07-26 12:35:58 UTC
This is tracked via CVE-2017-9271
Comment 8 Johannes Segitz 2017-07-26 12:40:23 UTC
Michael, is this new behavior or do we have that issue for all products in support?
Comment 9 Michael Andres 2017-07-26 13:52:27 UTC
This happens in all products.

The Url class per default hides a password in the authority ('user@host' rather than 'user:passwd@host'). But the query part is printed as it is. At the time the class was created, no one expected passwords to be stored in the query part.
Comment 12 Marcus Meissner 2018-03-01 12:22:50 UTC
Created attachment 762308 [details]
CVE-2017-9271.json

mitre upload
Comment 13 Marcus Meissner 2018-10-19 05:20:37 UTC
are we planning on fixing this?
Comment 14 Michael Andres 2018-10-22 11:16:44 UTC
(In reply to Marcus Meissner from comment #13)
> are we planning on fixing this?

yes, I'm currently working on it.
Comment 24 Swamp Workflow Management 2021-01-13 14:32:04 UTC
SUSE-SU-2021:0109-1: An update that solves one vulnerability and has 11 fixes is now available.

Category: security (moderate)
Bug References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179415,1179909
CVE References: CVE-2017-9271
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    libzypp-17.25.5-3.25.6, yast2-installation-4.2.48-3.16.1, zypper-1.14.41-3.14.10
SUSE Linux Enterprise Installer 15-SP2 (src):    libzypp-17.25.5-3.25.6, yast2-installation-4.2.48-3.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 25 Swamp Workflow Management 2021-01-14 20:15:50 UTC
openSUSE-SU-2021:0059-1: An update that solves one vulnerability and has 11 fixes is now available.

Category: security (moderate)
Bug References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179415,1179909
CVE References: CVE-2017-9271
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    libzypp-17.25.5-lp152.2.16.1, yast2-installation-4.2.48-lp152.2.12.1, zypper-1.14.41-lp152.2.12.1
Comment 29 Swamp Workflow Management 2021-03-11 23:17:36 UTC
SUSE-SU-2021:0770-1: An update that solves one vulnerability and has 15 fixes is now available.

Category: security (moderate)
Bug References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179415,1179847,1179909,1181328,1181622,1182629
CVE References: CVE-2017-9271
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    libsolv-0.7.17-3.40.1, libzypp-17.25.8-3.66.1, yast2-installation-4.0.77-3.22.5, zypper-1.14.43-3.49.1
SUSE Linux Enterprise Server 15-LTSS (src):    libsolv-0.7.17-3.40.1, libzypp-17.25.8-3.66.1, yast2-installation-4.0.77-3.22.5, zypper-1.14.43-3.49.1
SUSE Linux Enterprise Installer 15 (src):    libsolv-0.7.17-3.40.1, libzypp-17.25.8-3.66.1, yast2-installation-4.0.77-3.22.5, zypper-1.14.43-3.49.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    libsolv-0.7.17-3.40.1, libzypp-17.25.8-3.66.1, yast2-installation-4.0.77-3.22.5, zypper-1.14.43-3.49.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    libsolv-0.7.17-3.40.1, libzypp-17.25.8-3.66.1, yast2-installation-4.0.77-3.22.5, zypper-1.14.43-3.49.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 Swamp Workflow Management 2021-03-25 23:16:57 UTC
SUSE-SU-2021:0956-1: An update that solves one vulnerability, contains one feature and has 18 fixes is now available.

Category: security (moderate)
Bug References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179816,1179847,1179909,1180077,1180663,1180721,1181328,1181622,1182629
CVE References: CVE-2017-9271
JIRA References: SLE-8482
Sources used:
SUSE Manager Server 4.0 (src):    libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Manager Retail Branch Server 4.0 (src):    libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Manager Proxy 4.0 (src):    libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Linux Enterprise Installer 15-SP1 (src):    libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Enterprise Storage 6 (src):    libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE CaaS Platform 4.0 (src):    libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.