tls: sni hostname is not verified #6212

Closed
muffins opened this issue Jan 29, 2020 · 2 comments · Fixed by #6197
muffins commented Jan 29, 2020

Bug report

Because osquery does not correctly verify the TLS SNI hostname, it may be possible to present a valid certificate for a different TLS endpoint and, in the absence of a configured root chain of trust in osquery, MitM osquery traffic.

What operating system and version are you using?

This bug impacts all operating systems leveraging the TLS plugin

What version of osquery are you using?

This bug looks to impact versions of osquery >= 2.10.0 through 4.1.2

$ apt-cache show osquery | head -n20
Architecture: amd64
Depends: libc6 (>=2.12), zlib1g
Description: osquery is an operating system instrumentation toolchain.
Description-md5: 2a4e0eb035860a3cbfe12237817e68c5
Homepage: https://osquery.io
Maintainer: osquery@osquery.io
Package: osquery
Priority: extra
Section: default
Version: 4.1.2-1.linux
Installed-Size: 54239
Filename: pool/deb/main/o/osquery/osquery_4.1.2-1.linux_amd64.deb
MD5sum: cc1064ec6fd9cb4c90d3cc91f062233b
SHA1: d6474b01dbdc47bf15bb82e349710e4328d16144
SHA256: 87fb9019dc7469baf4beb74ae9267bb2cf4855d943d089db1b4addf22974a076
SHA512: f3beda39a92ce08128f3e3a6b0ff9605453cc7ec03cf4f7badc9308f3f2593b891b1ed1d9b9de465cf3a35e3871286b0bc294bd071491bbfa7a21746773980a9
Size: 9705630

What steps did you take to reproduce the issue?

hashicorp/bionic64 vagrant box
osquery 4.1.2 from upstream repo
Certs generated on the fly:
    Echo server using /logger using leaf
    Osquery client given tls_server_certs path to root
Osquery client sending logs:
$ wc -l /tmp/osquery-test.log
389 /tmp/osquery-test.log
Jan 22 21:20:48 vagrant osqueryd[15177]: I0122 21:20:48.295653 15215 tls.cpp:253] TLS/HTTPS POST request to URI: https://localhost:1337/logger
$ curl --cacert /tmp/root_ca.cert.pem https://localhost:1337
curl: (51) SSL: certificate subject name 'osquery-test-ca Intermediate CA' does not match target host name 'localhost'
$ sudo cat /etc/osquery/osquery.flags
--disable_extensions=false
--disable_enrollment=true
--extensions_timeout=10
--extensions_interval=10
--extensions_autoload=/etc/osquery/extensions.load
--disable_tables=process_env
--database_path=/var/osquery/osquery.db/
--disable_watchdog=true
--extensions_default_index=false
    "options": {
        "audit_allow_config": "false",
        "audit_allow_fim_events": "false",
        "audit_allow_fork_process_events": "false",
        "audit_allow_process_events": "false",
        "audit_allow_selinux_events": "false",
        "audit_allow_sockets": "false",
        "audit_allow_user_events": "false",
        "audit_backlog_limit": "4096",
        "audit_backlog_wait_time": "0",
        "audit_force_reconfigure": "false",
        "audit_persist": "false",
        "buffered_log_max": "1000000",
        "database_path": "/var/osquery/osquery.db",
        "disable_audit": "true",
        "disable_enrollment": "true",
        "disable_events": "true",
        "disable_logging": "false",
        "enable_syslog": "false",
        "events_expiry": "1",
        "events_max": "100000",
        "events_optimize": "true",
        "logger_min_status": "1",
        "logger_plugin": "tls",
        "logger_tls_endpoint": "/logger",
        "logger_tls_period": "1",
        "read_max": "52428800",
        "tls_hostname": "localhost:1337",
        "tls_server_certs": "/tmp/root_ca.cert.pem",
        "utc": "false"
    },
Server cert:
$ openssl x509 -in /tmp/ca.cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            75:c1:7e:0b:76:25:7c:ae:84:da:c7:3d:78:ab:52:7d:f5:23:af:e2
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = osquery-test-ca Root CA
        Validity
            Not Before: Jan 22 21:13:04 2020 GMT
            Not After : Jan 21 21:13:04 2021 GMT
        Subject: CN = osquery-test-ca Intermediate CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:bb:79:52:ec:b4:c2:c6:ee:06:66:92:b1:4a:f9:
                    4e:2b:26:02:63:47:c3:63:13:60:fa:13:97:11:a6:
                    b7:4c:a0:50:58:3b:78:4c:54:96:d6:76:f3:eb:f5:
                    b7:db:09:ed:ce:e8:f3:65:d5:b2:3d:4b:14:f0:dd:
                    37:4c:59:37:41:37:12:cc:ef:70:e8:4f:05:72:e9:
                    f3:96:9e:e1:77:9c:1b:f0:26:17:d3:55:00:97:a6:
                    72:03:95:a8:09:4c:f3:81:57:37:f7:d8:1a:a3:ec:
                    da:60:b4:51:5c:2c:bb:4d:93:01:26:69:c4:c9:b6:
                    83:a3:ce:4b:26:82:e2:1f:d7:2e:1f:eb:bc:a3:ad:
                    c3:08:29:94:51:47:6c:c7:ca:92:40:25:ca:1b:8b:
                    3d:9e:a8:4f:d2:5b:cf:b8:a0:28:32:9b:79:36:5f:
                    bc:3b:71:62:03:dc:fd:1b:83:54:06:0e:95:8d:3b:
                    ca:80:60:2c:62:17:b1:75:cb:3a:7d:b3:15:74:87:
                    0c:4d:38:fc:09:79:5e:63:4e:14:a2:28:5f:6c:de:
                    f5:0c:3b:2d:dd:a4:43:1f:40:65:3b:7f:b3:7c:40:
                    c7:3f:57:81:45:e0:cc:a9:c6:86:31:84:19:9a:57:
                    f3:50:2c:e2:7a:5c:df:5d:7a:e7:ec:8d:ac:a7:5d:
                    ef:85
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         6b:f9:7b:cf:57:20:5e:32:bd:67:85:ad:83:1b:99:ad:bb:f1:
         87:b8:40:3d:2c:5c:8d:b3:87:30:62:32:47:51:8f:37:3a:db:
         a9:6d:a0:09:66:ee:bf:2b:bf:d3:5d:c7:80:6a:5d:9e:db:c3:
         d0:9a:33:47:4e:a0:83:21:12:5c:a2:84:a3:8c:ca:a2:0e:29:
         2b:58:0b:ec:67:e0:05:d6:19:03:e7:4a:53:2b:ec:60:dc:3a:
         bc:07:62:cf:62:89:f0:f0:82:c8:ab:92:d2:42:50:c2:5c:c1:
         5f:19:c7:c5:ac:b3:37:94:e7:56:bf:bf:73:6a:45:e6:1c:dd:
         b9:72:95:05:fd:c0:e1:d5:69:ea:7b:cb:3f:7f:89:e4:81:b7:
         22:20:27:23:eb:88:93:d1:90:48:bf:b5:fd:42:14:37:5d:7d:
         d5:70:83:1e:35:db:7b:4a:45:b0:aa:d6:0b:34:2a:62:96:08:
         9c:39:c7:12:ee:4b:a8:f3:46:c8:5a:2b:51:31:7c:41:1c:f5:
         44:bb:d1:51:d0:dd:f1:69:c9:ba:3c:14:41:76:d6:eb:87:b1:
         72:d5:13:39:3c:8d:c3:66:96:b3:51:d9:f8:f8:a5:a2:e8:df:
         56:99:f0:cd:30:bf:ea:ec:5a:74:a2:48:81:69:26:6f:3a:09:
         89:14:98:b2
$ openssl x509 -in /tmp/root_ca.cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            07:3f:94:58:91:aa:ea:b0:29:02:81:79:79:8d:c5:1f:ac:2c:33:fa
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = osquery-test-ca Root CA
        Validity
            Not Before: Jan 22 21:13:04 2020 GMT
            Not After : Jan 21 21:13:04 2021 GMT
        Subject: CN = osquery-test-ca Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a3:f7:ac:28:a5:d7:1a:04:81:c9:c1:ff:9d:51:
                    b7:2d:1c:9f:fd:34:49:5e:dd:fc:98:3e:7d:3c:28:
                    c0:d7:6e:34:ea:d7:6e:56:50:66:e6:53:d6:b4:8c:
                    e3:13:93:1a:a2:76:9e:7e:63:e2:56:97:39:c2:33:
                    66:9d:96:09:b0:98:65:c5:57:6b:bd:94:8f:ba:97:
                    63:01:5d:19:50:15:86:72:db:51:0b:36:6b:06:83:
                    47:ad:17:f3:8a:ec:96:76:6b:bf:41:26:61:b7:9e:
                    99:1a:94:7c:61:a2:53:9e:88:6a:82:de:6d:12:c0:
                    88:be:6c:d8:f6:c7:18:e1:9f:9d:a9:47:8d:67:e8:
                    33:0b:c4:10:7d:24:a2:92:8a:e5:84:7f:0a:94:88:
                    fe:2e:79:a3:1b:aa:69:35:f2:f0:91:fb:25:d9:46:
                    b7:5b:05:68:b9:a9:b7:e8:91:a5:96:be:f6:2a:2f:
                    6a:de:d9:fa:0c:29:37:3b:83:b7:5d:01:ad:53:c4:
                    6f:68:ab:61:e2:7a:f4:7d:5e:55:73:42:45:86:c0:
                    13:56:cb:c2:98:23:32:8b:d6:9f:f8:73:45:12:a8:
                    c0:af:ea:b0:fe:05:15:cb:a9:58:13:a3:fd:d2:7f:
                    57:0e:d5:4b:53:ab:0f:82:c6:51:91:03:12:dd:bb:
                    e0:b3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         52:54:ea:53:58:35:85:f3:db:9a:7c:27:09:fe:44:50:db:7c:
         8b:d0:56:2b:79:c4:da:71:9c:9f:4b:c1:4a:f5:cc:86:6a:bc:
         5d:e7:97:2f:79:28:08:19:b0:5f:22:b1:c3:b8:49:89:c6:0a:
         9f:3c:e0:76:9e:be:65:ef:76:e6:c6:9a:5c:b6:17:d2:24:da:
         91:b1:17:58:85:1e:7c:65:c2:78:e6:de:67:5c:3c:0a:83:e4:
         11:f0:79:bb:65:97:65:cf:b4:0c:73:42:a9:45:22:6b:4e:64:
         30:b5:56:a5:dc:83:bb:27:ec:3b:e6:f5:1b:3f:8f:d0:6c:7f:
         b9:3b:b3:d7:4a:c9:47:af:c4:e8:4f:48:28:a2:40:53:10:b3:
         76:77:83:91:6a:a3:9a:b6:0e:f5:f8:79:47:e8:54:d7:24:27:
         97:04:94:37:c3:2d:fd:b5:fc:31:29:1d:71:1b:f6:a9:81:3f:
         d2:bc:ae:6b:d3:ed:5b:2c:14:f1:7f:af:36:20:d5:8b:b7:9d:
         60:24:6b:5e:60:52:e0:8d:3f:ea:7e:b8:50:af:79:f0:8b:bd:
         a1:30:58:6b:88:62:87:8b:cc:cf:46:07:75:5e:7e:99:7a:2b:
         9f:fb:dd:ca:70:57:f2:e3:da:d6:0e:05:c7:75:fc:c1:9e:9d:
         08:82:3e:f4

What did you expect to see?

Jan 22 22:06:56 vagrant osqueryd[19404]: I0122 22:06:56.623562 19445 buffered.cpp:74] Error sending results to logger: Request error: certificate verify failed

What did you see instead?

TLS Results and requests are successfully processed.

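The check the report says is missing, written out as an added example (not osquery's TLS plugin code and not the fix in #6197): an RFC 6125-style hostname matcher run over certificate dicts in the shape Python's `ssl.SSLSocket.getpeercert()` returns, fed with the values from this report (a configured `tls_hostname` of `localhost:1337` and a server cert whose only name is the CN `osquery-test-ca Intermediate CA`), plus the client context in which the standard library applies the same check itself. The certificate dicts and all function names are constructed for this example.

```python
"""Hostname verification that a TLS client must apply to the peer certificate.
Added example for this issue; it is not osquery's TLS plugin code and not the
fix from #6197. Certificate dicts below are constructed in the shape that
Python's ssl.SSLSocket.getpeercert() returns."""
import ipaddress
import ssl
from typing import Optional
from urllib.parse import urlsplit

# Constructed from the report: the cert the echo server presented carries no
# subjectAltName, and its CN is not a host name at all.
INTERMEDIATE_CA_CERT = {
    "subject": ((("commonName", "osquery-test-ca Intermediate CA"),),),
    "issuer": ((("commonName", "osquery-test-ca Root CA"),),),
}

# Constructed: what a correct leaf for the configured endpoint would carry.
GOOD_LEAF_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"), ("IP Address", "127.0.0.1")),
}


def hostname_from_tls_hostname(tls_hostname: str) -> str:
    """Reduce a 'host:port' value such as osquery's --tls_hostname to the bare
    host; the port must never take part in the certificate comparison."""
    value = tls_hostname if "://" in tls_hostname else "//" + tls_hostname
    host = urlsplit(value).hostname
    if not host:
        raise ValueError(f"no host in {tls_hostname!r}")
    return host


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """One DNS-ID comparison: case-insensitive exact match, or a wildcard that
    is the entire leftmost label of a name with at least two more labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """True only if the certificate was issued for `hostname`. subjectAltName
    is authoritative when present; the CN is consulted only for certificates
    that carry no SAN at all, and never for IP literals."""
    try:
        target_ip = ipaddress.ip_address(hostname)
    except ValueError:
        target_ip = None
    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if kind == "DNS" and target_ip is None and _dns_name_matches(value, hostname):
                return True
            if kind == "IP Address" and target_ip is not None:
                try:
                    if ipaddress.ip_address(value) == target_ip:
                        return True
                except ValueError:
                    continue
        return False
    if target_ip is not None:
        return False
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def hardened_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context in which the library performs this check itself:
    PROTOCOL_TLS_CLIENT sets check_hostname=True and CERT_REQUIRED by default.
    With a private root such as --tls_server_certs, load only that file so the
    system store cannot vouch for the server instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    return ctx


if __name__ == "__main__":
    host = hostname_from_tls_hostname("localhost:1337")
    print(host, hostname_matches_cert(INTERMEDIATE_CA_CERT, host))  # localhost False
    print(host, hostname_matches_cert(GOOD_LEAF_CERT, host))        # localhost True
```

When the context is used, `ctx.wrap_socket(sock, server_hostname=host)` takes the same bare host: it is sent in the SNI extension and is what the library compares against the certificate, and with `check_hostname=True` omitting `server_hostname` raises rather than silently skipping the check, which is exactly the coupling this report describes as absent.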
muffins commented Jan 30, 2020

As an update, it looks like #6170 is going to bring a lot of our python integration testing for the TLS communications online. I'm going to hold off on building anything heavy until that ships. Once it's landed we should be able to tweak some of those tests to replicate this bug, and then #6197 should have some decent testing enabled for it and we can close this out!

@directionless directionless modified the milestones: 4.2.0, 4.2.1 Jan 30, 2020
@Smjert Smjert modified the milestones: 4.2.1, 4.2.0 Feb 6, 2020
jonm01 commented Feb 25, 2020

CVE-2020-1887
