----------------------- testreport log -------------------------------
SUMMARY:FAILED
comment: A regression has been found: the new CipherSuite option produces an error and prevents establishing a TLS1 connection to the remote host over FTP. The other two bug reports were fixed in the previous version.
$Author: pgeorgiadis $
Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64), SLES4VMWARE 11-SP3 (i386, x86_64), SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64), SLE-DESKTOP 11-SP3 (i386, x86_64)
Category: security
SAT Patch No: 9944
MD5 sum: ac2aba5516857ac48ef10e9ae01e12a2
SUBSWAMPID: 59609
Packager: [email protected]
Bugs: 902229, 828469, 856424
Repository: http://hilbert.nue.suse.com/abuildstat/patchinfo/ac2aba5516857ac48ef10e9ae01e12a2/
Packages: pure-ftpd >= 1.0.22-3.23.1
SRCRPMs: pure-ftpd
Test Plan Reviewers: Johannes Segitz <[email protected]>
Testplatform: base=sles(major=11,minor=sp3);arch=[i386,s390x,x86_64]
Testplatform: base=sled(major=11,minor=sp3);arch=[i386,x86_64]
#############################
Test results by product-arch:
#############################
sled11sp3-i386 (reference host: bashir.qam.suse.de)
--------------
before:
pure-ftpd-1.0.22-3.21.1
after:
pure-ftpd-1.0.22-3.23.1
scripts:
all_updated : SUCCEEDED
dependencies : SUCCEEDED
from_same_srcrpm : SUCCEEDED
initrd_state : SUCCEEDED
multiple-owners : SUCCEEDED
new_dependencies : SUCCEEDED
new_licenses : SUCCEEDED
vendor_and_disturl : SUCCEEDED
=> PASSED
comment: (none)
sled11sp3-x86_64 (reference host: jadzia.qam.suse.de)
----------------
before:
pure-ftpd-1.0.22-3.21.1
after:
pure-ftpd-1.0.22-3.23.1
scripts:
all_updated : SUCCEEDED
dependencies : SUCCEEDED
from_same_srcrpm : SUCCEEDED
initrd_state : SUCCEEDED
multiple-owners : SUCCEEDED
new_dependencies : SUCCEEDED
new_licenses : SUCCEEDED
vendor_and_disturl : SUCCEEDED
=> PASSED
comment: (none)
sles11sp3-i386 (reference host: dukat.qam.suse.de)
--------------
before:
pure-ftpd-1.0.22-3.21.1
after:
pure-ftpd-1.0.22-3.23.1
scripts:
all_updated : SUCCEEDED
dependencies : SUCCEEDED
from_same_srcrpm : SUCCEEDED
initrd_state : SUCCEEDED
multiple-owners : SUCCEEDED
new_dependencies : SUCCEEDED
new_licenses : SUCCEEDED
vendor_and_disturl : SUCCEEDED
=> PASSED
comment: (none)
sles11sp3-s390x (reference host: s390vsw068.suse.de)
---------------
before:
pure-ftpd-1.0.22-3.21.1
after:
pure-ftpd-1.0.22-3.23.1
scripts:
all_updated : SUCCEEDED
dependencies : SUCCEEDED
from_same_srcrpm : SUCCEEDED
initrd_state : SUCCEEDED
multiple-owners : SUCCEEDED
new_dependencies : SUCCEEDED
new_licenses : SUCCEEDED
vendor_and_disturl : SUCCEEDED
=> PASSED
comment: (none)
sles11sp3-x86_64 (reference host: sisko.qam.suse.de)
----------------
before:
pure-ftpd-1.0.22-3.21.1
after:
pure-ftpd-1.0.22-3.23.1
scripts:
all_updated : SUCCEEDED
dependencies : SUCCEEDED
from_same_srcrpm : SUCCEEDED
initrd_state : SUCCEEDED
multiple-owners : SUCCEEDED
new_dependencies : SUCCEEDED
new_licenses : SUCCEEDED
vendor_and_disturl : SUCCEEDED
=> PASSED
comment: (none)
########################
notes for/by the tester:
########################
Bug #902229 ("VUL-0: CVE-2014-3566: pure-ftpd: FTP sus..."):
------------------------------------------------------------
https://bugzilla.suse.com/show_bug.cgi?id=902229
REPRODUCER_PRESENT: YES
REPRODUCER_COVERAGE: YES
REPRODUCER_APPLICABLE: YES
REPRODUCER_WORKING: YES
REPRODUCER_AUTOMATABLE: YES
...
setup - configuration you need:
# Make sure you are using the vulnerable version of pure-ftpd (pure-ftpd 1.0.22-3.21.1)
zypper se -s pure-ftpd
S | Name | Type | Version | Arch | Repository
--+-------------------+------------+---------------+--------+-----------------------
i | pure-ftpd | package | 1.0.22-3.21.1 | x86_64 | SLE11SP3-SERVER-UPDATE <-- version check confirmed
v | pure-ftpd | package | 1.0.22-3.19.1 | x86_64 | SLE11SP3-SERVER
| pure-ftpd | srcpackage | 1.0.22-3.21.1 | noarch | SLE11SP3-SERVER-UPDATE
| slessp3-pure-ftpd | patch | 9849 | noarch | SLE11SP3-SERVER-UPDATE
# Create the OpenSSL cert
mkdir -p /etc/ssl/private/
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
chmod 600 /etc/ssl/private/pure-ftpd.pem
# Stop and restart (loading the configuration) the pure-ftpd daemon
service pure-ftpd stop
/usr/sbin/pure-config.pl /etc/pure-ftpd/pure-ftpd.conf # starts the service using the configuration from the /etc/pure-ftpd/pure-ftpd.conf
# Configure syslog-ng to write FTP logs to a separate file
vim /etc/syslog-ng/syslog-ng.conf
# and add
destination d_ftp { file("/var/log/pure-ftpd.log"); };
filter f_ftp {
facility(ftp);
};
log { source(src); filter(f_ftp); destination(d_ftp); };
# restart the syslog-ng
killall -HUP syslogd
# Monitor the /var/log/pure-ftpd.log
tail -f /var/log/pure-ftpd.log
# Test commands
for SSL3: openssl s_client -starttls ftp -ssl3 -connect sisko.qam.suse.de:21
for SSL2: openssl s_client -starttls ftp -ssl2 -connect sisko.qam.suse.de:21
for TLS1: openssl s_client -starttls ftp -tls1 -connect sisko.qam.suse.de:21
# Start testing
-> Please check the following table (overview)
State  | Config                        | SSL3  | SSL2  | TLS1  | Command-Line
=======+===============================+=======+=======+=======+======================================================================================================================================
before | Default                       | --    | -     | --    | /usr/sbin/pure-ftpd -A -c10 -B -C3 -d -z -D -e -fftp -H -I15 -lpam -L2000:8 -m4 -p30000:30100 -s -u40 -x -r -i -k99 -G -Z
-------+-------------------------------+-------+-------+-------+--------------------------------------------------------------------------------------------------------------------------------------
before | TLS 1 Verbose                 | works | works | works | /usr/sbin/pure-ftpd -A -c10 -B -C3 -d -z -D -e -fftp -H -I15 -lpam -L2000:8 -m4 -p30000:30100 -s -u40 -x -r -i -k99 -G -Z -Y1
=======+===============================+=======+=======+=======+======================================================================================================================================
after  | Default                       | --    | -     | --    | /usr/sbin/pure-ftpd -A -c10 -B -C3 -d -z -D -e -fftp -H -I15 -lpam -L2000:8 -m4 -p30000:30100 -s -u40 -x -r -i -k99 -G -Z
-------+-------------------------------+-------+-------+-------+--------------------------------------------------------------------------------------------------------------------------------------
after  | TLS 1 Verbose                 | works | works | works | /usr/sbin/pure-ftpd -A -c10 -B -C3 -d -z -D -e -fftp -H -I15 -lpam -L2000:8 -m4 -p30000:30100 -s -u40 -x -r -i -k99 -G -Z -Y1
-------+-------------------------------+-------+-------+-------+--------------------------------------------------------------------------------------------------------------------------------------
after  | TLS 1 Verbose CipherSuite [*] | ---   | ---   | ---   | /usr/sbin/pure-ftpd -A -c10 -B -C3 -d -z -D -e -fftp -H -I15 -lpam -L2000:8 -m4 -p30000:30100 -s -u40 -x -r -i -k99 -G -Z -Y1 -JHIGH:MEDIUM:+TLSv1:!SSLv2:+!SSLv3
-------+-------------------------------+-------+-------+-------+--------------------------------------------------------------------------------------------------------------------------------------
  ^
  |
Regression found (last row: after, TLS 1 Verbose CipherSuite)
Explanation:
'before' means:
The vulnerable version pure-ftpd-1.0.22-3.21.1
'after' means:
The new patched version pure-ftpd-1.0.22-3.23.1
'default' means:
No changes in the /etc/pure-ftpd/pure-ftpd.conf
'TLS 1 Verbose' means:
# configure pure-ftpd to accept TLS authentication.
--> Edit the configuration file /etc/pure-ftpd/pure-ftpd.conf, uncomment and change: '# TLS 1' ==> 'TLS 1'
# configure pure-ftpd to log itself as ftp in syslog-ng
--> Edit the configuration file /etc/pure-ftpd/pure-ftpd.conf, uncomment and change: 'VerboseLog no' ==> 'VerboseLog yes'
'CipherSuite' means:
# configure pure-ftpd to use the new CipherSuite option that fixes the problem
--> Edit the configuration file /etc/pure-ftpd/pure-ftpd.conf, uncomment and change: '#TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+!SSLv3' ==> 'TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+!SSLv3'
'-' means:
CONNECTED(00000003)
(it hangs there; I have to press CTRL+C)
'--' means:
CONNECTED(00000003)
56309:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:281:
'---' means:
socket: Connection refused
connect:errno=111
'[*]' means:
Nov 18 14:57:29 s390vsw068 pure-ftpd: (?@?) [ERROR] SSL/TLS: Invalid TLSCipherSuite specified 'HIGH:MEDIUM:+TLSv1:!SSLv2:+!SSLv3'
-> it seems that this new option is not valid
'works' means:
Nov 18 14:55:45 s390vsw068 pure-ftpd: ([email protected]) [DEBUG] Command [auth] [TLS]
Nov 18 14:55:45 s390vsw068 pure-ftpd: ([email protected]) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with AES256-SHA, 256 secret bits cipher
(I am pressing CTRL+C)
Nov 18 14:55:47 s390vsw068 pure-ftpd: ([email protected]) [INFO] Logout.
Comments:
[1] After applying the update, the new option 'TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+!SSLv3' is not used by default; it is commented out.
[2] If enabled, TLS1 fails along with SSL3 and SSL2 (which should not be the case).
[3] If enabled, and if you monitor the syslog-ng output, you will catch an error: pure-ftpd: (?@?) [ERROR] SSL/TLS: Invalid TLSCipherSuite specified 'HIGH:MEDIUM:+TLSv1:!SSLv2:+!SSLv3'
According to the bug-report, it should be:
BEFORE | AFTER
-------------------------
SSL3: YES | NO
SSL2: YES | NO
TLS1: YES | YES
but what I get is:
BEFORE | AFTER
-------------------------
SSL3: YES | NO
SSL2: YES | NO
TLS1: YES | NO <- TLS1 is not working, but it was supposed to
After some searching I found out that the online documentation on GitHub has a new README (https://github.com/jedisct1/pure-ftpd/blob/master/README) with
the description "Disabling SSLv3 was already supported", which says:
- '-J <ciphers>': Sets the list of ciphers that will be accepted for
SSL/TLS connections.
For example: -J -S:HIGH:MEDIUM
Prefixing the list with -S: totally disables SSLv3, which is highly
recommended if you don't have to support old clients.
SSLv2 is always disabled.
The '-S:' prefix is missing from our documentation (manpage). Also, the code for this option does not seem to have been backported.
I did a diff between GitHub's ftpd.c and our package's ftpd.c and searched for "case 'J'", which handles the CipherSuite option:
wget http://qam.suse.de/testreports/ac2aba5516857ac48ef10e9ae01e12a2/diff
panos@g82:~> cat diff | grep -A 10 -- "case 'J'"
+case 'J': {
+if (strncmp(optarg, "-S:", sizeof "-S:" - (size_t) 1U) == 0) {
+optarg += sizeof "-S:" - (size_t) 1U;
+ssl_disabled = 1;
+}
+if ((tlsciphersuite = strdup(optarg)) == NULL) {
+die_mem();
+}
+break;
+}
+#endif
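Review bot: the `-S:` prefix is stripped and `ssl_disabled = 1` is set, but nothing in the visible lines shows where `ssl_disabled` is consumed, and the prefix is only recognised as an exact, case-sensitive prefix at the start of the string; a backport has to carry the code that acts on `ssl_disabled` together with the `TLSCipherSuite` config-file path, and the manpage entry for `-J <ciphers>` should describe the `-S:` prefix, which the notes above say the shipped manpage lacks.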
As you can see, the implementation of the '-S:' prefix that disables SSLv3 is missing from our source code.
In addition, the only option that doesn't produce an error in the configuration file is
--> TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
Testing this one, SSLv2 is blocked while SSLv3 and TLS1 are allowed.
Mind also that TLSv1 ciphers are flagged as SSLv3 (I don't know if this is relevant):
openssl ciphers -v 'TLSv1' | sort
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
ADH-CAMELLIA128-SHA SSLv3 Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
ADH-CAMELLIA256-SHA SSLv3 Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-DES-CBC-SHA SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1
ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
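As an added example (not part of this test report or of pure-ftpd), the following Python reproduces two things discussed above: the upstream '-S:' prefix handling from the quoted "case 'J'" hunk, and the OpenSSL cipher-string parse that makes the daemon log "Invalid TLSCipherSuite specified". The function names are my own; the parse is done by the local OpenSSL through Python's ssl module.

```python
import ssl

SSLV3_OFF_PREFIX = "-S:"


def parse_tls_ciphersuite(value):
    """Mirror the upstream '-J' handling from the quoted hunk: a leading
    '-S:' asks for SSLv3 to be disabled and is stripped before the rest
    is handed to OpenSSL as the cipher list.  Returns (disable_sslv3, list)."""
    disable_sslv3 = value.startswith(SSLV3_OFF_PREFIX)
    if disable_sslv3:
        value = value[len(SSLV3_OFF_PREFIX):]
    return disable_sslv3, value


def openssl_accepts(cipher_list):
    """True if the local OpenSSL parses cipher_list.  SSL_CTX_set_cipher_list
    failing on the same string is what produces pure-ftpd's
    '[ERROR] SSL/TLS: Invalid TLSCipherSuite specified' log line."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return False
    return True


def check_config_value(value):
    """Validate a TLSCipherSuite value the way the patched daemon would:
    strip the -S: prefix, then let OpenSSL parse the remainder.  Run this
    before restarting the daemon so a typo cannot take FTP-TLS down."""
    disable_sslv3, cipher_list = parse_tls_ciphersuite(value)
    return {
        "sslv3_disabled": disable_sslv3,
        "cipher_list": cipher_list,
        "accepted": openssl_accepts(cipher_list),
    }


if __name__ == "__main__":
    # Constructed inputs: the shipped (commented-out) default, which OpenSSL
    # rejects because '+!' is not a valid rule prefix; the only variant that
    # parses, which still leaves SSLv3 enabled; and the upstream README form.
    for value in ("HIGH:MEDIUM:+TLSv1:!SSLv2:+!SSLv3",
                  "HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3",
                  "-S:HIGH:MEDIUM"):
        print(value, "->", check_config_value(value))
```

Cipher-string aliases such as SSLv3 and TLSv1 select cipher suites, not protocol versions (which is why the ciphers listed above are all flagged SSLv3), so a cipher list alone cannot switch SSLv3 off; that is what the -S: prefix is for.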