Message-ID: <874lu7uccv.fsf@grahamc.com>
Date: Wed, 19 Jul 2017 21:27:12 -0400
From: Graham Christensen <graham@...hamc.com>
To: oss-security@...ts.openwall.com
Subject: NIX-2017-0003: LDAP with useTLS option disabled TLS peer verification

Hello,

Attached is a NixOS security advisory. It is part of a greater security-related effort within the NixOS community. It is signed by me, a member of the NixOS security team (https://nixos.org/nixos/security.html).

As we are a growing community, and as we grow our security-focused efforts, we would like to ultimately seek membership in the distro list. We do not meet the requirements at this time, in particular the private build infrastructure. However, in an effort to improve our process, I would be interested in the community's feedback on our advisory format.

Note we are still working to file for a CVE on this issue.

Although I accidentally left out a link to the original issue (https://github.com/NixOS/nixpkgs/issues/27506) in this one, all subsequent advisories will include issue links.

Nix Security Advisory NIX-2017-0003
2017-07-19
---------------------
LDAP with useTLS disabled TLS peer verification

Description
===========

The users.ldap NixOS module implements user authentication against LDAP servers via a PAM module. It was found that if TLS is enabled to connect to the LDAP server with users.ldap.useTLS, peer verification will be unconditionally disabled in /etc/ldap.conf.

Impact
======

A man-in-the-middle attack can be performed by an attacker between a machine with enabled LDAP authentication and the LDAP server. Even though TLS is enabled, an attacker is able to impersonate the LDAP server with an invalid certificate. Attackers might be able to steal user password hashes or service account credentials in plaintext.

Vulnerable Systems
==================

NixOS 16.09 and earlier releases are unsupported and vulnerable.
Distribution      First Non-Vulnerable Commit
------------      ---------------------------
nixos-17.03       b3fa6295ad5a040a1628cb89da26a0f6c347ac65
nixos-unstable    2b2a6f20701c4740526a8976f3ac60fc6be797e2

Channel               First Non-Vulnerable Release
-------               ----------------------------
nixos-17.03-small     nixos-17.03.1581.b3fa6295ad
nixos-17.03           expected within 3 hours
nixos-unstable-small  unknown
nixos-unstable        unknown

Mitigation
==========

Option A: Set users.ldap.useTLS to false, and manually specify TLS in the extraConfig:

    {
      users.ldap.useTLS = false;
      users.ldap.extraConfig = ''
        ssl start_tls
      '';
    }

Option B: Switch your NixOS channel to nixos-17.03-small, update, and nixos-rebuild switch:

    # nix-channel --add https://nixos.org/channels/nixos-17.03-small nixos
    # nix-channel --update
    # nixos-rebuild switch

Resolution
==========

NixOS now does not add "tls_checkpeer no" to the LDAP configuration when users.ldap.useTLS is enabled. Users who need this behavior can add it back via the users.ldap.extraConfig option.
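As an added example (not part of the advisory or of the NixOS module), the following Python check flags the /etc/ldap.conf pattern the advisory describes: TLS requested while "tls_checkpeer no" is present. The sample configurations are constructed, and treating "ssl on" or an ldaps:// URI as a TLS request is this example's own assumption beyond the "ssl start_tls" form the advisory shows.

```python
import re
from typing import Dict, List

# Constructed sample resembling the /etc/ldap.conf the affected module wrote:
# TLS requested via start_tls, but peer verification switched off.
VULNERABLE_CONF = """\
# generated by NixOS users.ldap (constructed sample)
uri ldap://ldap.example.internal
base dc=example,dc=com
ssl start_tls
tls_checkpeer no
"""

# Same configuration with the "tls_checkpeer no" line no longer emitted.
FIXED_CONF = VULNERABLE_CONF.replace("tls_checkpeer no\n", "")


def parse_ldap_conf(text: str) -> Dict[str, List[str]]:
    """Parse pam_ldap/nss_ldap style 'option value' lines: names are
    case-insensitive, '#' starts a comment, every occurrence is kept."""
    options: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        value = parts[1] if len(parts) > 1 else ""
        options.setdefault(parts[0].lower(), []).append(value)
    return options


def tls_requested(options: Dict[str, List[str]]) -> bool:
    """True if TLS is asked for: 'ssl start_tls', 'ssl on' or an ldaps:// URI."""
    ssl_values = [v.lower() for v in options.get("ssl", [])]
    uris = " ".join(options.get("uri", [])).lower()
    return any(v in ("start_tls", "on") for v in ssl_values) or "ldaps://" in uris


def peer_verification_disabled(options: Dict[str, List[str]]) -> bool:
    """Conservative: any 'tls_checkpeer no' counts as verification disabled."""
    return any(v.lower() == "no" for v in options.get("tls_checkpeer", []))


def audit(text: str) -> List[str]:
    """Findings for the NIX-2017-0003 pattern; empty list when the config is clean."""
    options = parse_ldap_conf(text)
    if tls_requested(options) and peer_verification_disabled(options):
        return ["TLS requested but 'tls_checkpeer no' is set: the LDAP server's "
                "certificate is never verified, so an impersonating server is accepted"]
    return []
```

Running audit() over the vulnerable sample yields one finding; the same configuration without the tls_checkpeer line yields none, which is what the 17.03 fix produces.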