Bug 1038984 (CVE-2017-7435)

Summary:	VUL-0: CVE-2017-7435, CVE-2017-7436: libzypp: rpm-md repository security downgrade
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Forgotten User x85cQNZX8A <forgotten_x85cQNZX8A>
Component:	Incidents	Assignee:	Michael Andres <ma>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Major
Priority:	P3 - Medium	CC:	astieger, david, jsegitz, kkaempf, maint-coord, meissner, saweber, security-team
Version:	unspecified
Target Milestone:	unspecified
Hardware:	All
OS:	Other
Whiteboard:	CVSSv3:SUSE:CVE-2017-7436:8.1:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv2:SUSE:CVE-2017-7436:7.6:(AV:N/AC:H/Au:N/C:C/I:C/A:C) CVSSv2:SUSE:CVE-2017-7435:7.6:(AV:N/AC:H/Au:N/C:C/I:C/A:C) CVSSv3:SUSE:CVE-2017-7435:8.1:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv2:NVD:CVE-2017-7436:9.3:(AV:N/AC:M/Au:N/C:C/I:C/A:C) CVSSv3:NVD:CVE-2017-7436:8.1:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv2:NVD:CVE-2017-7435:9.3:(AV:N/AC:M/Au:N/C:C/I:C/A:C) CVSSv3:NVD:CVE-2017-7435:8.1:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Forgotten User x85cQNZX8A 2017-05-13 10:37:28 UTC

TLL;DR: It's possible to replace a signed rpm-md repository with an unsigned one and the machine using it will not notice.

This is a long set of infortunate choices, which degrade repository security:
1. gpgcheck=1 in /etc/zypp/repos.d/ defaults to both repo_gpgcheck=1 and pkg_gpgcheck=1 at configuration parsing.
2. Package downloader is satisfied by either of the conditions enabled - signature of either repository or of the package. Since pkg_gpgcheck is 1 by default, it accepts an unsigned repository.
3. libzypp checks signatures on the downloaded package, and it relies on rpm to do the verification. Since rpm does not find any signature in the package, but the checksums are correct, it returns that the package is fine.
4. Package gets installed

Thus an example rpm-md repository, which had the repository signed (and perhaps even packages), like this:

[repo]
name=An rpm-md repository
enabled=1
autorefresh=1
baseurl=http://repo.example.com/
type=rpm-md
gpgcheck=1

can be directed (by the way of DNS, IP spoofing, or remote server compromise), to an unsigned repository with unsigned packages.

The gpgcheck=1 option suggests that we are ensuring some kind of GPG verification of the package origin, thus we should be safe from using unencrypted HTTP - after all, the package repository contents are not secret, thus no need for encryption. Using HTTPS would make it harder to do IP or DNS spoofing.

ad. 1.
zypp.conf:
## Signature checking (repodata and rpm packages)
##
##   boolean   gpgcheck        (default: on)
##   boolean   repo_gpgcheck   (default: unset -> according to gpgcheck)
##   boolean   pkg_gpgcheck    (default: unset -> according to gpgcheck)

ad. 2.
According to https://github.com/openSUSE/zypper/issues/70, in version libzypp-15.3.0 there was a change which allowed to have *either* the rpm-md repository signed, or the package - libzypp commit 4fdccab4b649d23bf5e2e7b33c2bc4dc412d2482:

   if ( repoInfo().repoGpgCheck() )
   {
    if ( isSigned || !repoInfo().pkgGpgCheck() )

So if pkg_gpgcheck is enabled (it is by default), libzypp will not care about repository being signed or not.

ad. 3.
zypp/target/rpm/RpmDb.c calls ::rpmVerifySignatures for the downloaded package:
  qva.qva_flags = (VERIFY_DIGEST|VERIFY_SIGNATURE);
  int res = ::rpmVerifySignatures( &qva, ts, fd, path_r.basename().c_str() );

Tracing the call to rpm, rpmVerifySignatures is a wrapper around rpmpkgVerifySigs. which is also called from rpmkeys.c. Basically running:
rpmkeys -K $package
is an equivalent, as it sets the same flags to rpmpkgVerifySigs.

As one can test, rpmkeys -K is pretty happy about packages that don't contain a signature at all - all the checksums pass, so it exits with a 0 return code, the same way rpmVerifySignatures returns the information that the package is OK.

---

The problem does not directly affect the yast2 repositories, as zypper pointed to an unsigned yast2 repository prints a warning about missing signature:

File 'content' from repository 'openSUSE-42.2_OSS' is unsigned, continue? [yes/no] (no):

Ignoring this warning installs an unsigned package, but it's better than not issuing a warning at all, like the rpm-md case.

It seems the only workaround for now to make sure the repository signature is verified currently is to explicitly set pkg_gpgcheck=0 for the repository.

Comment 1 Johannes Segitz 2017-05-16 08:09:37 UTC

yes, that is problematic behavior. I would suggest that we separate this. So the user has a new setting to accept unsigned repos without confirming it and the existing setting gpgcheck without using it in the way described in the original report to skip the signing checks.

Comment 2 Michael Andres 2017-05-17 15:07:01 UTC

(In reply to Bolesław Tokarski from comment #0)
> 1. gpgcheck=1 in /etc/zypp/repos.d/ defaults to both repo_gpgcheck=1 and
> pkg_gpgcheck=1 at configuration parsing.

> ad. 1.
> zypp.conf:
> ## Signature checking (repodata and rpm packages)
> ##
> ##   boolean   gpgcheck        (default: on)
> ##   boolean   repo_gpgcheck   (default: unset -> according to gpgcheck)
> ##   boolean   pkg_gpgcheck    (default: unset -> according to gpgcheck)

Not exactly: repo_gpgcheck and pkg_gpgcheck are TriBool values. If you do not explicitly set them ON/OFF, they are 'indeterminate'. 

The default for 'indeterminate' is to enforce the package gpg check, if the repo metadata are not signed. 

If the metadata are signed, it's sufficient that the package matches the checksum stored in the metadata.

Explicitly setting repo_gpgcheck/pkg_gpgcheck to ON/OFF should always perform/skip the corresponding check.


> 2. Package downloader is satisfied by either of the conditions enabled -
> signature of either repository or of the package. Since pkg_gpgcheck is 1 by
> default, it accepts an unsigned repository.

You are right, if pkg_gpgcheck is ON, then unsigned repos are accepted even if repo_gpgcheck is ON as well. 

This needs to be fixed; repo_gpgcheck=ON must not accept unsigned repos.


> 3. libzypp checks signatures on the downloaded package, and it relies on rpm
> to do the verification. Since rpm does not find any signature in the
> package, but the checksums are correct, it returns that the package is fine.

This needs to be fixed as well.

Comment 3 Johannes Segitz 2017-05-18 11:32:19 UTC

(In reply to Michael Andres from comment #2)
> This needs to be fixed; repo_gpgcheck=ON must not accept unsigned repos.

This is CVE-2017-7435

> Since rpm does not find any signature in the
> package, but the checksums are correct, it returns that the package is fine.

This is CVE-2017-7436

Comment 12 Michael Andres 2017-07-17 15:03:10 UTC

libzypp-16.15.0 / zypper-1.13.30 provide the required behavioral changes.
Fixes also bug #1045735.

Zypper may need some more polishing regarding prompt and message texts. 

>    boolean    gpgcheck        (default: on)
>    boolean    repo_gpgcheck   (default: unset -> according to gpgcheck)
>    boolean    pkg_gpgcheck    (default: unset -> according to gpgcheck)
> 
>  Explicitly setting 'gpgcheck', 'repo_gpgcheck' 'pkg_gpgcheck' in a
>  repositories .repo file will overwrite the defaults for this specific
>  repo.
> 
>  If 'gpgcheck' is 'on' (the default) we will check the signature of repo metadata
>  (packages are secured via checksum inside the metadata). Using unsigned repos
>  needs to be confirmed.
>  Packages from signed repos are accepted if their checksum matches the checksum
>  stated in the repo metadata.
>  Packages from unsigned repos need a valid gpg signature, using unsigned packages
>  needs to be confirmed.
> 
>  The above default behavior can be tuned by explicitly setting 'repo_gpgcheck'
>  and/or 'pkg_gpgcheck':
> 
>    'repo_gpgcheck = on' same as the default.
> 
>    'repo_gpgcheck = off' will silently accept unsigned repos. It will NOT turn of
>    signature checking on the whole, nevertheless it's not a secure setting.
> 
>    'pkg_gpgcheck = on' will enforce the package signature checking and the need
>    to confirm unsigned packages for all repos (signed and unsigned).
> 
>    'pkg_gpgcheck = off' will silently accept unsigned packages. It will NOT turn of
>    signature checking on the whole, nevertheless it's not a secure setting.
> 
>  If 'gpgCheck' is 'off' (not recommended), no checks are performed. You can still
>  enable them individually by setting 'repo_gpgcheck' and/or 'pkg_gpgcheck' to 'on'.

Comment 13 Michael Andres 2017-07-17 15:22:45 UTC

Submitted MR for Factory and SLE12SP2 (omitted SP3)

Comment 14 Klaus Kämpf 2017-07-20 13:12:49 UTC

(In reply to Michael Andres from comment #13)
> Submitted MR for Factory and SLE12SP2 (omitted SP3)

This might break SUSE Manager. Just say'in ...

Comment 15 Michael Andres 2017-07-21 11:39:52 UTC

For the SUMA case:
For a short period of time, libzypp-16.15.(>=2) will silently accept unsigned packages IFF a repositories gpgcheck configuration is explicitly turned OFF like this (the SUMA case):
>    gpgcheck      = 0
>    repo_gpgcheck = 0
>    pkg_gpgcheck  = 1
This will allow already released products to adapt to the behavioral changes introduced by fixing this bug, while systems with a default configuration (gpgcheck = 1) already benefit from the fix in libzypp-16.15.*. With libzypp-16.16.* the above configuration will reject unsigned packages as it is supposed to do.

Comment 16 Swamp Workflow Management 2017-08-03 19:08:38 UTC

SUSE-SU-2017:2040-1: An update that solves three vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1009745,1031756,1033236,1038132,1038984,1043218,1045735,1047785,1048315
CVE References: CVE-2017-7435,CVE-2017-7436,CVE-2017-9269
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    libzypp-16.15.2-27.21.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    libzypp-16.15.2-27.21.1, zypper-1.13.30-18.13.3
SUSE Linux Enterprise Server 12-SP2 (src):    libzypp-16.15.2-27.21.1, zypper-1.13.30-18.13.3
SUSE Linux Enterprise Desktop 12-SP2 (src):    libzypp-16.15.2-27.21.1, zypper-1.13.30-18.13.3
OpenStack Cloud Magnum Orchestration 7 (src):    libzypp-16.15.2-27.21.1, zypper-1.13.30-18.13.3

Comment 17 Swamp Workflow Management 2017-08-09 13:20:57 UTC

openSUSE-SU-2017:2111-1: An update that solves three vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1009745,1031756,1033236,1038132,1038984,1043218,1045735,1047785,1048315
CVE References: CVE-2017-7435,CVE-2017-7436,CVE-2017-9269
Sources used:
openSUSE Leap 42.2 (src):    libzypp-16.15.2-5.9.1, zypper-1.13.30-5.9.1

Comment 18 Michael Andres 2017-08-11 12:20:28 UTC

New options to add-repo/modify-repo, to allow setting the gpg check options according to your needs have been added in zypper-1.13.31 
(see also bug #1045735#c16)

Comment 19 Michael Andres 2017-08-11 12:21:07 UTC

Fixed in zypper-1.13.31

Comment 20 Michael Andres 2017-08-11 13:48:59 UTC

Submitted for SLES12-SP2/3 (Leap-42.2/3) and Tumbleweed

Comment 21 Swamp Workflow Management 2017-08-25 16:24:05 UTC

SUSE-SU-2017:2264-1: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315
CVE References: CVE-2017-7435,CVE-2017-7436,CVE-2017-9269
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libzypp-16.15.3-2.3.1, yast2-pkg-bindings-devel-doc-3.2.4-2.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    libzypp-16.15.3-2.3.1, yast2-pkg-bindings-3.2.4-2.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    libzypp-16.15.3-2.3.1, yast2-pkg-bindings-3.2.4-2.3.1

Comment 22 Swamp Workflow Management 2017-09-02 16:10:29 UTC

openSUSE-SU-2017:2335-1: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315
CVE References: CVE-2017-7435,CVE-2017-7436,CVE-2017-9269
Sources used:
openSUSE Leap 42.3 (src):    libzypp-16.15.3-9.1, yast2-pkg-bindings-3.2.4-4.1, yast2-pkg-bindings-devel-doc-3.2.4-4.1

Comment 23 Swamp Workflow Management 2017-09-04 19:42:57 UTC

SUSE-SU-2017:2344-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (important)
Bug References: 1008325,1038984,1045735,1047785,1054088,1054671,1055920
CVE References: CVE-2017-7436
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libzypp-16.15.6-2.8.1
SUSE Linux Enterprise Server 12-SP3 (src):    libzypp-16.15.6-2.8.1, zypper-1.13.32-21.3.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    libzypp-16.15.6-2.8.1, zypper-1.13.32-21.3.2

Comment 24 Swamp Workflow Management 2017-09-06 01:15:48 UTC

openSUSE-SU-2017:2370-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (important)
Bug References: 1008325,1038984,1045735,1047785,1054088,1054671,1055920
CVE References: CVE-2017-7436
Sources used:
openSUSE Leap 42.3 (src):    libzypp-16.15.6-12.1, zypper-1.13.32-8.1

Comment 25 Swamp Workflow Management 2017-09-14 19:15:57 UTC

SUSE-SU-2017:2470-1: An update that solves 18 vulnerabilities and has 46 fixes is now available.

Category: security (important)
Bug References: 1004995,1009745,1014471,1017420,1019637,1026825,1027079,1027688,1027908,1028281,1028723,1029523,1031756,1032706,1033236,1035062,1036659,1038132,1038444,1038984,1042392,1043218,1043333,1044095,1044107,1044175,1044840,1045384,1045735,1045987,1046268,1046417,1046659,1046853,1046858,1047008,1047236,1047240,1047310,1047379,1047785,1047964,1047965,1048315,1048483,1048605,1048679,1048715,1049344,1050396,1050484,1051626,1051643,1051644,1052030,1052759,1053409,874665,902364,938657,944903,954661,960820,963041
CVE References: CVE-2013-7459,CVE-2016-9063,CVE-2017-1000100,CVE-2017-1000101,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113,CVE-2017-3308,CVE-2017-3309,CVE-2017-3453,CVE-2017-3456,CVE-2017-3464,CVE-2017-7435,CVE-2017-7436,CVE-2017-8872,CVE-2017-9233,CVE-2017-9269
Sources used:
SUSE Container as a Service Platform ALL (src):    caasp-container-manifests-0.0.0+git_r155_93e40ab-2.3.3, container-feeder-0.0.0+20170901.git_r55_17ecbd3-2.3.3, sles12-mariadb-docker-image-1.1.0-2.3.10, sles12-pause-docker-image-1.1.0-2.3.11, sles12-pv-recycler-node-docker-image-1.1.0-2.3.10, sles12-salt-api-docker-image-1.1.0-2.3.9, sles12-salt-master-docker-image-1.1.0-4.3.10, sles12-salt-minion-docker-image-1.1.0-2.3.8, sles12-velum-docker-image-1.1.0-4.3.9

Comment 27 Michael Andres 2018-08-24 15:29:41 UTC

Fixed in 
SLES12-SP1      libzypp 15.25.16   zypper 1.12.58    (MR#170947)
SLES12          libzypp 14.45.16   zypper 1.11.70    (MR#170948)

Comment 29 Swamp Workflow Management 2018-08-30 10:14:55 UTC

SUSE-SU-2018:2555-1: An update that solves four vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 1037210,1038984,1045735,1048315,1054088,1070851,1076192,1088705,1091624,1092413,1096803,1100028,1101349,1102429
CVE References: CVE-2017-7435,CVE-2017-7436,CVE-2017-9269,CVE-2018-7685
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    libzypp-15.25.17-46.22.1, zypper-1.12.59-46.10.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    libzypp-15.25.17-46.22.1, zypper-1.12.59-46.10.1

Comment 31 Swamp Workflow Management 2018-09-11 16:09:47 UTC

SUSE-SU-2018:2688-1: An update that solves four vulnerabilities and has 13 fixes is now available.

Category: security (important)
Bug References: 1036304,1037210,1038984,1045735,1048315,1054088,1070851,1076192,1079334,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429
CVE References: CVE-2017-7435,CVE-2017-7436,CVE-2017-9269,CVE-2018-7685
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    libzypp-14.45.17-2.82.1, zypper-1.11.70-2.69.2