Bug 957748 (CVE-2015-8400) - VUL-0: CVE-2015-8400: shellinabox: DNS rebinding attack due to HTTP fallback
Summary: VUL-0: CVE-2015-8400: shellinabox: DNS rebinding attack due to HTTP fallback
Status: RESOLVED FIXED
Alias: CVE-2015-8400
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 13.1
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Ladislav Slezák
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/159373/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-12-03 10:09 UTC by Marcus Meissner
Modified: 2016-12-21 20:08 UTC
CC List: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2015-12-03 10:09:53 UTC
CVE-2015-8400, openSUSE Only.

via oss-security


    https://github.com/shellinabox/shellinabox/issues/355


As far as we can tell, "Stephen Roettger from the Google Security Team
reported to us" means that the report was sent to you in your role as
a maintainer of usbarmory, not in anyone's role as a maintainer of
shellinabox. The case for considering this a shellinabox vulnerability
report (rather than a shellinabox improvement suggestion) may be
marginal.

We decided to assign CVE-2015-8400 for a vulnerability in shellinabox.
This same CVE ID can be used by anyone (such as usbarmory) who makes a
security announcement in direct response to the vulnerability,
regardless of whether the announcement is about removing the package
or changing the package.

The basic rationale is that 'allows HTTP fallback, even when
configured for HTTPS, via the "/plain" URL' is apparently undocumented
(and has the stated security risk). If there had been something in
https://github.com/shellinabox/shellinabox/wiki/shellinaboxd_man or
even a source-code comment saying why the behavior had been chosen
despite the risk, the outcome may have been different. There are
various other choices in shellinaboxd that may seem unusual to people
unfamiliar with the product's use cases, e.g.,

  Unless SSL certificates can be found in the current directory, the
  daemon will automatically generate suitable self-signed
  certificates. ... the use of auto-generated self-signed certificates
  is intended for testing or in intranet deployments

(Someone could conceivably argue that "automatically generate" should
not be a default behavior.)
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8400
http://seclists.org/oss-sec/2015/q4/418
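The vulnerability described above is that shellinaboxd, even when configured for HTTPS, answers an unencrypted request for the "/plain" URL, which is what makes a DNS rebinding attack workable (the browser can be pointed at the daemon over plain HTTP, where no certificate mismatch stops it). The check a practitioner wants is whether a deployed instance still accepts a plaintext GET /plain on its HTTPS port. The probe below is an added example and is not code from shellinabox or from the bug; it speaks raw HTTP/1.1 over a TCP socket so it needs no TLS stack, and treats a non-HTTP reply (such as a TLS alert from a port that is really HTTPS-only) as "fallback not reachable". The local server in the block is a constructed stand-in that mimics the fallback behaviour so the example runs offline; its URL handling is an assumption for the demo, not a model of shellinaboxd.

```python
"""Probe a host for an unencrypted "/plain" fallback on an HTTPS port.

Added example, not shellinabox code. probe_plain_fallback() sends a
plaintext GET /plain and reports whether an HTTP status line came back;
_FallbackStandIn is a constructed local server used only to exercise the
probe offline.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def parse_status(raw):
    """Return the numeric status from an HTTP response, or None if the
    bytes are not an HTTP status line (e.g. a TLS alert like
    b'\\x15\\x03\\x01...' from a port that only speaks HTTPS)."""
    line = raw.split(b"\r\n", 1)[0]
    parts = line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def probe_plain_fallback(host, port, timeout=3.0):
    """Return (reachable, status).

    reachable is True when the listener answered a *plaintext* request with
    an HTTP status line at all; status 200 means the fallback page is
    actually served.  Connection errors, timeouts and non-HTTP replies
    (the expected outcome for a port that is HTTPS-only) yield (False, None).
    """
    request = (
        "GET /plain HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            while len(data) < 65536:          # cap what we buffer
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:                           # refused, reset, timeout
        return False, None
    status = parse_status(data)
    return status is not None, status


class _FallbackStandIn(BaseHTTPRequestHandler):
    """Constructed stand-in: serves /plain over HTTP like the vulnerable
    fallback and 404 for anything else.  Assumption for the demo only."""

    def do_GET(self):
        if self.path == "/plain":
            body, code = b"<html><body>plaintext shell UI</body></html>", 200
        else:
            body, code = b"not found", 404
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):             # keep the demo quiet
        pass


def run_stand_in():
    """Start the stand-in on an ephemeral loopback port; caller shuts it down."""
    srv = HTTPServer(("127.0.0.1", 0), _FallbackStandIn)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = run_stand_in()
    print(probe_plain_fallback("127.0.0.1", srv.server_address[1]))
    srv.shutdown()
    srv.server_close()
```

Against a real deployment, call probe_plain_fallback() with the host and the port shellinaboxd listens on for HTTPS; a (True, 200) result means the unencrypted fallback is still exposed, while a fixed or correctly configured HTTPS-only listener gives (False, None) because the plaintext request is answered with a TLS alert or a closed connection rather than an HTTP status line.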
Comment 2 Swamp Workflow Management 2015-12-03 23:00:13 UTC
bugbot adjusting priority
Comment 5 Ladislav Slezák 2016-12-13 15:15:40 UTC
I'm preparing a fix, it has been fixed in 2.19. In openSUSE I'll update the package to 2.20, it contains some more security related fixes.

If we really need a fix for SUSE:SLE-11-SP2:Update:Products then I'd just backport the HTTP fallback fix (https://github.com/shellinabox/shellinabox/commit/4aa0eb97e4c90490a9c84a0d8bd57cd22572c37a).
Comment 6 Ladislav Slezák 2016-12-13 15:36:11 UTC
Fixed for 13.2, 42.1, 42.2. Submitted in https://build.opensuse.org/request/show/445613 - package upgraded to 2.20.

If a fix for SUSE:SLE-11-SP2:Update:Products is required just reopen (or open a new bug).
Comment 7 Swamp Workflow Management 2016-12-21 20:08:39 UTC
openSUSE-SU-2016:3215-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 957748
CVE References: CVE-2015-8400
Sources used:
openSUSE Leap 42.2 (src):    shellinabox-2.20-12.1
openSUSE Leap 42.1 (src):    shellinabox-2.20-11.1
openSUSE 13.2 (src):    shellinabox-2.20-5.3.1