From 29f5ad4805a04e4c4fd18795f7153798c80a46ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 18 Nov 2013 12:20:52 +0100
Subject: [PATCH] Security notice on Storable and reply attack
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Petr Písař <ppisar@redhat.com>
---
README | 16 ++++++++++++++++
lib/RPC/PlServer.pm | 15 +++++++++++++++
2 files changed, 31 insertions(+)

diff --git a/README b/README
index 8a68657..48a33e4 100644
--- a/README
+++ b/README
@@ -204,6 +204,7 @@ EXAMPLE
require RPC::PlServer;
require MD5;

+
package MD5_Server; # Clients need to request application
# "MD5_Server"

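
Review bot: the only change in this hunk is an extra blank line after `require MD5;` in the EXAMPLE section, which has nothing to do with the security notice the commit announces; drop it (or move it to a separate whitespace commit) so the patch stays limited to the documentation fix.
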
@@ -245,6 +246,10 @@ SECURITY
that I missed something. Security was a design goal, but not *the*
design goal. (A well known problem ...)

+ Due to implementation of PlRPC, it's hard to use internal authentication
+ mechanisms properly to achieve secured remote calls. Therefore users are
+ advised to use an external authentication mechanism like TLS or IPsec.
+
I highly recommend the following design principles:

Protection against "trusted" users
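
Review bot: the added paragraph tells users that the internal authentication mechanisms are hard to use properly but gives no reason, so a reader cannot judge why TLS or IPsec would close the gap; state the reason here (the Storable deserialization documented later in this same patch happens before the password is checked, so the built-in password does not protect the server from unauthenticated peers) or cross-reference the "Use of Storable" item. Wording: "Due to the implementation of PlRPC" and "secure remote calls".
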
@@ -263,6 +268,14 @@ SECURITY
Be restrictive
Think twice, before you give a client access to a method.

+ Use of Storable
+ Storable module used for serialization and deserialization
+ underneath is inherently insecure. Deserialized data can contain
+ objects which lead to loading foreign modules and executing possible
+ attached destructors. Do not accept host-based unauthorized
+ connections. The Storable module is exercised before checking user
+ password.
+
perlsec
And just in case I forgot it: Read the "perlsec" man page. :-)

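
Review bot: "Do not accept host-based unauthorized connections" is ambiguous (it can be read as "do not use host-based authorization" or as "do not accept unauthenticated connections"); since the paragraph's point is that Storable deserializes client data before the password is checked, say that directly: any peer that is allowed to connect at the network level can trigger deserialization, so connections must be restricted by host (for example with the IPsec or TLS recommended above) rather than by the PlRPC password. The last sentence, which gives the reason, would read better placed first, and the opening needs an article: "The Storable module used ... underneath is inherently insecure".
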
@@ -283,6 +296,9 @@ SECURITY
authorized, you should switch to a user based key. See the
DBI::ProxyServer for an example.

+ Please note PlRPC encryption does not protect from reply attacks.
+ You should have implement it on the application or the cipher level.
+
AUTHOR AND COPYRIGHT
The PlRPC-modules are

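
Review bot: "reply attacks" should be "replay attacks" (the commit subject has the same typo), and "You should have implement it" should be "You should implement it". "It" is also unclear; say what has to be implemented, for example "Replay protection must be implemented at the application level (for instance a nonce or sequence number in every request) or provided by the transport, which is one more reason to recommend TLS above."
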
diff --git a/lib/RPC/PlServer.pm b/lib/RPC/PlServer.pm
index 10b56c9..ce38594 100644
--- a/lib/RPC/PlServer.pm
+++ b/lib/RPC/PlServer.pm
@@ -613,6 +613,10 @@ I did my best to avoid security problems, but it is more than likely,
that I missed something. Security was a design goal, but not *the*
design goal. (A well known problem ...)

+Due to implementation of PlRPC, it's hard to use internal authentication
+mechanisms properly to achieve secured remote calls. Therefore users are
+advised to use an external authentication mechanism like TLS or IPsec.
+
I highly recommend the following design principles:

=head2 Protection against "trusted" users
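
Review bot: this paragraph duplicates the README hunk word for word, and the surrounding README SECURITY text also mirrors this POD; if README is produced from the POD (pod2text or similar), regenerate it instead of editing both copies by hand so they cannot drift. Same wording nit as in the README: "Due to the implementation of PlRPC".
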
@@ -637,6 +641,14 @@ object handle is valid before coercing a method on it.

Think twice, before you give a client access to a method.

+=item Use of Storable
+
+L<Storable> module used for serialization and deserialization underneath is
+inherently insecure. Deserialized data can contain objects which lead to
+loading foreign modules and executing possible attached destructors. Do not
+accept host-based unauthorized connections. The L<Storable> module is
+exercised before checking user password.
+
=item perlsec

And just in case I forgot it: Read the C<perlsec> man page. :-)
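
Review bot: lead the new =item with the actionable fact and then the explanation ("The L<Storable> module is exercised before checking the user password, so ..."), since as written the reader only learns at the end why the warning matters; the opening also needs an article ("The L<Storable> module used ... underneath"). "Host-based unauthorized connections" should be spelled out as connections from hosts that are not trusted, so it is not confused with the host based key described in the next hunk.
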
@@ -667,6 +679,9 @@ login phase, where to use a host based key. As soon as the user
has authorized, you should switch to a user based key. See the
DBI::ProxyServer for an example.

+Please note PlRPC encryption does not protect from reply attacks. You should
+have implement it on the application or the cipher level.
+
=back

=head1 AUTHOR AND COPYRIGHT
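
Review bot: "reply attacks" should be "replay attacks" here too, and "You should have implement it" should be "You should implement it". The paragraph would also be clearer if it said what the risk is in this protocol: encryption alone does not stop a recorded request from being sent again, so the application has to make each request single-use or rely on a transport such as TLS that already provides replay protection.
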
--
1.8.3.1