(Jul 16) Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More…]
(Jul 16) Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat OpenStack 3.0. The Red Hat Security Response Team has rated this update as having moderate [More…]
Certificate revocation checking is an essential part of any connection to an SSL site; without it, an attacker can impersonate an SSL site with a compromised certificate until it expires of its own accord — an event which may be 5 years away — even if the issuer of the certificate (the certificate authority, or CA) is made aware of the breach. One of the methods used to check the revocation status, OCSP, requires the browser to make a per-certificate request to the issuing CA as part of the initial connection to an SSL site.
This separate OCSP request can increase the time taken for the browser to connect to an SSL site and imposes a traffic burden on the CA. OCSP stapling is advantageous because it removes the need for a separate request to the CA by bundling the OCSP response with the existing SSL connection.
The proportion of certificates in the July 2013 Netcraft SSL survey served over an SSL connection with a stapled OCSP response.
In the latest Netcraft SSL Survey, more than 22% of certificates were served with a stapled OCSP response. Of those SSL certificates seen with a stapled OCSP response, almost all (96%) were served from computers running Microsoft Windows. OCSP stapling has been enabled by default in IIS since Windows 2008, significantly before its competitors — Apache added support in version 2.4 in February 2012 and nginx added support in version 1.4.0 in April 2013.
| Operating System | Share |
|---|---|
| Windows Server 2008 | 94.54% |
| Windows Server 2012 | 1.76% |
| Linux | 1.39% |
| Unknown | 1.25% |
| Other | 1.06% |
The certificates in the July 2013 Netcraft SSL survey served over an SSL connection with a stapled OCSP response, split by operating system.
More than 99% of the stapled OCSP responses corresponded to a ‘good’ status, but somewhat surprisingly, there were around 900 responses which corresponded to a revoked status. These include a certificate on a Maybank website (the largest financial institution in Malaysia) and a certificate on the mobile version of marines.com, an official US Marine Corps recruitment website. m.marines.com appears to be load balanced across at least two machines, one of which staples a revoked response, the other uses a different non-revoked certificate.
m.marines.com in Google Chrome (on Windows) and Safari on iOS6.
Browser support for OCSP stapling is patchy and varies with the operating system. As well as on the server-side with IIS, Microsoft’s client-side support for OCSP stapling is good: Internet Explorer supports stapling, as does every other browser tested on Windows except Firefox. Firefox does particularly poorly on all platforms, with no support at all for OCSP stapling in the current release, though support is on its way. Google Chrome uses a patched version of NSS (the same library as Firefox) on Linux which does include stapling support. The upgrade from Opera 12 to Opera 15 on Mac OS X removes support for OCSP stapling, perhaps as a side-effect of the move to WebKit (blink), leaving Mac OS X without support for OCSP stapling when using the latest release of any common browser.
Where OCSP stapling may help the most — on mobile networks where latency may be high — there is no support, at least in conventional browsers which make direct requests. Opera Mini, which uses a proxy to compress responses, does make SSL requests which include a request for an OCSP stapled response, but security conscious users may be reticent to trust their SSL encrypted data to Opera (which proxies SSL connections through its servers) in exchange for OCSP stapling.
| Browser/OS | Windows | Linux | Mac OS X | iOS | Android |
|---|---|---|---|---|---|
| Google Chrome 28 | Yes | Yes | No | No | No |
| Firefox 22 | No | No | No | N/A | No |
| Internet Explorer 10 | Yes | N/A | N/A | N/A | N/A |
| Safari 6 | No | N/A | No | No | N/A |
| Opera 12 | Yes | Yes | Yes | N/A | N/A |
| Opera 15 | Yes | N/A | No | N/A | N/A |
| Opera Mini | N/A | N/A | N/A | Yes | Yes |
| Opera Mobile | N/A | N/A | N/A | N/A | No |
CloudFlare is a vocal supporter of OCSP stapling and claims that stapling can improve the time taken to start an SSL connection by up to 30%. CloudFlare’s implementation of OCSP, though, does not consistently provide a stapled OCSP response. Netcraft took 50 random CloudFlare IP addresses seen in the SSL survey and made 50 sequential requests with OCSP stapling enabled after an initial priming request which was discarded.
The number of CloudFlare IP Addresses responding with OCSP stapled grouped by the request number. 50 IP addresses were connected to with openssl s_client -status, the initial request was discarded
and then after a 5 second pause, 50 sequential requests were made.
Fewer than 50% of the CloudFlare IP addresses responded with an OCSP response stapled on the first non-discarded connection attempt. Even after 20 requests, the response rate is not consistent, some IP addresses still fail to staple an OCSP response on each and every SSL connection. This inconsistent behaviour may be down to a number of separate machines responding to the same IP address either in different locations, or behind a load balancer.
OCSP stapling, at least in its current form, does not exempt most browsers from all OCSP requests; even if the OCSP response for the certificate of the SSL site itself is stapled, the OCSP responses from the intermediates certificates — the chain of certificates which link the site’s certificate to a trusted certificate embedded in the browser — are not included. Yngve Pettersen, formerly of Opera, has recently authored RFC 6961 defining a standard which is intended to combat some of the problems with the current generation of OCSP stapling.
The following disclosure covers the TSR-2013-008, the Targeted Security
Release published on July 15th, 2013. Each vulnerability is assigned an
internal case number which is reflected below. Information regarding
the cPanel Security Level rankings can be found here:
http://go.cpanel.net/securitylevels
Case 71121
Summary
The Squirrelmail Webmail session file contained plain text passwords.
Security Rating
cPanel has assigned a Security Level of Minor to this vulnerability.
Description
cPanel includes the SquirrelMail Webmail suite as one option for
Webmail accounts to access their email using a web browser. The
included copy of SquirrelMail stored the password used to authenticate
in a cleartext format in its session files. The session files are
stored in the /tmp/ directory with with 0600 (rw——-) permissions,
limiting access to the plaintext passwords to the system user account.
Credits
This issue was discovered by Alex Kwiecinski of the Liquid Web Security
Team.
Solution
This issue is resolved in the following builds:
* 11.39.0.5 & Greater
* 11.38.1.13 & Greater
* 11.36.1.15 & Greater
* 11.34.1.25 & Greater
* 11.32.6.17 & Greater
Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at
http://httpupdate.cpanel.net/.
Case 72157
Summary
Arbitrary File Modification vulnerability when suspending an account.
Security Rating
cPanel has assigned a Security Level of Important to this
vulnerability.
Description
cPanel & WHM includes functionality to automatically suspend cPanel
accounts that consume more than their allotted limits of disk and
bandwidth resources. The account suspension process makes several
changes inside the suspended user account’s home directory. It was
discovered that manipulations of virtual account password files that
are stored inside the user’s home directory were performed with the
effective permissions of the root user and without sufficient
protections against tampering. This allowed a local attacker whose
account was being suspended to manipulate sensitive files outside of
their home directory.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
* 11.39.0.5 & Greater
* 11.38.1.13 & Greater
* 11.36.1.15 & Greater
* 11.34.1.25 & Greater
* 11.32.6.17 & Greater
Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.
Case 71573
Summary
A reseller account with clustering privileges can modify any DNS zone
on the system.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability
Description
cPanel & WHM includes a DNS clustering system called DNSAdmin that
allows DNS changes to propagate beyond the local system. This system
functions through specific URLs inside WHM that are accessible only to
reseller accounts with the “clustering” privilege. The URLs in cpsrvd
that handle DNSAdmin cluster requests were not enforcing local zone
ownership correctly, allowing a malicious reseller with the clustering
privilege to send updates for DNS zones that did not belong to his
accounts.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
* 11.39.0.5 & Greater
* 11.38.1.13 & Greater
* 11.36.1.15 & Greater
* 11.34.1.25 & Greater
* 11.32.6.17 & Greater
Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/.
Case 71625
Summary
A reseller account with park-dns privileges can take control of any
domain on the system.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability
Description
WHM allows resellers with the “park-dns” ACL to assign ownership of a
parked domain from one cPanel account to another. This functionality
was not checking that the domain being reassigned belonged to an
account the reseller controlled. A malicious reseller account with the
“park-dns” ACL could use this flaw to take control of any other domains
on the system.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
* 11.39.0.5 & Greater
* 11.38.1.13 & Greater
* 11.36.1.15 & Greater
* 11.34.1.25 & Greater
* 11.32.6.17 & Greater
Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/
Case 71577
Summary
The Purchase and Install an SSL Certificate (Trustwave) feature does
not drop privileges during certificate file creation.
Security Rating
cPanel has assigned a Security Level of Important to this vulnerability
Description
The WHM “Purchase and Install an SSL Certificate” page allows reseller
accounts with the “ssl” or “ssl-buy” ACLs to purchase SSL certificates
from Trustwave for installation on the local system. This interface
failed to drop privileges before creating a file in the reseller’s home
directory, allowing malicious resellers with appropriate ACLs to
overwrite arbitrary files on the system.
Credits
This issue was discovered by Rack911.
Solution
This issue is resolved in the following builds:
* 11.39.0.5 & Greater
* 11.38.1.13 & Greater
* 11.36.1.15 & Greater
* 11.34.1.25 & Greater
* 11.32.6.17 & Greater
Please update your cPanel & WHM system to one of the aforementioned
versions or the latest public release available. A full listing of
published versions can always be found at http://httpupdate.cpanel.net/
For a PGP signed version, please go here.
(Jul 17) It was discovered that PHP could perform an invalid free request when processing crafted XML documents, corrupting the heap and potentially leading to arbitrary code execution. Depending on the PHP application, this vulnerability could be exploited remotely. [More…]
60 queries. 8.5 mb Memory usage. 1.308 seconds.