Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

ClamAV LTS RPMs compatibility issues with both RHEL9/Stream9 (all profiles) and RHEL8/Stream8 (FIPS modes) #1223

Open BJSmithIEEE opened 4 months ago

BJSmithIEEE commented 4 months ago

PREFACE: I want to thank the Cisco-Talos group for building RPMs of ClamAV LTS starting with 1.0.4, which saves us the issue of building a complete Rust environment on RHEL8/Stream8, which is something not even the Fedora EPEL8 team is doing.

RPM Package Digest is insecure MD5/SHA1

Putting digital signatures to the side (we can always sign packages with our own), neither any RHEL9/Stream9 installation, nor any RHEL8/Stream8 with a FIPS profile (user-space) or FIPS kernel mode (hard enforcement, blocks everything non-FIPS), will install the prebuilt ClamAV LTS RPMs, as they are built -- the 'digests' just for integrity checking -- with old MD5/SHA1 hashes.

Again, this is not allowed at all in EL9, as well as EL8 when EL8 is in FIPS (or other secure) profiles/modes.

$ sudo rpm -Uhv --test ./yum/.staging/TPS8/x86_64/clamav_clamav-lts/clamav-1.0.5.linux.x86_64.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
        package clamav-1.0.5-1.x86_64 does not verify: no digest

On an EL8 system not in FIPS mode ...

$ rpm -Kv ./yum/.staging/TPS8/x86_64/clamav_clamav-lts/clamav-1.0.5.linux.x86_64.rpm
./yum/.staging/TPS8/x86_64/clamav_clamav-lts/clamav-1.0.5.linux.x86_64.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK

Considering these are the two (2) supported RHEL/Stream releases after June of this year (RHEL7/CentOS7 goes EoL '24 June), I would recommend you consider the following changes to your RPM Macros for building.

$ cat ~/.rpmmacros
#
# ~/.rpmmacros

 ... cut ...

### RPM Digest (Checksum/Integrity) Configuration

# Use SHA256 (8)
# Use SHA384 (9)
# Use SHA512 (10)
%_binary_filedigest_algorithm 10
%_source_filedigest_algorithm 10

### [Optional] RPM Signature (Digital Signature) Configuration

# Use GnuPG
%_signature gpg
%__gpg /usr/bin/gpg
# Currently GPG key XXXXXX (expires YYYY-bbb-dd)
%_gpg_name you@domain

# Maximum RPM v3 compatibility (RHEL7/CentOS7) and force SHA512 (still supported)
%__gpg_sign_cmd %{__gpg} --force-v3-sigs --digest-algo=sha512 --batch \
 --no-verbose --no-armor --no-secmem-warning -u "%{_gpg_name}" \
 -sbo %{__signature_filename} %{__plaintext_filename}

 ... cut ... 

It uses SHA512, which should be compatible with the last RHEL7.9 / CentOS7.9 Updates, and similar, decade-old distributions.

I've also included the optional digital signature stanza (should you wish to add one) to even generate an older RPMv3 format (than RPMv4) for them too. This is all while still being EL8/9 FIPS compliant, and possibly the forthcoming EL10 (Stream 10) due in 2025 (I do need to test if RPMv3 is still supported in EL10).

This should be read/supported by CPack in CMake, which I see you are using.

P.S. I will reserve further comment on CPack, but would be very interested in assisting with these, and other RPM SPEC meta-data (e.g., obsoleting EPEL ClamAV), you could use in the package, even with CPack. I would be very interested in understanding how you are building these LTS 1.0.4+ release RPM packages, especially your Rust environment, if you are using RHEL8/Stream8, as I cannot reproduce a working environment. I.e., Installing the Rust module from RHEL8 Application Streams, I cannot get the RPM Macros/Build support to work, not even after pulling various, older support from EPEL8 or other sources.

BJSmithIEEE commented 4 months ago

Just to confirm, in addition to RHEL9 compatibility issues, there will be continued, US Gov't non-compliance with FIPS, NIST, DISA and just about every standard out there for RHEL8, which will affect both federal and regulated commercial users (e.g., financial), with the latest LTS 1.0.6 RPM release too ...

$ rpm -Kv clamav-1.0.6.linux.x86_64.rpm
clamav-1.0.6.linux.x86_64.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK

As documented earlier, the 'fix' for this is literally this simple!

$ cat ~/.rpmmacros
#
# ~/.rpmmacros

 ... cut ...

### RPM Digest (Checksum/Integrity) Configuration

# Use SHA256 (8)
# Use SHA384 (9)
# Use SHA512 (10)
%_binary_filedigest_algorithm 10
%_source_filedigest_algorithm 10

 ... cut ...

BJSmithIEEE commented 2 months ago

Anyone? Anyone? Buehler? Buehler?

micahsnyder commented 2 months ago

Thanks for the ping and the original report.

I gave this a try a moment ago by creating a ~/.rpmmacros file in our CentOS 7 containers used to build the ClamAV RPM's. For this file I included what you pasted (nothing else):

### RPM Digest (Checksum/Integrity) Configuration

# Use SHA256 (8)
# Use SHA384 (9)
# Use SHA512 (10)
%_binary_filedigest_algorithm 10
%_source_filedigest_algorithm 10

I checked the RPM from the build and found it still only uses MD5 and SHA1 for the digest:

[root@3a815301081a /]# rpm /src/clamav-1.4.0-rc.linux.x86_64.rpm -Kv
/src/clamav-1.4.0-rc.linux.x86_64.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK

I tried searching a bit online for how to change the RPM digest with CMake / CPack and came up empty handed. Did I do something wrong, or do you have any additional tips specific to CPack?

BJSmithIEEE commented 2 months ago

On RHEL7, try 8 (SHA256) and see if it works. I've been building with RHEL8 so much, it may not offer 10 (SHA512) support in its older RPM. Those also might be RHEL8+ macros. I need to verify.

Here's the Red Hat article #3359321 on several details, which has been updated.

https://access.redhat.com/articles/3359321

As well as Red Hat's blog about how even non-FIPS RHEL9 no longer supports SHA1 (aka SHA192), period.

https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9

micahsnyder commented 1 month ago

Oh I forgot to update this. We switched to alma linux 8 to build the RPM's and included the .rpmmacros suggestion.

I now see this on our internal builds, tested in an almalinux:8 container:

[root@2167c3fd20bd /]# rpm -Kv --test /src/clamav-1.4.0-rc.linux.x86_64\ \(1\).rpm
/src/clamav-1.4.0-rc.linux.x86_64 (1).rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK
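
The check that the reports above perform by eye, as an added example that is not part of the issue thread or the ClamAV project: a small POSIX shell function that classifies `rpm -Kv` output by whether the package carries a digest EL9 and FIPS-mode EL8 will accept (SHA-256 or stronger), with the two reports quoted in this thread embedded as constructed samples so it runs without an rpm binary.

```shell
#!/bin/sh
# Added example (not from the issue): classify `rpm -Kv <package>` output by
# whether it carries a digest that EL9 and FIPS-mode EL8 accept (SHA-256 or
# stronger). MD5 and SHA1 digest lines never count, matching the thread.

# digest_verdict "<rpm -Kv output>"
# Prints one of: fips-ok | legacy-only | no-digest
# Exit status: 0 for fips-ok, 1 otherwise.
digest_verdict() {
    report=$1
    # Digest lines look like "    Header SHA256 digest: OK" or "    MD5 digest: OK".
    # Count SHA-2 family digests (256 bits and up) and legacy ones separately;
    # "|| true" keeps grep's "no match" exit status from aborting under set -e.
    approved=$(printf '%s\n' "$report" | grep -E -c '(SHA256|SHA384|SHA512) digest: OK' || true)
    legacy=$(printf '%s\n' "$report" | grep -E -c '(MD5|SHA1) digest: OK' || true)
    if [ "$approved" -gt 0 ]; then
        echo fips-ok; return 0
    elif [ "$legacy" -gt 0 ]; then
        echo legacy-only; return 1
    else
        echo no-digest; return 1
    fi
}

# check_rpm_file <path.rpm>: run rpm -Kv on a real package and classify it.
# Only usable where rpm(8) is installed; the samples below need no rpm binary.
check_rpm_file() {
    digest_verdict "$(rpm -Kv "$1" 2>&1)"
}

# Constructed samples, copied from the two reports quoted in the thread.
LEGACY_REPORT='clamav-1.0.6.linux.x86_64.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK'

MODERN_REPORT='/src/clamav-1.4.0-rc.linux.x86_64 (1).rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK'

# Top-level driver: the legacy report is rejected, the rebuilt one accepted.
for r in "$LEGACY_REPORT" "$MODERN_REPORT"; do
    if digest_verdict "$r"; then
        echo "  -> installable on EL9 and FIPS-mode EL8"
    else
        echo "  -> rejected on EL9 and FIPS-mode EL8"
    fi
done
```

Pointing check_rpm_file at a freshly built package is a quick gate for a release pipeline: a legacy-only verdict means the build host's %_binary_filedigest_algorithm macro did not take effect.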

PR-JF commented 2 weeks ago

Would be very appreciated if this could be implemented.

We are using ClamAV on Rocky 9 to check our compliance boxes, but we also need the FIPS box checked too :)

As @BJSmithIEEE mentioned, RHEL9 doesn't support SHA1 for package signing, regardless of whether FIPS is enabled or not, because it's considered insecure.

https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9