Closed: reedloden closed this issue 8 years ago
😨😭🔫
EDIT: this isn't as bad as has been reported. See my comment below.
This vulnerability has now been easily weaponized. https://www.evilsocket.net/2016/01/30/osx-mass-pwning-using-bettercap-and-the-sparkle-updater-vulnerability/
Hello, unfortunately I can no longer contribute tested changes to Hermes, and have since moved on, so somebody else will have to address this. Please contact me or @nriley if you have interest in maintaining and actively developing Hermes.
As for the risk factor of this vulnerability, it isn't very significant when one considers Sparkle uses DSA signatures to sign and verify updates; and there is no network of trust associated with the key pair.
Regardless this is still a vulnerability, so it should be fixed, if anybody is up to taking over.
> As for the risk factor of this vulnerability, it isn't very significant when one considers Sparkle uses DSA signatures to sign and verify updates; and there is no network of trust associated with the key pair.
See the link in the OP, the DSA stuff doesn't matter.
My mistake -- I had only read the second link :). Yes looks like the weak app signing via DSA is irrelevant. At any rate, I don't have the resources to fix this issue, which would require:
hermesapp.org
One could get a letsencrypt cert, however I don't have a Mac to do (2).
Somebody needs to take over the project if they want to see this fixed.
@winny- all that's needed is an updated version of sparkle. you don't need to do any HTTPS stuff.
Sparkle 1.13.1 specifically.
Unfortunately, to push a new version of Sparkle in Hermes, one needs to have Xcode and friends. In addition they will need two keys which I can hand over, provided you're trustworthy.
https://github.com/HermesApp/Hermes/blob/master/Documentation/ReleaseEngineering.md
Just an fyi: 1.13.1 on website might still be vulnerable
For the SSL/TLS option, you could use CloudFlare to front the domain and then just pass through to https://HermesApp.github.io transparently. That is a free option and doesn't require you to do anything on your end to host the website or proxy the SSL/TLS cert.
In any case, you don't even need to get HTTPS on hermesapp.org to solve this particular issue. If you see in my diff, I swapped it to use https://raw.githubusercontent.com/... which takes the domain out of it entirely and goes directly to GitHub.
Also, it's best to get things on HTTPS and upgrade Sparkle. Only doing the latter just means that any more Sparkle vulns could cause another security issue.
On Saturday, January 30, 2016, Greg Slepak notifications@github.com wrote:
> Just an fyi: 1.13.1 on website might still be vulnerable https://github.com/sparkle-project/Sparkle/issues/726
> — Reply to this email directly or view it on GitHub https://github.com/HermesApp/Hermes/issues/254#issuecomment-177403026.
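The two fixes discussed in this thread (move the appcast feed to HTTPS, and ship Sparkle 1.13.1 or newer) are both things a maintainer can check mechanically before cutting a release. The script below is an added example, not code from Hermes or from Sparkle: it reads an app bundle's `Info.plist` and the embedded `Sparkle.framework` `Info.plist`, flags an `SUFeedURL` that is not `https://`, and flags a Sparkle framework older than the minimum version given. The plist contents, bundle identifier, feed URLs and version numbers are constructed for the example; the real Hermes values are not reproduced here. The minimum version defaults to the 1.13.1 named in this thread, but is a parameter because a later comment notes that 1.13.1 itself may still be affected.

```python
import plistlib
import re
import sys
from urllib.parse import urlparse

# Constructed sample: an app Info.plist whose Sparkle feed is fetched over plain
# HTTP. This is the weak setting; the identifier and URL are placeholders.
APP_INFO_PLIST_HTTP = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.HypotheticalApp</string>
    <key>SUFeedURL</key>
    <string>http://updates.example.org/appcast.xml</string>
    <key>SUPublicDSAKeyFile</key>
    <string>dsa_pub.pem</string>
</dict>
</plist>
"""

# Constructed sample: the corrected setting, with the feed served over HTTPS
# directly from a raw GitHub URL (placeholder path, as suggested in the thread).
APP_INFO_PLIST_HTTPS = APP_INFO_PLIST_HTTP.replace(
    b"http://updates.example.org/appcast.xml",
    b"https://raw.githubusercontent.com/example-org/example-app/master/appcast.xml",
)

# Constructed samples: the Sparkle framework's own Info.plist, first with an
# old version string, then with the version the thread recommends.
SPARKLE_INFO_PLIST_OLD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>org.sparkle-project.Sparkle</string>
    <key>CFBundleShortVersionString</key>
    <string>1.11.1</string>
</dict>
</plist>
"""
SPARKLE_INFO_PLIST_FIXED = SPARKLE_INFO_PLIST_OLD.replace(b"1.11.1", b"1.13.1")


def parse_version(text):
    """Turn '1.13.1' into (1, 13, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def audit_bundle(app_plist, sparkle_plist, minimum_sparkle="1.13.1"):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []

    app = plistlib.loads(app_plist)
    feed = app.get("SUFeedURL")
    if feed is None:
        # Sparkle also allows the feed URL to be supplied at runtime by the
        # updater delegate, so a missing key is worth a manual look, not a pass.
        findings.append("no SUFeedURL in Info.plist; check how the feed URL is set in code")
    elif urlparse(feed).scheme != "https":
        findings.append(f"SUFeedURL is not HTTPS: {feed}")

    sparkle = plistlib.loads(sparkle_plist)
    version = sparkle.get("CFBundleShortVersionString", "0")
    if parse_version(version) < parse_version(minimum_sparkle):
        findings.append(f"Sparkle {version} is older than {minimum_sparkle}")

    return findings


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: python audit_sparkle.py /Applications/SomeApp.app
        # Sparkle.framework/Resources is the usual symlink to the current version.
        bundle = sys.argv[1]
        with open(f"{bundle}/Contents/Info.plist", "rb") as f:
            app_bytes = f.read()
        with open(f"{bundle}/Contents/Frameworks/Sparkle.framework/Resources/Info.plist", "rb") as f:
            sparkle_bytes = f.read()
        results = audit_bundle(app_bytes, sparkle_bytes)
    else:
        results = audit_bundle(APP_INFO_PLIST_HTTP, SPARKLE_INFO_PLIST_OLD)
    for line in results or ["no findings"]:
        print(line)
```

Run against the constructed weak bundle it reports both problems; against the HTTPS feed plus Sparkle 1.13.1 it reports nothing. Versions are compared as integer tuples rather than strings so that, for instance, 1.9 is correctly treated as older than 1.13.1.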
@taoeffect check the last comment in https://trac.videolan.org/vlc/ticket/11987#comment:29 -- perhaps you want to try with something besides VLC?
@reedloden did you mean to send that reply to this thread or here? Either way, I can't get even the most basic of modules working (like hack_title.rb).
@taoeffect The other thread, sorry. I'm watching all your threads right now as you investigate this, and doing it from mobile while I'm out with friends isn't helping with keeping track of stuff. Hah.
Sorry, I can't address this either — too many other projects contending with my time and resources, and I don't even use Hermes as a user any more. If someone (or more than one person) wants to take over Hermes maintenance, I'm happy to facilitate this in any way possible, but they need to be actually committed to it. I've had enough experiences where people asked to contribute to one of my projects, I spent a bunch of time trying to help and then never heard from them again.
There are ways to mitigate against this and it's also not as bad as reported.
Just published details:
It turns out that I was mistaken, in some situations Gatekeeper does get bypassed. I just published a post with details + mitigations. Thanks to @radekk for insisting that I was missing something!
https://vulnsec.com/2016/osx-apps-vulnerabilities/
Hermes is vulnerable to this, so would be good to get Sparkle updated.