bgarlock / mod-spdy

Automatically exported from code.google.com/p/mod-spdy

CVE-2014-0160 fix needed #85

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Because SPDY changes the SSL library used by Apache, 

LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl_with_npn.so

upgrading OpenSSL and applying patches is not effective; users should disable 
SPDY until this is fixed.

Original issue reported on code.google.com by csanad.n...@gmail.com on 8 Apr 2014 at 8:55

GoogleCodeExporter commented 8 years ago
Note that just disabling the spdy module in Apache won't work, because the SSL 
library itself is replaced. Easiest fix on Debian is to remove the mod-spdy 
package from the system (for now).

Original comment by m...@praseodym.net on 8 Apr 2014 at 10:38

GoogleCodeExporter commented 8 years ago
Thanks for the report.

This has now been fixed in trunk and in the latest branch/tag, but we are 
working to update the binary releases ASAP.

If you have built mod_spdy from source, you should immediately rebuild from 
trunk or from tag 0.9.4.2 ***including re-running build_modssl_with_npn.sh to 
rebuild mod_ssl***.  If you have installed mod_spdy from one of the binary 
packages, you should uninstall the package (as mark@ notes above, don't just 
disable mod_spdy) until new binaries are available.

I will update this bug when the new binaries are up, hopefully in the next 24 
hours.

Original comment by mdste...@google.com on 8 Apr 2014 at 8:00
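
The thread's core point is that patching the system OpenSSL does nothing when the loaded mod_ssl is a replacement module carrying its own library build. The script below is an added example, not code from mod_spdy or from any commenter: it reads the `LoadModule` lines of an httpd configuration, picks out the modules that carry TLS, and scans each module binary for the `OpenSSL x.y.z` version banner that libssl/libcrypto embed, flagging the Heartbleed-affected versions (1.0.1 through 1.0.1f and 1.0.2-beta1). The configuration excerpt and the `.so` file it scans are constructed stand-ins; `resolve` is a hypothetical hook that maps configured paths to the files on disk. A module with no embedded banner presumably links the shared system libssl, which the script does not inspect.

```python
"""Inventory Apache TLS modules and look for a bundled OpenSSL copy (added example)."""
import os
import re
import tempfile

# Apache syntax: LoadModule <name> <path>, path optionally quoted
LOADMODULE_RE = re.compile(r'^\s*LoadModule\s+(\S+)\s+"?([^"\s]+)"?', re.M)
# OPENSSL_VERSION_TEXT banner as embedded in the library, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-beta\d+)?)")


def heartbleed_affected(version: str) -> bool:
    """CVE-2014-0160 affects 1.0.1 up to and including 1.0.1f, plus 1.0.2-beta1."""
    if version == "1.0.2-beta1":
        return True
    m = re.fullmatch(r"1\.0\.1([a-z]?)", version)
    return bool(m) and m.group(1) <= "f"


def ssl_modules(config_text: str) -> list:
    """Return (module_name, path) for LoadModule lines that carry TLS code.

    Matches ssl_module itself plus any module file mentioning ssl or spdy,
    because mod_spdy ships its own mod_ssl_with_npn.so replacement.
    """
    out = []
    for name, path in LOADMODULE_RE.findall(config_text):
        base = os.path.basename(path).lower()
        if name == "ssl_module" or "ssl" in base or "spdy" in base:
            out.append((name, path))
    return out


def embedded_openssl_versions(path: str) -> list:
    """Scan a binary for OpenSSL version banners (what `strings | grep OpenSSL` shows)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return sorted({m.group(1).decode() for m in BANNER_RE.finditer(data)})


def audit(config_text: str, resolve=lambda p: p) -> list:
    """Classify each TLS-carrying module: missing, affected, ok, or no embedded banner."""
    findings = []
    for name, path in ssl_modules(config_text):
        real = resolve(path)  # hypothetical hook: map configured path to the file on disk
        if not os.path.exists(real):
            findings.append({"module": name, "path": path, "versions": [], "status": "missing"})
            continue
        versions = embedded_openssl_versions(real)
        if any(heartbleed_affected(v) for v in versions):
            status = "affected"
        elif versions:
            status = "ok"
        else:
            status = "no embedded banner; inspect the shared libssl it links instead"
        findings.append({"module": name, "path": path, "versions": versions, "status": status})
    return findings


# Constructed httpd.conf excerpt, modelled on the LoadModule line in the report
SAMPLE_CONFIG = """\
LoadModule spdy_module /usr/lib/apache2/modules/mod_spdy.so
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl_with_npn.so
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
"""


def demo() -> list:
    """Run the audit against a constructed stand-in for mod_ssl_with_npn.so."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "mod_ssl_with_npn.so")
        with open(fake, "wb") as fh:
            # Not a real ELF object: just a banner of an affected version amid filler bytes
            fh.write(b"\x7fELF\x00\x00" + b"OpenSSL 1.0.1e 11 Feb 2013\x00" + b"\x00" * 16)
        return audit(SAMPLE_CONFIG, resolve=lambda p: os.path.join(tmp, os.path.basename(p)))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, drop the `resolve` argument and point `audit` at the configuration file contents; the `mod_spdy.so` entry shows up as `missing` in the demo only because the stand-in directory contains a single file.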

GoogleCodeExporter commented 8 years ago
I can confirm that my web server remained vulnerable to CVE-2014-0160 after 
updating openssl, and removing mod-spdy fixed it.

Original comment by jeka...@gmail.com on 8 Apr 2014 at 8:58

GoogleCodeExporter commented 8 years ago
New binaries for 0.9.4.2 (which fixes this vulnerability) have been rolled out, 
and are available here: https://developers.google.com/speed/spdy/mod_spdy/

If you've installed one of our previous binary releases (and did not disable 
auto-update), you should be able to easily upgrade using your package manager 
(apt or yum).

I'll be making an announcement to the mod-spdy-discuss list shortly.

Original comment by mdste...@google.com on 8 Apr 2014 at 10:24

GoogleCodeExporter commented 8 years ago
Email announcement: 
https://groups.google.com/forum/#!topic/mod-spdy-discuss/EwCowyS1KTU

Original comment by mdste...@google.com on 8 Apr 2014 at 10:39

GoogleCodeExporter commented 8 years ago
Issue 86 has been merged into this issue.

Original comment by mdste...@google.com on 9 Apr 2014 at 12:02

GoogleCodeExporter commented 8 years ago
I can confirm that the new binary packages solve the issue: my server is 
not vulnerable to CVE-2014-0160 after installing and enabling the new mod_spdy 
package.

Thanks, the response time was awesome.

Original comment by csanad.n...@gmail.com on 9 Apr 2014 at 12:29

GoogleCodeExporter commented 8 years ago
Yes, this was fixed. But now the new mod-spdy-beta produces other insecurities: 
after installing it, I checked my server with 
https://www.ssllabs.com/ssltest/analyze.html and got: "This server supports 
anonymous (insecure) suites (see below for details). Grade set to F."

Uninstalling mod-spdy-beta fixed that. Please, can you fix this? Thanks.

Original comment by AndreasP...@gmail.com on 9 Apr 2014 at 5:42

GoogleCodeExporter commented 8 years ago
Hi Andreas,

Most probably you've got a different issue. My installation got a grade A with 
the latest mod_spdy enabled.

Original comment by csanad.n...@gmail.com on 9 Apr 2014 at 5:48

GoogleCodeExporter commented 8 years ago
TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)   INSECURE      256
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)   INSECURE     112
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)   INSECURE      128
TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016)   INSECURE      128

And: with this version, TLS 1.2 and 1.1 are not supported, only TLS 1.0 - or 
are there any config files I don't know about?

Original comment by AndreasP...@gmail.com on 9 Apr 2014 at 5:48

GoogleCodeExporter commented 8 years ago
@Andreas: I had the same problem after removing and then reinstalling 
mod-spdy-beta on an Ubuntu LTS server. I could fix my grade and bring it to A+ 
again by simply copying the settings recommended in 
https://bettercrypto.org/static/applied-crypto-hardening.pdf for Apache 
(section 2.2.1) into my default config and restarting Apache. I think the 
important part of that was the SSLCipherSuite, which has been set to 
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

Original comment by norbert....@gmail.com on 9 Apr 2014 at 9:15

GoogleCodeExporter commented 8 years ago
@Andreas:
I updated my SSLCipherSuite to be
SSLCipherSuite  HIGH:MEDIUM:!ADH:!MD5:!ECDH
This blocks the ECDH keys that are failing the test.
I first tried Norbert's list and it worked for the test but it broke SPDY.
I went to the site http://spdycheck.org/ to test if SPDY was working, and it 
wasn't.
After I changed it to the one I suggested above, SPDY works, and Qualys is 
happy.
WIN!

Original comment by evan.swe...@gmail.com on 14 Apr 2014 at 11:18
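
The two `SSLCipherSuite` strings above take different routes to the same grade, and the difference matters for forward secrecy: the bettercrypto string removes the unauthenticated suites with `!aNULL` (the four `TLS_ECDH_anon_*` suites SSL Labs flagged are what OpenSSL names `AECDH-*`), whereas `!ECDH` removes every ECDH key exchange, ephemeral ECDHE included, so only RSA and DHE key exchange remains. The script below is an added example, not code from mod_spdy or from the commenters. It uses Python's `ssl` module, which expands OpenSSL cipher strings the same way mod_ssl does, to report what each string keeps, and it parses the SSL Labs lines quoted in the thread (embedded here as a constructed copy) to flag anonymous and legacy suites. The expansion reflects whatever OpenSSL build the interpreter is linked against, so the exact suite counts will differ between hosts.

```python
"""Evaluate SSLCipherSuite strings and SSL Labs cipher lines offline (added example)."""
import re
import ssl

# Constructed copy of the four SSL Labs lines quoted in the thread
SSLLABS_LINES = """\
TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)   INSECURE      256
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)   INSECURE     112
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)   INSECURE      128
TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016)   INSECURE      128
"""
LINE_RE = re.compile(r"^(TLS_\S+)\s+\((0x[0-9a-fA-F]{4})\)\s+(\w+)?\s*(\d+)\s*$")

# The two strings discussed in the thread
STRINGS = {
    "bettercrypto": "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:"
                    "EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:"
                    "+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:"
                    "!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA",
    "high_medium_no_ecdh": "HIGH:MEDIUM:!ADH:!MD5:!ECDH",
}


def parse_ssllabs(text: str) -> list:
    """Parse IANA-style suite lines; 'anonymous' means the suite authenticates no one."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, code, _flag, bits = m.groups()
        rows.append({
            "name": name,
            "id": int(code, 16),
            "bits": int(bits),
            "anonymous": "_anon_" in name,
            "legacy_cipher": any(t in name for t in ("RC4", "3DES", "_NULL_", "EXPORT")),
        })
    return rows


def expand(cipher_string: str) -> list:
    """Expand an OpenSSL cipher string into the suites it selects, via the linked libssl."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def is_anonymous(suite: dict) -> bool:
    # OpenSSL reports unauthenticated suites as auth-null ("Au=None" in the description)
    return suite.get("auth") == "auth-null" or "Au=None" in suite.get("description", "")


def summarize(cipher_string: str) -> dict:
    """Count suites, list any anonymous ones, and count forward-secret key exchanges."""
    suites = expand(cipher_string)
    return {
        "count": len(suites),
        "anonymous": sorted(s["name"] for s in suites if is_anonymous(s)),
        "ecdhe": sum(1 for s in suites if s["kea"] == "kx-ecdhe"),
        "dhe": sum(1 for s in suites if s["kea"] == "kx-dhe"),
    }


def demo() -> dict:
    flagged = [r["name"] for r in parse_ssllabs(SSLLABS_LINES) if r["anonymous"]]
    report = {"ssllabs_anonymous": flagged}
    for label, cipher_string in STRINGS.items():
        report[label] = summarize(cipher_string)
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Neither string leaves an anonymous suite, which is what the grade depends on; the `ecdhe` count is where they part ways, and it is the number to watch if a cipher string is tuned further, since `!ECDH` silently costs ECDHE forward secrecy while `!aNULL` targets only the suites SSL Labs complained about.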

GoogleCodeExporter commented 8 years ago
TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)   INSECURE      256
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)   INSECURE     112
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)   INSECURE      128
TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016)   INSECURE      128

Original comment by snbtruck...@gmail.com on 14 May 2014 at 9:08

GoogleCodeExporter commented 8 years ago
Port 43

Original comment by 208.426....@gmail.com on 31 Oct 2014 at 6:04