paypal / SeLion

Enabling Test Automation in Java
http://selion.io
Apache License 2.0

[SECURITY] Releases are published insecurely #387

Closed JLLeitschuh closed 5 years ago

JLLeitschuh commented 5 years ago

CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-494: Download of Code Without Integrity Check

The build files indicate that this project is uploading artifacts over HTTP instead of HTTPS. Any of these artifacts could have been MITM'd to maliciously compromise them and infect the build artifacts that were produced. Additionally, if any of these JARs or other dependencies were compromised, any developers using these could continue to be infected past updating to fix this.

This vulnerability has a CVSS v3.0 Base Score of 8.1/10 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

This isn't just theoretical

POC code has existed since 2014 to maliciously compromise a JAR file in flight. See:

MITM Attacks Increasingly Common

See:

These Vulnerabilities are Considered "Out Of Scope" by the PayPal Security Team

I originally reported this vulnerability privately to the PayPal bug bounty program but it was determined to be "Out Of Scope" by the HackerOne team that pre-filters these reports.

If this is considered a security vulnerability, I'd advise the PayPal team to communicate this to the HackerOne team.

Here is the link to my original report: https://hackerone.com/reports/504119

Source Locations

Insecure Download

https://github.com/paypal/NNAnalytics/blob/4701020d582e002fe6982483adf86f5d99298d65/build.gradle#L136-L138

https://github.com/paypal/gimel/blob/33192730edd6741ef459fba98b84e20d4f3ff980/pom.xml#L42-L58

https://github.com/paypal/spring-social-security-paypal-openidconnect-quickstart/blob/6a57453c67e404652f966f8414943008ec2da74c/pom.xml#L203-L224

https://github.com/paypal/aurora/blob/a2021e6829fb6024eac45f4afe54e2fbc70b847c/grails-app/conf/BuildConfig.groovy#L45

WARNING! If any of these builds are using a shared or re-used ~/.gradle or ~/.m2 cache between builds and any of these downloads were maliciously compromised, the compromised jar may remain inside of cache directory and continue to be used in the future.

Insecure Upload

Passwords in this upload are being sent in plaintext and should be considered compromised!

https://github.com/paypal/digraph-parser/blob/3a947dd99e521c23da657bd56cb85f46bca56fa6/pom.xml#L21-L30

https://github.com/paypal/Gibberish-Detector-Java/blob/034bbbcce7bf5d4099e02a64362b31bddbbb29de/pom.xml#L40-L43

https://github.com/paypal/SeLion/blob/248163ce623b3d8a6c0444c677a2cedce2aec823/pom.xml#L70-L73

Fix and Public Disclosure

At a minimum, all of these code locations where artifacts are uploaded insecurely need to be fixed. Previous releases should be rebuilt with the fix applied. The checksums of the released artifacts and of artifacts built in a trusted environment should be compared. If the checksums match, you can be certain that they weren't compromised.

If the checksums don't match, indicating a compromised artifact, CVE numbers need to be issued for the potentially malicious artifacts.

The ability to check if checksums match assumes that these projects have reproducible builds.
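As an added example (not code from this issue, the reporter, or the SeLion project), a small Python scanner that flags plain-HTTP repository URLs in Maven and Gradle build files and tells the two cases in the report apart: download repositories (CWE-494) versus deploy targets, where the credentials also travel in the clear. The pom.xml and build.gradle it inspects are constructed samples, not any PayPal repository's files, and the host names in them are made up.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample build files (not taken from any PayPal repository).
# Each declares one plain-HTTP repository alongside HTTPS ones so the
# scanner has something to flag.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
  <repositories>
    <repository>
      <id>insecure-mirror</id>
      <url>http://repo.example.org/maven2</url>
    </repository>
    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2</url>
    </repository>
  </repositories>
  <distributionManagement>
    <repository>
      <id>releases</id>
      <url>http://nexus.example.org/repository/releases</url>
    </repository>
  </distributionManagement>
</project>
"""

SAMPLE_GRADLE = """repositories {
    maven { url "http://repo.example.org/maven2" }
    maven { url = 'https://plugins.gradle.org/m2/' }
    mavenCentral()
}
"""

# Which POM sections hold repository URLs, and what a plain-HTTP URL there
# means: 'download' = code fetched without integrity protection (CWE-494),
# 'upload' = deploy credentials and artifacts sent in the clear.
SECTION_ROLES = {
    "repositories": "download",
    "pluginRepositories": "download",
    "distributionManagement": "upload",
}
REPO_TAGS = {"repository", "pluginRepository", "snapshotRepository"}


def _local(tag: str) -> str:
    """Strip the XML namespace prefix ('{uri}tag') from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _is_plain_http(url: str) -> bool:
    return url.strip().lower().startswith("http://")


def insecure_maven_urls(pom_xml: str) -> List[Tuple[str, str]]:
    """Return (role, url) for each plain-HTTP repository URL in a pom.xml.

    Walks the whole tree, so repositories declared inside <profiles> are
    covered too. Only <url> elements are inspected: the xmlns URI on
    <project> is also 'http://...' but is an identifier, not a download,
    which is why a naive grep for 'http://' over-reports.
    """
    findings = []
    root = ET.fromstring(pom_xml)
    for section in root.iter():
        role = SECTION_ROLES.get(_local(section.tag))
        if role is None:
            continue
        for repo in section:
            if _local(repo.tag) not in REPO_TAGS:
                continue
            for child in repo:
                if _local(child.tag) == "url" and child.text and _is_plain_http(child.text):
                    findings.append((role, child.text.strip()))
    return findings


# Matches `url "http://..."`, `url = "http://..."` and `url("http://...")`
# in Groovy/Kotlin Gradle scripts; an https:// URL does not match.
GRADLE_URL_RE = re.compile(r"""\burl\s*[=(]?\s*['"](http://[^'"]+)['"]""")


def insecure_gradle_urls(build_gradle: str) -> List[str]:
    """Return plain-HTTP repository URLs found in a build.gradle(.kts)."""
    return GRADLE_URL_RE.findall(build_gradle)


if __name__ == "__main__":
    for role, url in insecure_maven_urls(SAMPLE_POM):
        print(f"pom.xml: insecure {role} repository {url}")
    for url in insecure_gradle_urls(SAMPLE_GRADLE):
        print(f"build.gradle: insecure repository {url}")
```

To audit a real checkout, read each pom.xml and build.gradle and pass the contents to the two functions in place of the samples. Note that this only catches URLs written in the build files themselves; repositories injected from ~/.m2/settings.xml or an init script need the same check, and a poisoned ~/.m2 or ~/.gradle cache is not detected by looking at build files at all, which is why the warning above about shared caches matters. Newer Maven releases (3.8.1 and later) block external plain-HTTP repositories by default, but that does not help projects pinned to older versions or builds that run with that blocker removed.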

mach6 commented 5 years ago

Addressed with https://github.com/paypal/SeLion/commit/0f01745f9ec00aed4543c6a75aa82df7a226e2f0

JLLeitschuh commented 5 years ago

@mach6 Will you be auditing previous releases? Also, can you communicate this vulnerability to the PayPal security team? It got bounced by the HackerOne team who pre-filters reports.

JLLeitschuh commented 5 years ago

@mach6 Would you like me to file for the CVE number? Or can you? I've got a lot on my plate, so if you can do so, that would be good.

https://cve.mitre.org/cve/request_id.html

JLLeitschuh commented 5 years ago

Ping!