Closed JLLeitschuh closed 5 years ago
@mach6 Will you be auditing previous releases? Also, can you communicate this vulnerability to the PayPal security team? It got bounced by the HackerOne team who pre-filters reports.
@mach6 Would you like me to file for the CVE number? Or can you? I've got a lot on my plate, so if you can do so, that would be good.
Ping!
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-494: Download of Code Without Integrity Check
The build files indicate that this project is uploading artifacts over HTTP instead of HTTPS. Any of these artifacts could have been MITM'd to maliciously compromise them and infect the build artifacts that were produced. Additionally, if any of these JARs or other dependencies were compromised, any developers using these could continue to be infected past updating to fix this.
This vulnerability has a CVSS v3.0 Base Score of 8.1/10 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
This isn't just theoretical
POC code has existed since 2014 to maliciously compromise a JAR file inflight. See:
MITM Attacks Increasingly Common
See:
These Vulnerabilities are Considered "Out Of Scope" by the PayPal Security Team
I originally reported this vulnerability privately to the PayPal bug bounty program but it was determined to be "Out Of Scope" by the HackerOne team that pre-filters these reports.
If this is considered a security vulnerability, I'd advise the PayPal team to communicate this to the HackerOne team.
Here is the link to my original report: https://hackerone.com/reports/504119
Source Locations
Insecure Download
https://github.com/paypal/NNAnalytics/blob/4701020d582e002fe6982483adf86f5d99298d65/build.gradle#L136-L138
https://github.com/paypal/gimel/blob/33192730edd6741ef459fba98b84e20d4f3ff980/pom.xml#L42-L58
https://github.com/paypal/spring-social-security-paypal-openidconnect-quickstart/blob/6a57453c67e404652f966f8414943008ec2da74c/pom.xml#L203-L224
https://github.com/paypal/aurora/blob/a2021e6829fb6024eac45f4afe54e2fbc70b847c/grails-app/conf/BuildConfig.groovy#L45
WARNING! If any of these builds are using a shared or re-used ~/.gradle or ~/.m2 cache between builds and any of these downloads were maliciously compromised, the compromised jar may remain inside of the cache directory and continue to be used in the future.
Insecure Upload
Passwords in this upload are being sent in plaintext and should be considered compromised!
https://github.com/paypal/digraph-parser/blob/3a947dd99e521c23da657bd56cb85f46bca56fa6/pom.xml#L21-L30
https://github.com/paypal/Gibberish-Detector-Java/blob/034bbbcce7bf5d4099e02a64362b31bddbbb29de/pom.xml#L40-L43
https://github.com/paypal/SeLion/blob/248163ce623b3d8a6c0444c677a2cedce2aec823/pom.xml#L70-L73
Fix and Public Disclosure
At a minimum, all of these code locations where artifacts are uploaded insecurely need to be fixed. Previous releases should be rebuilt with the fix applied. The checksums of the released artifacts and of artifacts built in a trusted environment should be compared. If the checksums match, you can be certain that they weren't compromised.
If the checksums don't match, indicating a compromised artifact, CVE numbers need to be issued for the potentially malicious artifacts.
The ability to check if checksums match assumes that these projects have reproducible builds.
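Added example (not code from this issue or from the PayPal projects): a small scanner that flags plaintext-HTTP repository URLs in Maven and Gradle/Grails build files, the pattern reported above, plus the SHA-256 comparison of a released artifact against a trusted rebuild that the fix section calls for. Sample build-file contents and hostnames are constructed placeholders.

```python
# Added example, not code from the issue or the PayPal projects: flag plaintext-HTTP
# repository URLs in Maven and Gradle/Grails build files, and compare a released
# artifact with a trusted rebuild by SHA-256, as the "Fix" section asks.
import hashlib
import re
import xml.etree.ElementTree as ET

# Tags whose <url> child is a download/upload repository; the project homepage <url> is not flagged.
REPO_TAGS = {"repository", "pluginRepository", "snapshotRepository"}
# Gradle url "..." / url = "..." / url("...") and Grails BuildConfig mavenRepo "..." forms.
GRADLE_HTTP = re.compile(r"""(?:url|mavenRepo)\s*[=(]?\s*['"](http://[^'"]+)['"]""")

def insecure_urls_in_pom(pom_xml: str) -> list:
    """Return http:// URLs of repositories declared in a pom.xml."""
    root = ET.fromstring(pom_xml)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    found = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # strip the POM XML namespace if present
        parent_tag = parent_of[el].tag.split("}")[-1] if el in parent_of else ""
        url = (el.text or "").strip()
        if tag == "url" and parent_tag in REPO_TAGS and url.lower().startswith("http://"):
            found.append(url)
    return found

def insecure_urls_in_gradle(build_script: str) -> list:
    """Return http:// repository URLs in a build.gradle or Grails BuildConfig.groovy."""
    return GRADLE_HTTP.findall(build_script)

def checksums_match(released: bytes, trusted_rebuild: bytes) -> bool:
    """True when the published artifact is byte-identical to a trusted rebuild
    (meaningful only if the build is reproducible, as the report notes)."""
    return hashlib.sha256(released).digest() == hashlib.sha256(trusted_rebuild).digest()

# Constructed sample inputs; hostnames are placeholders, not real repositories.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <url>http://example.invalid/homepage</url>
  <repositories>
    <repository><id>a</id><url>https://repo.example.invalid/secure</url></repository>
  </repositories>
  <distributionManagement>
    <repository><id>b</id><url>http://repo.example.invalid/releases</url></repository>
  </distributionManagement>
</project>"""
SAMPLE_GRADLE = """repositories {
    mavenCentral()
    maven { url "http://repo.example.invalid/plain" }
}
mavenRepo "http://grails.example.invalid/plugins"
"""
```

Running the scanner over a checked-out tree and failing CI on any finding turns the report's manual link list into a repeatable check; the checksum comparison only proves anything once the build is reproducible.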