Date: Fri, 28 Jul 2017 02:07:57 -0500
From: Oscar Martinez <oscarmrdc@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Broken mutual tls authentication on bluemix

# Date : 07/28/2017
# Author : Oscar Martinez
# Vendor : IBM
# Software : bluemix https://www.ibm.com/cloud-computing/bluemix/

# Vulnerability Description:
You can use routes in your container group to access your server.
If you want to protect it, you can use mutual TLS authentication (
https://developer.ibm.com/apiconnect/2016/07/06/securing-apic-bm-app-mutual-tls/
)
So, if you want to connect to your Bluemix application (container group
with route https://<yourdomain>/), you should have to send your client certificate.
BUT any user CAN access it without the client certificate.

1. Use
https://developer.ibm.com/apiconnect/2016/07/06/securing-apic-bm-app-mutual-tls/
to set up mutual TLS authentication.
https://<yourdomain> is configured with a custom domain in Bluemix (Bluemix
Dashboard > Manage Organizations > Domains > Add Domain) to force mutual
TLS authentication, and routed with the custom domain to your application (Go
to the Application Overview page > Edit Routes and App Access).

2. Normal behaviour: User should send the client certificate
openssl s_client -connect <yourdomain>:443 -servername <yourdomain>

3. Abnormal behaviour: User DOESN'T need to send the client certificate
openssl s_client -connect <yourdomain>:443
GET / HTTP/1.0

This is because the Bluemix server (the one that does the routing) has 2
certificates:
1. CN=*.mybluemix.net (this route doesn't appear in the GUI - container
group routing) and doesn't force the use of the client certificate.
2. The custom uploaded certificate, CN=<yourdomain>.
Without -servername (no SNI) the connection is served by certificate 1, so
the client certificate is never requested.
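As an added check (an example script, not part of the advisory or of IBM's tooling): a POSIX shell script that runs the two handshakes from steps 2 and 3 against your own route and reports whether a client certificate is demanded in both cases. <yourdomain> stays a placeholder; it assumes OpenSSL 1.1.1 or later, whose s_client sends SNI by default and needs -noservername to reproduce the no-SNI case.

```shell
#!/bin/sh
# Added check (not from the advisory): does the route ask for a client
# certificate both with and without SNI? Needs OpenSSL >= 1.1.1 for the
# -noservername option (older s_client only sends SNI with -servername).

# Exit 0 when an `openssl s_client -msg` transcript contains a
# CertificateRequest handshake message, i.e. the server asked for a client cert.
cert_request_seen() {
    printf '%s\n' "$1" | grep -q 'CertificateRequest'
}

# One handshake against HOST:PORT; MODE is "sni" or "nosni". Prints the raw
# s_client transcript; openssl's exit status is ignored because a server that
# requires a certificate aborts the handshake when none is offered.
probe() {
    host=$1; port=$2; mode=$3
    case $mode in
        sni)   openssl s_client -connect "$host:$port" -servername "$host" -msg </dev/null 2>&1 || true ;;
        nosni) openssl s_client -connect "$host:$port" -noservername -msg </dev/null 2>&1 || true ;;
    esac
}

# "enforced": both handshakes got a CertificateRequest.
# "sni-bypass": only the SNI handshake did (the fallback certificate, like
#              CN=*.mybluemix.net in the advisory, does not require one).
# "none": neither did.
classify() {
    if cert_request_seen "$1" && cert_request_seen "$2"; then
        echo enforced
    elif cert_request_seen "$1"; then
        echo sni-bypass
    else
        echo none
    fi
}

# Constructed sample transcripts (not real captures) in s_client -msg format.
SAMPLE_SNI='<<< TLS 1.2, Handshake [length 0052], Certificate
<<< TLS 1.2, Handshake [length 0009], CertificateRequest
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone'
SAMPLE_NOSNI='<<< TLS 1.2, Handshake [length 0052], Certificate
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone'

# Usage: sh check_mtls_sni.sh <yourdomain> [port]
if [ -n "${1:-}" ]; then
    classify "$(probe "$1" "${2:-443}" sni)" "$(probe "$1" "${2:-443}" nosni)"
fi
```

A result of sni-bypass on your own route is the condition the advisory describes; enforced is what a correctly configured custom domain should report.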

Time Line
---------
* 06/21/2017: First contact with vendor (
https://www.ibm.com/scripts/contact/contact/us/en/security_vulnerabilities/)
* 06/22/2017: IBM PSIRT assigned PSIRT Advisory <8944>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/