lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAJrZ1ofgxH_XphinBczDX4TvhJXgb7i9MAOq-y7e=0WFFZ91UQ@mail.gmail.com>
Date: Fri, 28 Jul 2017 02:07:57 -0500
From: Oscar Martinez <oscarmrdc@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Broken mutual tls authentication on bluemix

# Date : 07/28/2017
# Author : Oscar Martinez
# Vendor : IBM
# Software : bluemix https://www.ibm.com/cloud-computing/bluemix/

# Vulnerability Description:
You can use routes in your container group to access your server.
If you want to protect it, you can use mutual tls authentication (
https://developer.ibm.com/apiconnect/2016/07/06/securing-apic-bm-app-mutual-tls/
)
So, if you want to connect to your bluemix application (container group
with route https://<yourdomain>/), you should send your client certificate.
BUT, any user CAN acces it without the client certificate.

1.Use
https://developer.ibm.com/apiconnect/2016/07/06/securing-apic-bm-app-mutual-tls/
to have mutual tls authentication
https://<yourdomain> is configurated with custom domain in Bluemix (Bluemix
Dashboard > Manage Organizations > Domains > Add Domain) to force mutual
tls authentication and route with the custom domain to your application (Go
to the Application Overview page > Edit Routes and App Access).

2. Normal behaviour: User should send the client certificate
openssl s_client -connect <yourdomain>:443 -servername <yourdomain>

3. Abnormal behaviour: User DON'T need to send the client certificate
openssl s_client -connect <yourdomain>:443
GET / HTTP/1.0

It is because the bluemix server (that does the routing) have 2
certificates.
1. CN=*.mybluemix.net (this route doesn't appear at the gui - containers
group routing) and doesn't force the use of the client certificate.
2. the custom uploaded certificate, CN=<yourdomain>

Time Line
---------
* 06/21/2017: First contact with vendor (
https://www.ibm.com/scripts/contact/contact/us/en/security_vulnerabilities/)
* 06/22/2017: IBM PSIRT assigned PSIRT Advisory <8944>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ