Notes on client side heartbleed vulnerabilities


#1

I just stumbed across this repo with tests for client-side heartbleed
vulnerabilities:

I validated that remote_file to an SSL url is exploitable using omnibus
chef-client 11.10.4 on ubuntu-13.10 (and it should not matter what
distro you use since omnibus uses a consistent openssl verison). The
current 11.12.2 release is not exploitable with that script. I also
validated that Chef::REST connections are similarly exploitable in
11.10.4 and not in 11.12.2. It looks like this code is also a proof of
concept that on the client side you can MITM the connection and attack
the client before cert validation, so ssl_verify_mode :verify_peer in
client.rb does not mitigate the attack.

Obviously, though, you have to use SSL for the attack to succeed so
remote_file requests to http:// urls are not vulnerable, and you can use
non-SSL connections for your chef_server_url, although that probably
opens you up to worse vulnerabilities for attackers with the same level
of access they’d need in order to exploit client-side heartbleed.

The remote_file side of the exploit is probably worse, since that could
be servers on the internet outside of your domain of control. The
chef_server would require MITM’ing your TCP connection to your chef
server which is a level of network access that would cause the security
at most sites to crumble in much easier ways.

Interestingly, the commit that introduced heartbleed to our omnibus
codebase was mine:

Which was on Fri Dec 28 11:03:28 2012

It looks like omnibus Chef 11.0.0 was shipped with vulnerable openssl,
and 10.16.4 was the first 10.x omnibus chef-client which shipped with it
(of course if you’re running pre-10.16.4 chef then you’ve still got
vulnerable libyaml and numerous other ruby security bugs from the past
18 months or so to worry about…)

I’m not sure about which OSS/EC chef-server versions would have been
vulnerable, but since the omnibus-software codebase is shared, anything
released in 2013 (after my commit) would be vulnerable.

Hopefully none of this is shocking news to anyone following the impact
of this bug. Advice to upgrade your chef-client, chef-server and regen
all your key material is unchanged: