
Bug 522994 (CVE-2014-3616)

Summary: <www-servers/nginx-1.7.6: virtual host confusion (CVE-2014-3616)
Product: Gentoo Security
Component: Vulnerabilities
Status: RESOLVED FIXED
Severity: minor
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Reporter: Agostino Sarubbo <ago>
Assignee: Gentoo Security <security>
CC: anthonyryan1, bugs, dev-zero, limanski, proxy-maint, steffen.weber, whissi
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1142573
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Attachments: D, ED, EROOT and NGINX_HOME_TMP usage corrected (flags: none)

Description Agostino Sarubbo gentoo-dev 2014-09-17 08:09:51 UTC
From ${URL} :

Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered a virtual host confusion issue in nginx, allowing HTTPS connections for one origin to be redirected to the virtual host of a different origin. This leads to a variety of issues, such as cookie theft and session hijacking. It could be triggered from a cross-site scripting flaw, tricking a user into visiting a malicious URL, and so on.

The upstream changelog describes the issue as:

""
it was possible to reuse SSL sessions in unrelated contexts
if a shared SSL session cache or the same TLS session ticket key was
used for multiple "server" blocks
""

Full details and some mitigation strategies are available in their paper:

http://bh.ht.vc/vhost_confusion.pdf

It is reported that this issue affected nginx versions 0.5.6 to 1.7.4, and has been fixed in the 1.6.2 and 1.7.5 releases:

http://mailman.nginx.org/pipermail/nginx-announce/2014/000147.html

Upstream patch:

http://trac.nginx.org/nginx/changeset/5841/nginx

External References:

http://bh.ht.vc/vhost_confusion.pdf


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
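
An added example, not part of the original bug report or of nginx itself: a small Python audit that reads an nginx configuration and reports which `ssl_session_cache` shared zones or `ssl_session_ticket_key` files are in effect for more than one `server` block, the condition the upstream changelog names. The sample configuration, host names and key paths are constructed, and the tokenizer is simplified (no quoted strings, no `include` handling).

```python
import re
from collections import defaultdict

# Constructed sample, not from the bug report: two origins inherit one shared cache.
SAMPLE_CONF = """
http {
    ssl_session_cache shared:SSL:10m;
    server { listen 443 ssl; server_name shop.example; }
    server { listen 443 ssl; server_name blog.example;
             ssl_session_ticket_key /etc/nginx/blog.key; }
    server { listen 443 ssl; server_name admin.example; ssl_session_cache shared:ADMIN:5m;
             ssl_session_ticket_key /etc/nginx/admin.key; }
}
"""

def effective(name, block, parents):
    """nginx inheritance: the innermost level that sets a directive wins."""
    for ctx in [block] + parents[::-1]:
        if name in ctx:
            return ctx[name]
    return []

def shared_session_state(conf):
    """Return {cache zone or ticket key: [server_names]} in effect for >1 server block."""
    # Simplified tokenizer (assumption): plain directives only, no quoted strings.
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", conf))
    stack, words, servers = [{}], [], []
    for tok in tokens:
        if tok not in ("{", ";", "}"):
            words.append(tok)
            continue
        if tok == "{":
            stack.append({"_block": words[0] if words else ""})
        elif tok == ";" and words:
            stack[-1].setdefault(words[0], []).append(words[1:])
        elif tok == "}" and len(stack) > 1:
            block = stack.pop()
            if block["_block"] == "server":
                servers.append((block, list(stack)))  # parents stay live objects
        words = []
    users = defaultdict(set)
    for i, (block, parents) in enumerate(servers):
        names = " ".join(sum(block.get("server_name", [[f"server#{i}"]]), []))
        for args in effective("ssl_session_cache", block, parents):
            for zone in (a.split(":")[1] for a in args if a.startswith("shared:")):
                users["cache " + zone].add(names)
        for args in effective("ssl_session_ticket_key", block, parents):
            users["ticket key " + " ".join(args)].add(names)
    return {k: sorted(v) for k, v in users.items() if len(v) > 1}
```

On a host still running a version in the affected range stated above, each entry returned is a set of virtual hosts whose TLS sessions can be resumed against one another.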
Comment 1 Johan Bergström 2014-09-17 08:17:04 UTC
Thanks for the bug report. We'll update nginx shortly.
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-09-18 17:53:11 UTC
*** Bug 523146 has been marked as a duplicate of this bug. ***
Comment 3 Mike Limansky 2014-09-24 17:54:05 UTC
Any news on this bug? 

I've just checked, it emerges successfully with renamed ebuild.
Comment 4 Darko Luketic 2014-10-01 21:06:57 UTC
1.7.6 is out

Changes with nginx 1.7.6                                         30 Sep 2014

    *) Change: the deprecated "limit_zone" directive is not supported
       anymore.

    *) Feature: the "limit_conn_zone" and "limit_req_zone" directives now
       can be used with combinations of multiple variables.

    *) Bugfix: request body might be transmitted incorrectly when retrying a
       FastCGI request to the next upstream server.

    *) Bugfix: in logging to syslog.
Comment 5 Johan Bergström 2014-10-02 03:22:48 UTC
1.7.5 is in the nginx-overlay (https://github.com/gentoo/nginx-overlay/tree/nginx-1.7.5). I will bump to 1.7.6. Since I'm not a gentoo dev just yet, the co-maintainers need to help out. I've been talking to them and they will assist shortly.
Comment 6 Johan Bergström 2014-10-02 08:36:26 UTC
Just bumped to 1.7.6 in our overlay. Please test: https://github.com/gentoo/nginx-overlay/pull/12
Comment 7 Agostino Sarubbo gentoo-dev 2014-10-02 12:41:59 UTC
*** Bug 524254 has been marked as a duplicate of this bug. ***
Comment 8 Thomas Deutschmann gentoo-dev Security 2014-10-02 18:40:07 UTC
Created attachment 385948 [details, diff]
D, ED, EROOT and NGINX_HOME_TMP usage corrected

(In reply to Johan Bergström from comment #6)
> Just bumped to 1.7.6 in our overlay. Please test:
> https://github.com/gentoo/nginx-overlay/pull/12

Looks good. Passed my test suite ;)

Two things I noticed:
1) Wrong usage of D, ED, EROOT... some variables end with a slash, some don't. See my attached diff. Nothing important but... ;)

Related to bug #465772.


2) When I set the "luajit" USE flag but don't have dev-lang/luajit installed, that's not a fatal error. Well, I only saw this, because I was testing using the "ebuild" command which doesn't pull in dependencies... but I was wondering that nginx only said

>>> Configuring source in /var/tmp/portage/www-servers/nginx-1.7.6/work/nginx-1.7.6 ...
Package luajit was not found in the pkg-config search path.
Perhaps you should add the directory containing `luajit.pc'
to the PKG_CONFIG_PATH environment variable
No package 'luajit' found
Package luajit was not found in the pkg-config search path.
Perhaps you should add the directory containing `luajit.pc'
to the PKG_CONFIG_PATH environment variable
No package 'luajit' found
[...]
adding module in /var/tmp/portage/www-servers/nginx-1.7.6/work/lua-nginx-module-0.9.12
checking for Lua library ... found
checking for export symbols by default (-E) ... found
checking for export symbols by default (--export-all-symbols) ... not found
checking for SO_PASSCRED ... found
 + ngx_http_lua_module was configured
[...]

but build succeeded.
Comment 9 Johan Bergström 2014-10-03 00:14:07 UTC
@Thomas: Thanks for your review. I'll look at your suggestions and incorporate them in the overlay.

As for further review, either contact me directly (jbergstroem@fnode), file a pull request at github or open a new bug in the bugzilla; I don't want to clutter security people's inboxes for ebuild refinements. The changes you suggest don't warrant holding the security bump back (imo). Thanks again.
Comment 10 Tiziano Müller (RETIRED) gentoo-dev 2014-10-15 10:20:55 UTC
Sorry for the delay, 1.7.6 is now in the tree, although without the corrections mentioned here.
Comment 11 Manuel Rüger (RETIRED) gentoo-dev 2014-10-15 13:07:49 UTC
Is there any reason why you dropped keywords?
Comment 12 Agostino Sarubbo gentoo-dev 2014-10-15 16:05:43 UTC
Arches, please test and mark stable:
=www-servers/nginx-1.7.6
Target keywords : "amd64 x86"
Comment 13 Agostino Sarubbo gentoo-dev 2014-10-15 19:02:30 UTC
amd64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-10-15 19:03:29 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 15 Tiziano Müller (RETIRED) gentoo-dev 2014-10-17 07:11:36 UTC
(In reply to Agostino Sarubbo from comment #14)
> x86 stable.
> 
> Maintainer(s), please cleanup.

done.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 01:27:30 UTC
CVE-2014-3616 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3616):
  nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or
  ssl_session_ticket_key for multiple servers, can reuse a cached SSL session
  for an unrelated context, which allows remote attackers with certain
  privileges to conduct "virtual host confusion" attacks.
Comment 17 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-01-05 00:16:04 UTC
GLSA Vote: Yes
Comment 18 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-01-05 00:38:14 UTC
GLSA vote: no.
Comment 19 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-01-05 00:39:31 UTC
Oops, wrong bug. Vote yes. Request filed.
Comment 20 Sean Amoss (RETIRED) gentoo-dev Security 2015-01-17 22:11:10 UTC
Cleanup was done.

GLSA drafted and ready for peer review.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2015-02-07 20:49:29 UTC
This issue was resolved and addressed in
 GLSA 201502-06 at http://security.gentoo.org/glsa/glsa-201502-06.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).