Project

General

Profile

Bug #25705

Use HTTPS for updates

Added by Will Dormann about 2 years ago. Updated 8 months ago.

Status:
Done
Priority:
No priority
Assignee:
Sean Fagan
Category:
OS
Target version:
11.2-U2
Seen in:
11.0-U2
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
No
Needs Merging:
No
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

Upon installing an update on a FreeNAS system, I noticed the following in /var/log/debug.log

Aug 28 08:57:38 HOSTNAME updated.py: [freenasOS.Configuration:767] TryGetNetworkFile([u'http://update.ixsystems.com/FreeNAS/Packages/base-os-9.10.2-U6-f6fe96f39c77c8db48c23815e290c103.tgz', u'http://update-master.ixsystems.com/FreeNAS/Packages/base-os-9.10.2-U6-f6fe96f39c77c8db48c23815e290c103.tgz']):  Read 29360128 bytes

This seems to be a pretty clear indication that FreeNAS is insecurely checking for updates. (Note the use of "HTTP" instead of "HTTPS").
FreeNAS should update itself in a secure manner. While the update mechanism appears to check the signature of the downloaded update:

Aug 28 09:02:03 HOSTNAME updated.py: [freenasOS.Manifest:448] Verify command = ['/usr/local/libexec/verify_signature', '-K', '/usr/local/share/certs/Production.pem', '-C', '/usr/local/share/certs/iX-CA.pem', '-S', u'DkFKkgqcePwGMZ9JkZxg0bzUCYAvl0aOXjqicTqgVSMbji2q4GGh6UD/NXoMTmOlDxCl66Q6jCY1Sj6calFtExMg2NYR2jWgTRvY7f1qBDsk9oez5IBD6eRiqtqlvJhLylHVRztVIhGMgzg7p9t82wn9yqRBPaNV5gAw19KeHmeJYlI2ISAS/0NDBWtAdo3OeZh2zp0lWwoqXIkhih6GSBZFMc6klcxGUgGFLlbpwtClt7EvlJl3FhIYq5CpuyuLVggL1IgWKN1qv9Xd789VUDMefyQ6CM3zTzsHlpd4ZHzHOzkV9kfHluNNRYIGU96mmBxm2PMNZJoWDaTFoj5fhw==', '-R', '/tmp/tmphy0KCB.pem']
Aug 28 09:02:03 HOSTNAME updated.py: [freenasOS.Manifest:464] Signature check succeeded

using an insecure channel (HTTP) for updates still may leave open the possibility of an attacker to perform a "downgrade" or other attack. Even just the process of checking for updates could put a system at risk, e.g. if FreeNAS doesn't sanitize the data obtained from e.g. <http://update-master.ixsystems.com/FreeNAS/FreeNAS
-9.10-STABLE/ChangeLog.txt>

For more info, see:
https://insights.sei.cmu.edu/cert/2017/06/the-consequences-of-insecure-software-updates.html

Screen Shot 2019-01-30 at 11.01.45 AM.png (124 KB) Screen Shot 2019-01-30 at 11.01.45 AM.png Jeff Ervin, 01/30/2019 08:29 AM
51393

Related issues

Related to FreeNAS - Bug #54765: Middleware must use HTTPS for downloads Closed
Has duplicate FreeNAS - Bug #51039: System > Update shows "Update Server" with http URL, not httpsClosed

Associated revisions

Revision 7969e8aa (diff)
Added by Sean Fagan 9 months ago

In order to support https for the update sites, I needed to switch to a different module/package for handling the downloads. The requests package is already in the system, and appears to handle the cases I want. Ticket: #25705 (cherry picked from commit 8039c24785f8d0abdb384af995321f489b267588)

History

#1 Updated by Dru Lavigne about 2 years ago

  • Assignee changed from Release Council to Sean Fagan

#2 Updated by Sean Fagan about 2 years ago

  • Status changed from Unscreened to Closed: Not To Be Fixed

#3 Updated by Dru Lavigne about 2 years ago

  • Tracker changed from Bug to Purchase Requests
  • Project changed from FreeNAS to SysAdmin
  • Category changed from 1 to IT Infrastructure
  • Assignee changed from Sean Fagan to David Discher

Reassigning to IT to enable HTTPS on the backend.

#4 Updated by Dru Lavigne about 2 years ago

  • Tracker changed from Purchase Requests to Bug
  • Project changed from SysAdmin to FreeNAS
  • Category changed from IT Infrastructure to Forums/Websites
  • Status changed from Closed: Not To Be Fixed to Unscreened
  • Seen in set to 11.0-U2
  • Hide from ChangeLog set to No
  • ChangeLog Required set to No
  • Needs QA set to Yes
  • QA Status Not Tested added

#5 Updated by Dru Lavigne almost 2 years ago

  • Status changed from Unscreened to 46
  • Assignee changed from David Discher to Kris Moore

Any ETA from IT when this might happen?

#6 Avatar?id=14398&size=24x24 Updated by Kris Moore almost 2 years ago

  • Status changed from 46 to Screened

I'll work with David to see when we can get https:// across the board enabled.

#8 Updated by Ross Morris almost 2 years ago

Kris Moore wrote:

I'll work with David to see when we can get https:// across the board enabled.

Hi Kris! Would that include www.freenas.org as well or would that be better covered in a new issue? I went to look up something on the website and was quite saddened to see https:// redirect to http:// instead of the other way around

#9 Avatar?id=14398&size=24x24 Updated by Kris Moore almost 2 years ago

Yea, we'll need a new ticket for Web team to do the https switchover.

#10 Updated by Dru Lavigne almost 2 years ago

  • Target version set to 11.2-BETA1

#11 Updated by Dru Lavigne over 1 year ago

  • Status changed from Screened to Not Started

#12 Updated by Dru Lavigne over 1 year ago

  • Status changed from Not Started to In Progress

#14 Avatar?id=13649&size=24x24 Updated by Ben Gadd over 1 year ago

  • Due date set to 03/09/2018

#15 Updated by Dru Lavigne over 1 year ago

  • Status changed from In Progress to Blocked
  • Target version changed from 11.2-BETA1 to 11.2-RC2

#16 Avatar?id=13649&size=24x24 Updated by Ben Gadd over 1 year ago

  • Severity set to New

#18 Updated by Dru Lavigne over 1 year ago

  • Assignee changed from Kris Moore to David Discher
  • Target version changed from 11.2-RC2 to Backlog

#19 Updated by Dru Lavigne over 1 year ago

  • Status changed from Blocked to In Progress

#20 Updated by Dru Lavigne 12 months ago

  • Assignee changed from David Discher to Jaron Parsons

#21 Updated by Dru Lavigne 11 months ago

  • Has duplicate Bug #51039: System > Update shows "Update Server" with http URL, not https added

#22 Updated by Warren Block 11 months ago

  • Related to Bug #54765: Middleware must use HTTPS for downloads added

#23 Updated by Sean Fagan 11 months ago

I noticed we did have https support for the mirrors, so I made a PR and asked William to review it.
master PR: https://github.com/freenas/freenas-pkgtools/pull/12
followup master PR: https://github.com/freenas/freenas-pkgtools/pull/13

#24 Updated by Dru Lavigne 11 months ago

  • Category changed from Forums/Websites to OS
  • Assignee changed from Jaron Parsons to Sean Fagan

#25 Updated by Sean Fagan 11 months ago

  • Status changed from In Progress to Ready for Testing

It's in now. Nightlies should get it soon. This is kinda exciting.

#26 Updated by Dru Lavigne 11 months ago

  • Target version changed from Backlog to 11.2-U2

#29 Updated by Dru Lavigne 9 months ago

  • Status changed from Ready for Testing to In Progress

#32 Updated by Sean Fagan 9 months ago

  • Private changed from Yes to No

#36 Updated by Dru Lavigne 8 months ago

  • Status changed from In Progress to Ready for Testing
  • Needs Merging changed from Yes to No

#37 Updated by Dru Lavigne 8 months ago

  • Subject changed from FreeNAS update mechanism should use HTTPS to Use HTTPS for updates

#38 Updated by Bonnie Follweiler 8 months ago

Acceptance Criteria: check to make sure updates continue to work

#40 Updated by Jeff Ervin 8 months ago

51393

Test Passed FreeNAS-11.2-U2-INTERNAL79

Updates continue to work.

#42 Updated by Dru Lavigne 8 months ago

  • Status changed from Passed Testing to Done
  • Needs Doc changed from Yes to No

Also available in: Atom PDF