Bug #25705
Use HTTPS for updates
Description
Upon installing an update on a FreeNAS system, I noticed the following in /var/log/debug.log
Aug 28 08:57:38 HOSTNAME updated.py: [freenasOS.Configuration:767] TryGetNetworkFile([u'http://update.ixsystems.com/FreeNAS/Packages/base-os-9.10.2-U6-f6fe96f39c77c8db48c23815e290c103.tgz', u'http://update-master.ixsystems.com/FreeNAS/Packages/base-os-9.10.2-U6-f6fe96f39c77c8db48c23815e290c103.tgz']): Read 29360128 bytes
This seems to be a pretty clear indication that FreeNAS is insecurely checking for updates. (Note the use of "HTTP" instead of "HTTPS").
FreeNAS should update itself in a secure manner. While the update mechanism appears to check the signature of the downloaded update:
Aug 28 09:02:03 HOSTNAME updated.py: [freenasOS.Manifest:448] Verify command = ['/usr/local/libexec/verify_signature', '-K', '/usr/local/share/certs/Production.pem', '-C', '/usr/local/share/certs/iX-CA.pem', '-S', u'DkFKkgqcePwGMZ9JkZxg0bzUCYAvl0aOXjqicTqgVSMbji2q4GGh6UD/NXoMTmOlDxCl66Q6jCY1Sj6calFtExMg2NYR2jWgTRvY7f1qBDsk9oez5IBD6eRiqtqlvJhLylHVRztVIhGMgzg7p9t82wn9yqRBPaNV5gAw19KeHmeJYlI2ISAS/0NDBWtAdo3OeZh2zp0lWwoqXIkhih6GSBZFMc6klcxGUgGFLlbpwtClt7EvlJl3FhIYq5CpuyuLVggL1IgWKN1qv9Xd789VUDMefyQ6CM3zTzsHlpd4ZHzHOzkV9kfHluNNRYIGU96mmBxm2PMNZJoWDaTFoj5fhw==', '-R', '/tmp/tmphy0KCB.pem'] Aug 28 09:02:03 HOSTNAME updated.py: [freenasOS.Manifest:464] Signature check succeeded
using an insecure channel (HTTP) for updates still may leave open the possibility of an attacker to perform a "downgrade" or other attack. Even just the process of checking for updates could put a system at risk, e.g. if FreeNAS doesn't sanitize the data obtained from e.g. <http://update-master.ixsystems.com/FreeNAS/FreeNAS
-9.10-STABLE/ChangeLog.txt>
For more info, see:
https://insights.sei.cmu.edu/cert/2017/06/the-consequences-of-insecure-software-updates.html
Related issues
Associated revisions
History
#1
Updated by Dru Lavigne almost 2 years ago
Updated by Dru Lavigne - Assignee changed from Release Council to Sean Fagan
#2
Updated by Sean Fagan almost 2 years ago
Updated by Sean Fagan - Status changed from Unscreened to Closed: Not To Be Fixed
#3
Updated by Dru Lavigne almost 2 years ago
- Tracker changed from Bug to Purchase Requests
- Project changed from FreeNAS to SysAdmin
- Category changed from 1 to IT Infrastructure
- Assignee changed from Sean Fagan to David Discher
Reassigning to IT to enable HTTPS on the backend.
#4
Updated by Dru Lavigne almost 2 years ago
- Tracker changed from Purchase Requests to Bug
- Project changed from SysAdmin to FreeNAS
- Category changed from IT Infrastructure to Forums/Websites
- Status changed from Closed: Not To Be Fixed to Unscreened
- Seen in set to 11.0-U2
- Hide from ChangeLog set to No
- ChangeLog Required set to No
- Needs QA set to Yes
- QA Status Not Tested added
#5
Updated by Dru Lavigne over 1 year ago
- Status changed from Unscreened to 46
- Assignee changed from David Discher to Kris Moore
Any ETA from IT when this might happen?
#6
Updated by Kris Moore over 1 year ago
- Status changed from 46 to Screened
I'll work with David to see when we can get https:// across the board enabled.
#8
Updated by Ross Morris over 1 year ago
Updated by Ross Morris Kris Moore wrote:
I'll work with David to see when we can get https:// across the board enabled.
Hi Kris! Would that include www.freenas.org as well or would that be better covered in a new issue? I went to look up something on the website and was quite saddened to see https:// redirect to http:// instead of the other way around
#9
Updated by Kris Moore over 1 year ago
Yea, we'll need a new ticket for Web team to do the https switchover.
#10
Updated by Dru Lavigne over 1 year ago
- Target version set to 11.2-BETA1
#11
Updated by Dru Lavigne over 1 year ago
- Status changed from Screened to Not Started
#12
Updated by Dru Lavigne over 1 year ago
- Status changed from Not Started to In Progress
#14
Updated by Ben Gadd over 1 year ago
- Due date set to 03/09/2018
#15
Updated by Dru Lavigne over 1 year ago
- Status changed from In Progress to Blocked
- Target version changed from 11.2-BETA1 to 11.2-RC2
#16
Updated by Ben Gadd about 1 year ago
- Severity set to New
#18
Updated by Dru Lavigne about 1 year ago
- Assignee changed from Kris Moore to David Discher
- Target version changed from 11.2-RC2 to Backlog
#19
Updated by Dru Lavigne about 1 year ago
- Status changed from Blocked to In Progress
#21
Updated by Dru Lavigne 9 months ago
- Has duplicate Bug #51039: System > Update shows "Update Server" with http URL, not https added
#22
Updated by Warren Block 9 months ago
Updated by Warren Block - Related to Bug #54765: Middleware must use HTTPS for downloads added
#23
Updated by Sean Fagan 8 months ago
I noticed we did have https support for the mirrors, so I made a PR and asked William to review it.
master PR: https://github.com/freenas/freenas-pkgtools/pull/12
followup master PR: https://github.com/freenas/freenas-pkgtools/pull/13
#35
Updated by Dru Lavigne 6 months ago
11.2 PR: https://github.com/freenas/freenas-pkgtools/pull/15
revised master PR: https://github.com/freenas/freenas-pkgtools/pull/16
Updated by Bonnie Follweiler #40
Updated by Jeff Ervin 6 months ago
Updated by Jeff Ervin - File Screen Shot 2019-01-30 at 11.01.45 AM.png Screen Shot 2019-01-30 at 11.01.45 AM.png added
- Status changed from Ready for Testing to Passed Testing
- Needs QA changed from Yes to No
Test Passed FreeNAS-11.2-U2-INTERNAL79
Updates continue to work.
#41
Updated by Timothy Moore II 6 months ago
Updated by Timothy Moore II 
Docs PRs: https://github.com/freenas/freenas-docs/pull/664 [angulargui], https://github.com/freenas/freenas-docs/pull/665 [master]
In order to support https for the update sites, I needed to
switch to a different module/package for handling the downloads.
The requests package is already in the system, and appears to
handle the cases I want.
Ticket: #25705
(cherry picked from commit 8039c24785f8d0abdb384af995321f489b267588)