From 2b5d4b88b49a14102efa02d1d328075ca4d1627c Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Wed, 27 Apr 2022 19:02:43 +0200 Subject: [PATCH 1/4] ecdsautils: verify: fix signature verification (CVE-2022-24884) A vulnerability was found in ecdsautils which allows forgery of ECDSA signatures. An adversary exploiting this vulnerability can create an update manifest accepted by the autoupdater, which can be used to distribute malicious firmware updates by spoofing a Gluon node's connection to the update server. --- ...ignature-verification-CVE-2022-24884.patch | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 patches/packages/packages/0004-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch diff --git a/patches/packages/packages/0004-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch b/patches/packages/packages/0004-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch new file mode 100644 index 0000000000..11cc1bbc7f --- /dev/null +++ b/patches/packages/packages/0004-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch @@ -0,0 +1,73 @@ +From: Matthias Schiffer +Date: Wed, 27 Apr 2022 19:01:39 +0200 +Subject: ecdsautils: verify: fix signature verification (CVE-2022-24884) + +Signed-off-by: Matthias Schiffer + +diff --git a/utils/ecdsautils/Makefile b/utils/ecdsautils/Makefile +index 7f1c76f0301f56b0a88c1f6a1a0147397fde25c7..5ba893be69d40279cd6f5c9e544e941d0011f451 100644 +--- a/utils/ecdsautils/Makefile ++++ b/utils/ecdsautils/Makefile +@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk + + PKG_NAME:=ecdsautils + PKG_VERSION:=0.3.2.20160630 +-PKG_RELEASE:=1 ++PKG_RELEASE:=2 + PKG_REV:=07538893fb6c2a9539678c45f9dbbf1e4f222b46 + PKG_MAINTAINER:=Matthias Schiffer + PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz +diff --git a/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch +new file mode 100644 +index 0000000000000000000000000000000000000000..34d80cc201c0e87ca654c3def4fbbbddf622b0ba +--- /dev/null ++++ b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch +@@ -0,0 +1,48 @@ ++From 1d4b091abdf15ad7b2312535b5b95ad70f6dbd08 Mon Sep 17 00:00:00 2001 ++Message-Id: <1d4b091abdf15ad7b2312535b5b95ad70f6dbd08.1651078760.git.mschiffer@universe-factory.net> ++From: Matthias Schiffer ++Date: Wed, 20 Apr 2022 22:04:07 +0200 ++Subject: [PATCH] verify: fix signature verification (CVE-2022-24884) ++ ++Verify that r and s are non-zero. Without these checks, an all-zero ++signature is always considered valid. ++ ++While it would be nicer to error out in ecdsa_verify_prepare_legacy() ++already, that would require users of libecdsautil to check a return value ++of the prepare step. To be safe, implement the fix in an API/ABI-compatible ++way that doesn't need changes to the users. ++--- ++ src/lib/ecdsa.c | 10 ++++++++++ ++ 1 file changed, 10 insertions(+) ++ ++diff --git a/src/lib/ecdsa.c b/src/lib/ecdsa.c ++index 8cd7722be8cd..a661b56bd7c8 100644 ++--- a/src/lib/ecdsa.c +++++ b/src/lib/ecdsa.c ++@@ -135,6 +135,12 @@ regenerate: ++ void ecdsa_verify_prepare_legacy(ecdsa_verify_context_t *ctx, const ecc_int256_t *hash, const ecdsa_signature_t *signature) { ++ ecc_int256_t w, u1, tmp; ++ +++ if (ecc_25519_gf_is_zero(&signature->s) || ecc_25519_gf_is_zero(&signature->r)) { +++ // Signature is invalid, mark by setting ctx->r to an invalid value +++ memset(&ctx->r, 0, sizeof(ctx->r)); +++ return; +++ } +++ ++ ctx->r = signature->r; ++ ++ ecc_25519_gf_recip(&w, &signature->s); ++@@ -149,6 +155,10 @@ bool ecdsa_verify_legacy(const ecdsa_verify_context_t *ctx, const ecc_25519_work ++ ecc_25519_work_t s2, work; ++ ecc_int256_t w, tmp; ++ +++ // Signature was detected as invalid in prepare step +++ if (ecc_25519_gf_is_zero(&ctx->r)) +++ return false; +++ ++ ecc_25519_scalarmult(&s2, &ctx->u2, pubkey); ++ ecc_25519_add(&work, &ctx->s1, &s2); ++ ecc_25519_store_xy_legacy(&w, NULL, &work); ++-- ++2.36.0 ++ From 7332d33775aaeec410a4c4b65b3ee1833ce32410 Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Wed, 4 May 2022 20:01:53 +0200 Subject: [PATCH 2/4] docs: releases/v2021.1.2: describe autoupdater security issue --- docs/releases/v2021.1.2.rst | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/docs/releases/v2021.1.2.rst b/docs/releases/v2021.1.2.rst index 01122fa7c0..67bd99e162 100644 --- a/docs/releases/v2021.1.2.rst +++ b/docs/releases/v2021.1.2.rst @@ -4,6 +4,9 @@ Gluon 2021.1.2 (unreleased) Important notes --------------- +This release fixes a **critical security vulnerability** in Gluon's +autoupdater. + Upgrades to v2021.1 and later releases are only supported from releases v2018.2 and later. Migration code for upgrades from older versions has been removed to simplify maintenance. @@ -23,11 +26,30 @@ log. Bugfixes -------- -* **[SECURITY]** This release will fix a critical security vulnerability +* **[SECURITY]** Autoupdater: Fix signature verification + + A recently discovered issue (CVE-2022-24884) in the *ecdsautils* package + allows forgery of cryptographic signatures. This vulnerability can be + exploited to create a manifest accepted by the autoupdater without knowledge + of the signers' private keys. By intercepting nodes' connections to the update + server, such a manifest allows to distribute malicious firmware updates. + + This is a **critical** vulnerability. All nodes with autoupdater must be + updated. Requiring multiple signatures for an update does *not* mitigate the + issue. + + As a temporary workaround, the issue can be mitigated on individual nodes by + disabling the autoupdater via config mode or using the following commands:: + + uci set autoupdater.settings.enabled=0 + uci commit autoupdater + + A fixed firmware should be installed manually before enabling the autoupdater + again. - This bugfix has not been pushed to the public Gluon repository yet to avoid - disclosing information on the issue. A detailed advisory will be published at - the same time as the Gluon release. + See security advisory `GHSA-qhcg-9ffp-78pw + `_ + for further information on this vulnerability. * **[SECURITY]** Config Mode: Prevent Cross-Site Request Forgery (CSRF) From 6ccad98fc0199a9477aaa3547c60189ef4396c03 Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Wed, 4 May 2022 20:08:04 +0200 Subject: [PATCH 3/4] Update copyright years --- LICENSE | 2 +- docs/conf.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/LICENSE b/LICENSE index d6f40ac882..e134aa41a3 100644 --- a/LICENSE +++ b/LICENSE @@ -1,7 +1,7 @@ The code of Project Gluon may be distributed under the following terms, unless noted otherwise in individual files or subtrees. -Copyright (c) 2013-2021, Project Gluon +Copyright (c) 2013-2022, Project Gluon All rights reserved. Redistribution and use in source and binary forms, with or without diff --git a/docs/conf.py b/docs/conf.py index 82c556c996..75db04d725 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -20,7 +20,7 @@ # -- Project information ----------------------------------------------------- project = 'Gluon' -copyright = '2015-2021, Project Gluon' +copyright = '2015-2022, Project Gluon' author = 'Project Gluon' # The short X.Y version From dcfa4522b3fc22f8a41f1e7372ca8000917f61d4 Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Wed, 4 May 2022 20:08:17 +0200 Subject: [PATCH 4/4] Gluon v2021.1.2 --- README.md | 2 +- docs/conf.py | 2 +- docs/releases/v2021.1.2.rst | 4 ++-- docs/site-example/site.conf | 2 +- docs/user/getting_started.rst | 4 ++-- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 6ea7f98f04..188b9f466c 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ the future development of Gluon. Please refrain from using the `master` branch for anything else but development purposes! Use the most recent release instead. You can list all releases by running `git tag` -and switch to one by running `git checkout v2021.1.1 && make update`. +and switch to one by running `git checkout v2021.1.2 && make update`. If you're using the autoupdater, do not autoupdate nodes with anything but releases. If you upgrade using random master commits the nodes *will break* eventually. diff --git a/docs/conf.py b/docs/conf.py index 75db04d725..6ea46f2e7f 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -24,7 +24,7 @@ author = 'Project Gluon' # The short X.Y version -version = '2021.1.1' +version = '2021.1.2' # The full version, including alpha/beta/rc tags release = version diff --git a/docs/releases/v2021.1.2.rst b/docs/releases/v2021.1.2.rst index 67bd99e162..70667555fc 100644 --- a/docs/releases/v2021.1.2.rst +++ b/docs/releases/v2021.1.2.rst @@ -1,5 +1,5 @@ -Gluon 2021.1.2 (unreleased) -=========================== +Gluon 2021.1.2 +============== Important notes --------------- diff --git a/docs/site-example/site.conf b/docs/site-example/site.conf index 0332a8d969..0f4089d416 100644 --- a/docs/site-example/site.conf +++ b/docs/site-example/site.conf @@ -1,4 +1,4 @@ --- This is an example site configuration for Gluon v2021.1.1 +-- This is an example site configuration for Gluon v2021.1.2 -- -- Take a look at the documentation located at -- https://gluon.readthedocs.io/ for details. diff --git a/docs/user/getting_started.rst b/docs/user/getting_started.rst index 7fb7b37efe..323eef616c 100644 --- a/docs/user/getting_started.rst +++ b/docs/user/getting_started.rst @@ -8,7 +8,7 @@ Gluon's releases are managed using `Git tags`_. If you are just getting started with Gluon we recommend to use the latest stable release of Gluon. Take a look at the `list of gluon releases`_ and notice the latest release, -e.g. *v2021.1.1*. Always get Gluon using git and don't try to download it +e.g. *v2021.1.2*. Always get Gluon using git and don't try to download it as a Zip archive as the archive will be missing version information. Please keep in mind that there is no "default Gluon" build; a site configuration @@ -50,7 +50,7 @@ Building the images ------------------- To build Gluon, first check out the repository. Replace *RELEASE* with the -version you'd like to checkout, e.g. *v2021.1.1*. +version you'd like to checkout, e.g. *v2021.1.2*. ::