Bug 1158227 - pcsd should not accept SSLv2 and v3
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pcs
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Tomas Jelinek
QA Contact: michal novacek
Reported: 2014-10-28 21:17 UTC by Cedric Buissart 🐶
Modified: 2015-03-05 09:20 UTC (History)

Fixed In Version: pcs-0.9.135-1.el7
Doc Type: Bug Fix
Doc Text:
Cause: pcsd accepts SSLv3 and SSLv2 connections.
Consequence: pcsd is possibly vulnerable to the POODLE attack and other attacks using SSLv2 and SSLv3.
Fix: Deny SSLv2 and SSLv3 connections in pcsd.
Result: pcsd does not accept SSLv2 or SSLv3 connections.
Last Closed: 2015-03-05 09:20:46 UTC

Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0415 normal SHIPPED_LIVE pcs bug fix and enhancement update 2015-03-05 14:16:41 UTC

Description Cedric Buissart 🐶 2014-10-28 21:17:37 UTC
Description of problem:

To prevent POODLE attacks, the pcsd web front-end should deny SSLv2 and SSLv3 connections

Version-Release number of selected component (if applicable):


How reproducible: 100%


Steps to Reproduce:
1. systemctl start pcsd.service
2. use poodle test shell script

Actual results:
# ./poodle.sh localhost 2224
localhost:2224 - Vulnerable!  SSLv3 connection established using SSLv3/DHE-RSA-AES256-SHA


Expected results:
# ~/poodle.sh localhost 2224
localhost:2224 - Not vulnerable.  Failed to establish SSLv3 connection.



Additional info:
Resolved upstream via the following commit:
https://github.com/feist/pcs/commit/f30067eea36cb346fb24cdc242a0d4ea18e286df

Comment 2 Tomas Jelinek 2014-10-30 11:26:53 UTC
Before Fix:
[root@rh70-node1 ~]# rpm -q pcs
pcs-0.9.115-32.el7.x86_64
[root@rh70-node1:~]# openssl s_client -connect rh70-node1:2224 -quiet -ssl3
depth=0 C = US, ST = MN, L = Minneapolis, O = pcsd, OU = pcsd, CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = MN, L = Minneapolis, O = pcsd, OU = pcsd, CN = localhost
verify return:1
HEAD / HTTP/1.0

HTTP/1.1 303 See Other 
Content-Type: text/html;charset=utf-8
Location: https://rh70-node1:2224/login
Content-Length: 0
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Server: WEBrick/1.3.1 (Ruby/2.0.0/2013-11-22) OpenSSL/1.0.1e
Date: Thu, 30 Oct 2014 11:10:11 GMT
Connection: close

[root@rh70-node1:~]# echo $?
0
[root@rh70-node1:~]# openssl s_client -connect rh70-node1:2224 -quiet -ssl2
depth=0 C = US, ST = MN, L = Minneapolis, O = pcsd, OU = pcsd, CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = MN, L = Minneapolis, O = pcsd, OU = pcsd, CN = localhost
verify return:1
139701542541216:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:452:
[root@rh70-node1:~]# echo $?
1
[root@rh70-node1:~]# ./poodle.sh localhost 2224
localhost:2224 - Vulnerable!  SSLv3 connection established using SSLv3/DHE-RSA-AES256-SHA



After Fix:
[root@rh70-node1:~]# rpm -q pcs
pcs-0.9.135-1.el7.x86_64
[root@rh70-node1:~]# openssl s_client -connect rh70-node1:2224 -quiet -ssl3
140517466339232:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
140517466339232:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
[root@rh70-node1:~]# echo $?
1
[root@rh70-node1:~]# openssl s_client -connect rh70-node1:2224 -quiet -ssl2
write:errno=104
[root@rh70-node1:~]# echo $?
1
[root@rh70-node1:~]# ./poodle.sh localhost 2224
localhost:2224 - Not vulnerable.  Failed to establish SSLv3 connection.
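
The before/after probes in the comment above can be judged from exit status plus captured output. The shell functions below are an added example, not part of the bug report or of pcs; the function names and verdict words are assumptions made here, and the sample outputs are abridged from the transcripts above. The pre-fix `-ssl2` case gets its own verdict because exit status 1 alone hides that certificate lines were printed before the failure.

```shell
#!/bin/sh
# Added example (not from the bug report): classify one
# `openssl s_client -ssl2|-ssl3` probe from exit status and captured output.

# classify_probe STATUS OUTPUT -> prints one verdict word (names are this example's)
classify_probe() {
    if [ "$1" -eq 0 ]; then
        echo accepted                 # handshake completed: protocol is enabled
        return 0
    fi
    case $2 in
        *"alert handshake failure"*) echo rejected-alert ;;
        *"write:errno=104"*)         echo rejected-reset ;;
        # Certificate lines before the error: the server answered the hello.
        *"depth=0"*)                 echo answered-then-failed ;;
        *)                           echo inconclusive ;;
    esac
}

# legacy_verdict SSL2_CLASS SSL3_CLASS -> "pass" only if both probes were refused.
# Counting answered-then-failed as a failure is a conservative choice of this example.
legacy_verdict() {
    for c in "$1" "$2"; do
        case $c in
            rejected-alert|rejected-reset) ;;
            *) echo fail; return 0 ;;
        esac
    done
    echo pass
}

# Sample outputs, abridged from the transcripts in this bug.
BEFORE_SSL3='depth=0 C = US, ST = MN, L = Minneapolis, O = pcsd, OU = pcsd, CN = localhost
verify return:1
HTTP/1.1 303 See Other'
BEFORE_SSL2='depth=0 C = US, ST = MN, L = Minneapolis, O = pcsd, OU = pcsd, CN = localhost
verify return:1
error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:452:'
AFTER_SSL3='error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40'
AFTER_SSL2='write:errno=104'

# Live use (HOST is a placeholder; needs an openssl build that still has -ssl3):
#   out=$(openssl s_client -connect HOST:2224 -ssl3 </dev/null 2>&1)
#   classify_probe "$?" "$out"
```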

Comment 5 michal novacek 2015-01-16 13:36:55 UTC
I have verified that the pcs GUI is not vulnerable to the POODLE attack anymore in
pcs-0.9.137-11.el7.x86_64

---

[root@duck-01 ~]# openssl s_client -connect duck-01:2224 -quiet -ssl3
140149196085152:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140149196085152:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
[root@duck-01 ~]# echo $?
1
[root@duck-01 ~]# openssl s_client -connect duck-01:2224 -quiet -ssl2
write:errno=104
[root@duck-01 ~]# echo $?
1
[root@duck-01 ~]# ./poodle.sh localhost 2224
not vulnerable

Comment 7 errata-xmlrpc 2015-03-05 09:20:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0415.html

