Security vulnerability in Geary: Invalid server certificates accepted silently

Geary is a nice looking mail client for Linux / Gnome users.

We identified a vulnerability in Geary during some recent testing related to Subgraph OS, Mail and Nyms. Thankfully the maintainer responded to our report really quickly and there has already been a patch committed and backported. There are updated tarballs on the Geary homepage and hopefully distro upgrades will be available soon.

Here are the details on CVE-2014-5444:

When Geary connects to any server endpoint over SSL/TLS (IMAPS, SMTPS, IMAP + STARTTLS, SMTP + STARTTLS), it doesn’t act on certificate validation errors, which are detected but ignored. Further, the user is not even made aware when certificate validation fails except when Geary is run with optional debug output via the -d command-line switch.

In all validation failure cases the user credentials are transmitted to the server. This creates an effective attack to harvest user email passwords through active interception.

Geary is fairly identifiable on the wire, meaning that an adversary in a position to perform the attack can do so selectively, reducing the likelihood of detection if another, non-vulnerable mail client is intercepted.

One way to fingerprint Geary is to observe the IMAP IDLE refresh frequency, which occurs every 30 seconds. This is unusually short compared to the maximum IDLE limit of 30 minutes and the default behavior of other clients (Evolution: 10 minutes, Thunderbird: 10 minutes, Claws Mail: 5 minutes).

If exploited, an interception attack would not be perceptible to most users.

Here’s the problematic code; take note of the TODO in engine/api/geary-endpoint.vala:

    private bool report_tls_warnings(string cx_type, TlsCertificateFlags warnings) {
        // TODO: Report or verify flags with user, but for now merely log for informational/debugging
        // reasons and accede
        message("%s TLS warnings connecting to %s: %Xh (%s)", cx_type,
            to_string(), warnings, tls_flags_to_string(warnings));

        return true;
    }
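As an added illustration (not Geary’s code), here is the same decision modelled in Python: the vulnerable version logs and accedes exactly as above, while a hardened version refuses any validation failure unless the user has explicitly pinned that certificate’s fingerprint for the endpoint, and credentials are only handed over once the peer is accepted. The flag bit values follow GLib’s GTlsCertificateFlags; the pin store, sample endpoint and certificate bytes are constructed for the example.

```python
from enum import IntFlag
import hashlib
import logging

class TlsCertificateFlags(IntFlag):
    """Bit values as in GLib's GTlsCertificateFlags (what Geary's %Xh prints)."""
    UNKNOWN_CA = 1 << 0
    BAD_IDENTITY = 1 << 1
    NOT_ACTIVATED = 1 << 2
    EXPIRED = 1 << 3
    REVOKED = 1 << 4
    INSECURE = 1 << 5
    GENERIC_ERROR = 1 << 6

def tls_flags_to_string(warnings: int) -> str:
    """Decode a flag word, e.g. 0x03 -> 'UNKNOWN_CA|BAD_IDENTITY'."""
    names = [f.name for f in TlsCertificateFlags if warnings & f.value]
    return "|".join(names) or "NONE"

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

def report_tls_warnings_vulnerable(cx_type, endpoint, warnings):
    """CVE-2014-5444 behaviour: log (only shown with -d) and accede regardless."""
    logging.debug("%s TLS warnings connecting to %s: %Xh (%s)", cx_type,
                  endpoint, warnings, tls_flags_to_string(warnings))
    return True

def report_tls_warnings_fixed(cx_type, endpoint, warnings, cert_der, pinned):
    """Refuse on any validation failure unless the user pinned this exact
    certificate for this endpoint (a simple TOFU allow-list; an assumption of
    this example, not Geary's design)."""
    if warnings == 0:
        return True
    if pinned.get(endpoint) == fingerprint(cert_der):
        logging.info("%s: pinned certificate for %s accepted despite %s",
                     cx_type, endpoint, tls_flags_to_string(warnings))
        return True
    logging.warning("%s: refusing %s, certificate failed validation: %s",
                    cx_type, endpoint, tls_flags_to_string(warnings))
    return False

def connect_and_login(report_fn, credentials, *args):
    """Credentials may leave the client only after report_fn accepts the peer;
    returns what would be written to the socket, or None when refused."""
    return credentials if report_fn(*args) else None

# Constructed sample: an endpoint whose presented certificate fails hostname matching.
ENDPOINT = "imap.example.com:993"
FAKE_CERT = b"constructed DER bytes, not a real certificate"
```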

It turns out that this is not an issue unknown to the developers; there is an open ticket that goes as far back as 2012. Our report prompted them to prioritize a fix. Big thank you to Geary developer Jim Nelson for acknowledging that this is a serious vulnerability for Geary users, some of whom are exposed to a high risk of active network interference.


Spring update

Vega 1.0

A 1.0 RC build has been available for download for a couple of weeks. We recommend that beta users download the newest version of Vega at:

http://www.subgraph.com/vega_download.php

Note: If you were using the Vega beta, you need to clear your workspace (back it up if necessary) before starting the new version. Once the new version is installed, reset both perspectives to ensure that the UI layout is refreshed.

We’re still working on a few things, so we’re reluctant to call this 1.0 – but it’s close. Try it. Report any bugs. It’s also in Kali Linux.

Documentation has Moved

We’ve moved the documentation and bug reporting over to Github. No more trac.

The Vega Wiki is now here:

https://github.com/subgraph/Vega/wiki

Be sure to check out the user guides:

Bug Reports & Feature Requests via Github Issues

Bug reports and feature requests should also be reported via Github:

https://github.com/subgraph/Vega/issues

Northsec, ConFoo, and the Vega 1.0 release

Subgraph sponsoring Northsec

Subgraph is pleased to announce we are a sponsor of Northsec, a CTF to be held in Montreal April 5-7.


Vega 1.0 Release: March 1, 2013

We will be presenting at ConFoo next week to announce the release of Vega 1.0. Be sure to catch our presentation on Friday, March 1, at 2:30pm.


Some of the features in the 1.0 release include:

  • Active proxy scanner
  • Greatly improved detections
  • Greatly improved support for authenticated scanning
  • API enhancements
  • HTTP message viewer enhancements

Some of the features in the 1.0 release are summarized (with screenshots) in our Countermeasure 2012 presentation.

The Countermeasure 2012 presentation can be downloaded here.

A more in-depth walk-through can be found in issue #9 of HITB Magazine:

http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-009.pdf

More soon.

Black Hat Arsenal 2012

Writing this post from a taxi in Montreal on its way to the airport. Hugo and I are headed to Black Hat 2012 / Defcon in Las Vegas. We’ll be demonstrating the pre-release version of Vega at Black Hat Arsenal on the 25th and 26th, pod #5 at 3:30pm on both days.

We’ll show some new features and have freshly cut stickers to give away.

Come say hello!


Vega Module Development: Highlighting in Requests and Responses

We’ve just added a feature that helps users better understand scan results. For each alert, Vega can now pinpoint for the user exactly where and what it found.

Some background

Vega vulnerability checks are written in JavaScript. Anyone can write one. These modules are run both passively and actively as Vega finds content it wants to scan.

Vega modules report findings by generating alerts. In doing so, they save the relevant HTTP request and response objects for review by the user. Within the alert is a link to view these saved HTTP messages in the message viewer (see below).

Request link in an alert

For the user

The module developer can now specify an interesting string within the HTTP message. When opened through the link in the alert shown above, the Vega message viewer will scroll to the matching location and highlight the substring, making it immediately apparent to the user what the module found. Screen below:

Module development: response highlighting

For the module developer

The API support for this is simple: there are two methods that can be called from the context object:

ctx.addStringHighlight()

ctx.addRegexHighlight()

If you grab the code from our repository, we’ve added this functionality to two modules (vinfo-paths.js and vinfo-feeds.js). These examples show how simple it is:

API support

We’ll be updating all existing and new modules so that they use this feature. We’ll also be adding UI support for viewing multiple matches.

Let us know what you think.

Happy Birthday Vega

Vega Launch at FISL12 – Photo by Christian Guerreiro

One year ago today we launched the Vega beta at FISL 12. A lot has happened in the past year.

  • Vega was included in BackTrack 5R1, the security testing Linux distribution downloaded millions of times.
  • We have received lots of great feedback from our beta users.
  • We fared well (for a beta!) in a rigorous comparison of many commercial and free/open source security tools.
  • We were at OSCON, AppSecUSA, Confoo, and threw the best REcon to date.
  • Vega was the topic of a lengthy article in issue #33 of Insecure Magazine. Some of the new features coming are described there in detail.

We’ve also been busy with services work: penetration tests, code reviews, reverse engineering. We do this to help fund the development of Vega.

So we’re now excited to announce that we’ve been working on a new release. The release will fix many bugs, and some of the new features include:

Automating Web Application Login

Vega now allows you to store authentication credentials as an ‘identity’ so that Vega can log in automatically during a scan. This includes basic, digest, and NTLM credentials.

For authenticating using forms, it is possible to associate stored login requests seen by the proxy with an identity. Vega can then replay those to log in when starting a scan.

Vega supports creation of ‘identities’ for scanning with authentication.

Adding a Login Request to a Macro

In the screenshot below, the user simply logs into the application through the Vega proxy, and then selects the stored login request during the creation of the macro. Binding this to an identity and then using the identity during a scan will let the scanner log itself in automatically prior to starting a scan.

Selecting requests for the macro identity.

Message Viewer Improvements

We’ve also cleaned up the message viewer, making the rendering nicer and adding small touches like searching (Ctrl-F) and menu-based copy and paste (right mouse click menu). For the module developer, it will be possible to tell the message viewer what to highlight and where to scroll to when a request is accessed through an alert.

Cleaner rendering in message viewer. Search, copy/paste, module-specified highlighting.

Module Refresh

Finally, we are doing a complete module refresh. This means existing modules will be made more reliable and efficient. And we have several new modules under development.

What’s next?

We don’t have a fixed date for the release – but it will be soon. You can always build from source if you want access to some of these features sooner. They’re in the develop branch of our github repository. Contact us if you’d like to help us test new features and we’ll make a special build if you are using Windows or OS X. Talk to us on IRC (freenode) in #subgraph.

Finally

We’ll be presenting Vega at Black Hat Arsenal 2012 in Las Vegas. Be sure to stop by and say hello if you’re going to be there.