Vega SSL/TLS Configuration Probes: Detecting POODLE and Other Issues

We recently added a feature in Vega: probing HTTPS server configuration settings for issues that have implications for user and application security.

Vega now attempts to detect and will alert on the following issues:

  • SSLv2, SSLv3 (POODLE) support
  • Certificate analysis: SHA-1, MD5, key size
  • Server/client ciphersuite preference
  • Forward secrecy support and prioritization
  • RC4
  • Cipher suite enumeration
  • Identification of weak / export-grade cipher suites and anonymous Diffie-Hellman
  • TLS compression (susceptibility to CRIME attacks)

The probes occur before the crawler is started and will run for every HTTPS server target. Full details on the HTTPS audit will be output to the console after the probes have finished running.
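The list above is easier to reason about as explicit rules. The following is an added example, not Vega's code: it applies the same checks to a constructed summary of what a probe learns from one endpoint (protocols accepted, the server's cipher-suite preference order, certificate signature algorithm and key size, TLS compression). The cipher-name regexes, key-size thresholds and finding identifiers are the example's own assumptions; suite names follow OpenSSL conventions.

```python
import re
from dataclasses import dataclass

# Cipher-suite classification (OpenSSL names). These regexes are this
# example's own rules, not Vega's.
RC4_RE = re.compile(r"(^|-)RC4(-|$)")
EXPORT_RE = re.compile(r"^EXP(ORT)?-|^EXP\d")   # export-grade (40/56-bit) suites
ANON_RE = re.compile(r"^A(EC)?DH-")             # anonymous (EC)DH: no server authentication
NULL_RE = re.compile(r"NULL")                   # NULL encryption or NULL MAC
FS_RE = re.compile(r"^(ECDHE|DHE|EDH)-")        # ephemeral key exchange -> forward secrecy

WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "EC": 224}   # assumed minimums


@dataclass
class ScanResult:
    """Constructed summary of what a probe learned from one HTTPS endpoint."""
    protocols: list                 # protocol versions the server accepted
    server_cipher_order: list       # accepted suites, in the server's preference order
    honors_server_preference: bool  # server picked its own favourite over the client's
    cert_sig_alg: str               # certificate signature algorithm (OpenSSL long name)
    cert_key_type: str              # "RSA", "DSA" or "EC"
    cert_key_bits: int
    compression: bool               # TLS-level compression was negotiated


def classify_suite(name):
    """Return the set of security-relevant properties of one cipher suite."""
    props = set()
    if RC4_RE.search(name):
        props.add("rc4")
    if EXPORT_RE.search(name):
        props.add("export")
    if ANON_RE.search(name):
        props.add("anon")
    if NULL_RE.search(name):
        props.add("null")
    if FS_RE.search(name):
        props.add("fs")
    return props


def audit(r):
    """Apply the checks and return a list of (check_id, detail) findings."""
    findings = []
    for proto in ("SSLv2", "SSLv3"):
        if proto in r.protocols:
            findings.append((proto.lower(), f"{proto} accepted"))
    if r.cert_sig_alg in WEAK_SIG_ALGS:
        findings.append(("weak-signature", r.cert_sig_alg))
    if r.cert_key_bits < MIN_KEY_BITS.get(r.cert_key_type, 2048):
        findings.append(("small-key", f"{r.cert_key_type} {r.cert_key_bits} bits"))
    if not r.honors_server_preference:
        findings.append(("client-preference", "server lets the client choose the suite"))
    props = [classify_suite(s) for s in r.server_cipher_order]
    fs_positions = [i for i, p in enumerate(props) if "fs" in p]
    if not fs_positions:
        findings.append(("no-fs", "no ephemeral key exchange offered"))
    elif fs_positions[0] != 0 or not r.honors_server_preference:
        # Forward secrecy is available but a non-FS suite wins the negotiation.
        findings.append(("fs-not-prioritized", r.server_cipher_order[0]))
    for suite, p in zip(r.server_cipher_order, props):
        for prop, check in (("rc4", "rc4"), ("export", "export"),
                            ("anon", "anon-dh"), ("null", "null")):
            if prop in p:
                findings.append((check, suite))
    if r.compression:
        findings.append(("compression", "TLS compression enabled (CRIME)"))
    return findings


# Constructed inputs: one deliberately weak configuration, one clean one.
WEAK_SAMPLE = ScanResult(
    protocols=["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"],
    server_cipher_order=["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256",
                         "RC4-SHA", "EXP-RC4-MD5", "ADH-AES128-SHA"],
    honors_server_preference=True,
    cert_sig_alg="sha1WithRSAEncryption", cert_key_type="RSA", cert_key_bits=1024,
    compression=True)

GOOD_SAMPLE = ScanResult(
    protocols=["TLSv1.2"],
    server_cipher_order=["ECDHE-RSA-AES128-GCM-SHA256",
                         "ECDHE-RSA-AES256-GCM-SHA384", "AES128-GCM-SHA256"],
    honors_server_preference=True,
    cert_sig_alg="sha256WithRSAEncryption", cert_key_type="RSA", cert_key_bits=2048,
    compression=False)

if __name__ == "__main__":
    for check, detail in audit(WEAK_SAMPLE):
        print(f"{check:20s} {detail}")
```

Note that "forward secrecy prioritized" requires two things together: an ephemeral suite at the top of the server's list and the server actually enforcing its own order; either one alone still lets a downgrade-capable client land on a static-RSA suite.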

This is still a work in progress, so consider it a beta release. The Vega HTTPS server configuration probing will be more comprehensive, reliable, and configurable in the future.

Download a new build from our website to try it out.

Subgraph Vega module for Bash Environment Variable OS Command Injection Vulnerability (CVE-2014-6271)

Today, a critical and trivially remotely exploitable vulnerability was announced in bash. To help users of our Vega web application scanner identify this vulnerability, we have released a basic standalone module to detect it in web applications.

The module works by injecting test cases into certain HTTP header values as well as any web application form/query parameters. This should be adequate to detect this vulnerability in CGI setups where HTTP header values are turned into bash environment variables while also detecting cases where user-supplied input is passed through functions that spawn subshells such as system(), exec(), popen() in various languages. We will refine the module as more information becomes available and we are able to test it more.
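The same observation drives detection on the server side: a CGI host exports request-line and header values as environment variables, so a probe of this kind leaves the bash function-definition prefix in the access log. The following added example (not the Vega module, and not Subgraph's code) scans constructed combined-format log lines for that prefix in the request, Referer and User-Agent fields, URL-decoding the request line first because the query string usually arrives percent-encoded. The signature regex and the log lines are this example's own.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" log format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The function-definition prefix that CVE-2014-6271 turned into code
# execution when it appeared in an environment variable. This signature is
# the example's own, not the Vega module's.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Request-derived fields a CGI server exports into the environment
# (REQUEST_URI/QUERY_STRING, HTTP_REFERER, HTTP_USER_AGENT).
SCANNED_FIELDS = ("request", "referer", "ua")

# Constructed sample log: one probe in the User-Agent header, one benign
# request, one probe carried percent-encoded in the query string and in the
# Referer header.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Sep/2014:14:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo constructed-probe"
198.51.100.22 - - [24/Sep/2014:14:02:15 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [24/Sep/2014:14:03:40 +0000] "GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%7D%3B%20%2Fbin%2Ftrue HTTP/1.1" 200 512 "() { ignored; }; echo referer" "curl/7.35.0"
"""


def normalize(field, value):
    """Undo the encoding the field is normally logged with."""
    return unquote(value) if field == "request" else value


def scan_line(line):
    """Return a hit record for one log line, or None if it is clean."""
    m = COMBINED_RE.match(line)
    if not m:
        return None   # not combined format; a real pipeline would count these
    hits = [f for f in SCANNED_FIELDS
            if SHELLSHOCK_RE.search(normalize(f, m.group(f)))]
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "fields": hits, "request": m.group("request")}


def find_shellshock_attempts(log_text):
    """Scan a whole log and return the hit records in order."""
    return [hit for hit in (scan_line(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} fields={hit["fields"]} {hit["request"]}')
```

Only fields that reach the environment are inspected here; in practice every request header becomes an HTTP_* variable, so a log format that records more headers widens the coverage accordingly.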

This module is a good example of the power of Vega to quickly create proofs-of-concept in JavaScript using the module API.

The module can be obtained here. It can be installed simply by adding it to the ‘vega/scripts/scanner/modules/injection/’ directory.

If you are not a Vega user, you can download it here or build it from source. We will soon bundle this module into our release tarball.

Due to the seriousness of this vulnerability, we also strongly advise everybody to install patches immediately.

Security vulnerability in Geary: Invalid server certificates accepted silently

Geary is a nice-looking mail client for Linux / GNOME users.

We identified a vulnerability in Geary during some recent testing related to Subgraph OS, Mail and Nyms. Thankfully the maintainer responded to our report really quickly and there has already been a patch committed and backported. There are updated tarballs on the Geary homepage and hopefully distro upgrades will be available soon.

Here are the details on CVE-2014-5444:

When Geary connects to any server endpoint over SSL/TLS (IMAPS, SMTPS, IMAP + STARTTLS, SMTP + STARTTLS), it doesn’t act on certificate validation errors, which are detected but ignored. Further, the user is not even made aware when certificate validation fails except when Geary is run with optional debug output via the -d command-line switch.

In all validation failure cases the user credentials are transmitted to the server. This creates an effective attack to harvest user email passwords through active interception.

Geary is fairly identifiable on the wire, meaning that an adversary in a position to perform the attack can do so selectively, reducing the likelihood of detection if another, non-vulnerable mail client is intercepted.

One way to fingerprint Geary is to observe the IMAP IDLE refresh frequency, which occurs every 30 seconds. This is unusually short compared to the maximum IDLE limit of 30 minutes and the default behavior of other clients (Evolution: 10 minutes, Thunderbird: 10 minutes, Claws Mail: 5 minutes).

If exploited, an interception attack would not be perceptible to most users.

Here’s the problematic code, take note of the TODO in engine/api/geary-endpoint.vala:

    private bool report_tls_warnings(string cx_type, TlsCertificateFlags warnings) {
        // TODO: Report or verify flags with user, but for now merely log for informational/debugging
        // reasons and accede
        message("%s TLS warnings connecting to %s: %Xh (%s)", cx_type,
            to_string(), warnings, tls_flags_to_string(warnings));

        return true;
    }
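The defect is entirely in the return value: the validation flags are computed and logged, then discarded. The following added example (not Geary's code and not its actual patch) models the same decision in Python, with the flag values mirroring GLib's GTlsCertificateFlags, which is the type the Vala function receives. The vulnerable variant reproduces the "log and accede" behaviour; the hardened variant refuses the connection on any flag unless the user has explicitly pinned that exact certificate, a policy that is this example's assumption. A client-context builder shows the equivalent settings for Python's ssl module.

```python
import ssl
from enum import IntFlag


class TlsCertificateFlags(IntFlag):
    """Values follow GLib's GTlsCertificateFlags."""
    UNKNOWN_CA = 1 << 0      # chain does not end at a trusted CA
    BAD_IDENTITY = 1 << 1    # certificate does not match the host we dialled
    NOT_ACTIVATED = 1 << 2
    EXPIRED = 1 << 3
    REVOKED = 1 << 4
    INSECURE = 1 << 5        # weak algorithm
    GENERIC_ERROR = 1 << 6


def tls_flags_to_string(warnings):
    """Render a flag set as names, in the spirit of Geary's helper."""
    names = [f.name for f in TlsCertificateFlags if warnings & f]
    return ", ".join(names) or "none"


def _log(cx_type, endpoint, warnings):
    print(f"{cx_type} TLS warnings connecting to {endpoint}: "
          f"{int(warnings):X}h ({tls_flags_to_string(warnings)})")


def report_tls_warnings_vulnerable(cx_type, endpoint, warnings):
    """Behaviour described above: log, then proceed regardless of the flags,
    so credentials are sent to whoever presented the certificate."""
    _log(cx_type, endpoint, warnings)
    return True


def report_tls_warnings_fixed(cx_type, endpoint, warnings,
                              pinned_fingerprint=None, presented_fingerprint=None):
    """Hardened policy (this example's): connect only when validation passed,
    or when the user has pinned exactly this certificate beforehand."""
    if not warnings:
        return True
    _log(cx_type, endpoint, warnings)
    if pinned_fingerprint is not None and pinned_fingerprint == presented_fingerprint:
        return True      # explicit, per-certificate user exception
    return False         # any other validation failure aborts before auth


def client_context():
    """The ssl-module equivalent: CA verification and hostname checking on,
    modern protocol floor. create_default_context() already sets the first two;
    they are restated so the policy is visible in one place."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    bad = TlsCertificateFlags.UNKNOWN_CA | TlsCertificateFlags.BAD_IDENTITY
    print("vulnerable proceeds:", report_tls_warnings_vulnerable("IMAP", "imap.example", bad))
    print("fixed proceeds:", report_tls_warnings_fixed("IMAP", "imap.example", bad))
```

With BAD_IDENTITY or UNKNOWN_CA set, the hardened variant returns before any authentication command is sent, which is the property the original code lacked.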

It turns out that this is not an issue unknown to the developers, there is an open ticket that goes as far back as 2012. Our report prompted them to prioritize a fix. Big thank you to Geary developer Jim Nelson for acknowledging that this is a serious vulnerability for Geary users, some of whom are exposed to a high risk of active network interference.

Spring update

Vega 1.0

A 1.0 RC build has been available for download for a couple of weeks. We recommend that beta users download the newest version of Vega at:

http://www.subgraph.com/vega_download.php

Note: If you were using the Vega beta, you need to clear your workspace (back it up if necessary) before starting the new version. Once the new version is installed, reset both perspectives to ensure that the UI layout is refreshed.

We’re still working on a few things, so we’re reluctant to call this 1.0 – but it’s close. Try it. Report any bugs. It’s also in Kali Linux.

Documentation has Moved

We’ve moved the documentation and bug reporting over to Github. No more trac.

The Vega Wiki is now here:

https://github.com/subgraph/Vega/wiki

Be sure to check out the user guides there.

Bug Reports & Feature Requests via Github Issues

Bug reports and feature requests should also be reported via Github:

https://github.com/subgraph/Vega/issues

Northsec, ConFoo, and the Vega 1.0 release

Subgraph sponsoring Northsec

Subgraph is pleased to announce we are a sponsor of Northsec, a CTF to be held in Montreal April 5-7.

Vega 1.0 Release: March 1, 2013

We will be presenting at ConFoo next week to announce the release of Vega 1.0. Be sure to catch our presentation on Friday, March 1, at 2:30pm.

Some of the features in the 1.0 release include:

  • Active proxy scanner
  • Greatly improved detections
  • Greatly improved support for authenticated scanning
  • API enhancements
  • HTTP message viewer enhancements

Some of the features in the 1.0 release are summarized (with screenshots) in our Countermeasure 2012 presentation.

The Countermeasure 2012 presentation can be downloaded here.

A more in-depth walk-through can be found in issue #9 of HITB Magazine:

http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-009.pdf

More soon.