
List:       full-disclosure
Subject:    [FD] Broken mutual tls authentication on bluemix
From:       Oscar Martinez <oscarmrdc () gmail ! com>
Date:       2017-07-28 7:07:57
Message-ID: CAJrZ1ofgxH_XphinBczDX4TvhJXgb7i9MAOq-y7e=0WFFZ91UQ () mail ! gmail ! com

# Date : 07/28/2017
# Author : Oscar Martinez
# Vendor : IBM
# Software : bluemix https://www.ibm.com/cloud-computing/bluemix/

# Vulnerability Description:
You can use routes in your container group to access your server.
If you want to protect it, you can use mutual TLS authentication (
https://developer.ibm.com/apiconnect/2016/07/06/securing-apic-bm-app-mutual-tls/
)
So, to connect to your Bluemix application (a container group with the
route https://<yourdomain>/), the client should have to send its client
certificate. BUT any user CAN access it without the client certificate.

1. Follow
https://developer.ibm.com/apiconnect/2016/07/06/securing-apic-bm-app-mutual-tls/
to set up mutual TLS authentication.
https://<yourdomain> is configured as a custom domain in Bluemix (Bluemix
Dashboard > Manage Organizations > Domains > Add Domain) to force mutual
TLS authentication, and a route with the custom domain is mapped to your
application (Application Overview page > Edit Routes and App Access).

2. Normal behaviour: the user has to send the client certificate
openssl s_client -connect <yourdomain>:443 -servername <yourdomain>

3. Abnormal behaviour: the user does NOT need to send the client certificate
openssl s_client -connect <yourdomain>:443
GET / HTTP/1.0

This is because the Bluemix server that does the routing has 2
certificates, and which one it presents depends on the server name (SNI)
the client sends:
1. CN=*.mybluemix.net (this route doesn't appear in the GUI under container
group routing) and doesn't force the use of the client certificate.
2. The custom uploaded certificate, CN=<yourdomain>, which does.
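The SNI-dependent behaviour described above can be reproduced end to end in a small model. The Go program below is an added example, not code from this advisory, from IBM or from Bluemix: it builds a stand-in router with two in-memory self-signed certificates (a wildcard fallback and a custom-domain certificate, both constructed for the demo), selects between them by SNI the way the advisory describes, and runs the same anonymous probe twice, once with the custom-domain SNI and once with no SNI at all. With `enforceEverywhere=false` the fallback certificate path lets a client that presents no certificate through; with `true`, both paths refuse it. The domain `app.example.test`, the pipe-based in-process transport, the `client-ca` issuer and the banner text are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const customDomain = "app.example.test" // stands in for the advisory's <yourdomain> (constructed)
// selfSigned builds a throwaway in-memory certificate for cn plus a pool that
// trusts it (demo material, not real Bluemix or IBM certificates).
func selfSigned(cn string) (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// routerConfig models a TLS-terminating router that picks settings by SNI: the custom
// domain demands a client cert, the wildcard fallback answers any other or absent name.
func routerConfig(custom, wildcard tls.Certificate, clientCAs *x509.CertPool, enforceEverywhere bool) *tls.Config {
	customCfg := &tls.Config{
		Certificates: []tls.Certificate{custom},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientCAs,
	}
	fallback := &tls.Config{Certificates: []tls.Certificate{wildcard}} // enforceEverywhere=false: the advisory's gap
	if enforceEverywhere { // the fix: no certificate path is left without client auth
		fallback.ClientAuth, fallback.ClientCAs = tls.RequireAndVerifyClientCert, clientCAs
	}
	fallback.GetConfigForClient = func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		if hello.ServerName == customDomain {
			return customCfg, nil
		}
		return nil, nil // nil keeps the fallback config for this connection
	}
	return fallback
}

// anonymousProbe mirrors the advisory's openssl s_client check: connect WITHOUT a client
// certificate, with or without SNI, and report whether backend data came back.
func anonymousProbe(router *tls.Config, sni string, roots *x509.CertPool) bool {
	srvEnd, cliEnd := net.Pipe() // in-process transport instead of a TCP socket
	srvEnd.SetDeadline(time.Now().Add(5 * time.Second)) // safety net: net.Pipe is synchronous
	cliEnd.SetDeadline(time.Now().Add(5 * time.Second))
	go func() {
		defer srvEnd.Close() // close the raw end; a close_notify would block the pipe
		srv := tls.Server(srvEnd, router)
		if srv.Handshake() == nil { // a rejected handshake (e.g. no client cert) ends here
			srv.Write([]byte("PROTECTED-BACKEND\n")) // stand-in backend speaks first, so the probe only reads
		}
	}()
	// sni == "" is s_client without -servername: no SNI at all; the wildcard cert
	// cannot be name-checked then, so this probe skips verification in that case.
	cli := tls.Client(cliEnd, &tls.Config{RootCAs: roots, ServerName: sni, InsecureSkipVerify: sni == ""})
	defer cliEnd.Close()
	if cli.Handshake() != nil {
		return false
	}
	n, err := cli.Read(make([]byte, 64)) // under TLS 1.3 a client-cert rejection surfaces only here
	return err == nil && n > 0
}

// scenario builds one router and reports whether an anonymous client reaches the
// backend with the custom-domain SNI and without any SNI.
func scenario(enforceEverywhere bool) (withSNI, withoutSNI bool) {
	customCert, customRoots := selfSigned(customDomain)
	wildcardCert, _ := selfSigned("*.mybluemix.net") // the shared router certificate the advisory names
	_, clientCAs := selfSigned("client-ca")          // issuer the mTLS route trusts for client certs
	router := routerConfig(customCert, wildcardCert, clientCAs, enforceEverywhere)
	return anonymousProbe(router, customDomain, customRoots), anonymousProbe(router, "", nil)
}

func main() {
	for _, enforce := range []bool{false, true} {
		withSNI, withoutSNI := scenario(enforce)
		fmt.Printf("client cert required on fallback=%-5v  anonymous reaches backend: with SNI=%v, without SNI=%v\n", enforce, withSNI, withoutSNI)
	}
}
```

Run it with `go run`; it prints one line per policy, and only the unhardened fallback path reports the anonymous client reaching the backend. Against a real deployment the equivalent check is the advisory's own pair of `openssl s_client` runs, with and without `-servername`; on OpenSSL 1.1.1 and later, which send SNI by default, the second run needs `-noservername` to omit it. The defensive takeaway is the `enforceEverywhere` branch: every certificate a TLS-terminating router can present for a route must carry the same client-certificate requirement, or connections whose SNI does not match an mTLS route must be refused, otherwise the check lives on only one of the paths to the same backend.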

Time Line
---------
* 06/21/2017: First contact with vendor (
https://www.ibm.com/scripts/contact/contact/us/en/security_vulnerabilities/)
* 06/22/2017: IBM PSIRT assigned PSIRT Advisory <8944>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/