[Caml-list] OCaml vs CVE-2017-9779

[Caml-list] OCaml vs CVE-2017-9779

[Evgeny Roubinchtein]

[-- Attachment #1: Type: text/plain, Size: 1189 bytes --]

Dear OCaml users and developers,

My current employer ships an executable whose source code is written in
OCaml, and is trying to understand the security implications and mitigating
actions (if any) of CVE-2017-9779.   For the purposes of this discussion,
only the native code compiler (ocamlopt) is relevant.

The questions I would hope to get answers to are:

1. Which versions of the OCaml compiler produce executables which are
affected by the vulnerability/ies described in CVE-2017-9779?

2. What mitigation/s (if any) are suggested?

I will point out that my current employer and I are pretty confident that
we understand the issues described by CVE-2017-9772; the assumption we are
operating under is that there is a separate issue/issues that are different
from the issues covered in CVE-2017-9772.

If you would like to continue the discussion off-list, or would like to
encrypt further communication on this subject, or would like to see
non-disclosure agreements  signed in triplicate and delivered by bactrian
camels, please let me know what your requirements are: I will so inform my
employer and we'll try to accommodate.

Thank you in advance!

-- 
Best,
Evgeny ("Zhenya")

[-- Attachment #2: Type: text/html, Size: 1595 bytes --]

Re: [Caml-list] OCaml vs CVE-2017-9779

[Daniel Bünzli]

On 31 January 2018 at 02:43:28, Evgeny Roubinchtein (zhenya1007@gmail.com) wrote:

> 1. Which versions of the OCaml compiler produce executables which are
> affected by the vulnerability/ies described in CVE-2017-9779?

4.04.0 and 4.04.1

> 2. What mitigation/s (if any) are suggested?

Unless you can control the environment an prevent use of CAML_CPLUGINS and CAML_NATIVE_CPLUGINS I'm not sure there's any except avoiding using the compilers above. Note that the escalation affects only setuid binaries.

For reference here's the discussion about the bug:

  https://caml.inria.fr/mantis/view.php?id=7557

the commit that introduced the vulnerability:

  https://github.com/ocaml/ocaml/pull/668/commits/6a83bdd5937522efeeff496349c22bcb2f832866

and the resolution:

  https://github.com/ocaml/ocaml/commit/850021c200c7507f2a928a66fa1291ff4ae3a622
  https://github.com/ocaml/ocaml/pull/1213

Best, 

Daniel

RE: [Caml-list] OCaml vs CVE-2017-9779

[David Allsopp]

Daniel Bünzli wrote:
> On 31 January 2018 at 02:43:28, Evgeny Roubinchtein
> (zhenya1007@gmail.com) wrote:
> 
> > 1. Which versions of the OCaml compiler produce executables which are
> > affected by the vulnerability/ies described in CVE-2017-9779?
> 
> 4.04.0 and 4.04.1
>
> > 2. What mitigation/s (if any) are suggested?
> 
> Unless you can control the environment an prevent use of CAML_CPLUGINS
> and CAML_NATIVE_CPLUGINS I'm not sure there's any except avoiding using
> the compilers above. Note that the escalation affects only setuid
> binaries.
> 
> For reference here's the discussion about the bug:
> 
>   https://caml.inria.fr/mantis/view.php?id=7557
> 
> the commit that introduced the vulnerability:
> 
>   https://github.com/ocaml/ocaml/pull/668/commits/6a83bdd5937522efeeff496349c22bcb2f832866
> 
> and the resolution:
> 
>   https://github.com/ocaml/ocaml/commit/850021c200c7507f2a928a66fa1291ff4ae3a622
>   https://github.com/ocaml/ocaml/pull/1213

The information you've posted here refers to CVE-2017-9772, not CVE-2017-9779. There's a discussion on caml-devel in progress at the moment which should yield a reply to this shortly!


David

RE: [Caml-list] OCaml vs CVE-2017-9779

[David Allsopp]

Evgeny Roubinchtein wrote:
> Dear OCaml users and developers,
> My current employer ships an executable whose source code is written in OCaml,
> and is trying to understand the security implications and mitigating actions
> (if any) of CVE-2017-9779.   For the purposes of this discussion, only the
> native code compiler (ocamlopt) is relevant.
> 
> The questions I would hope to get answers to are:
>
> 1. Which versions of the OCaml compiler produce executables which are affected
> by the vulnerability/ies described in CVE-2017-9779?

All versions prior to 4.04.2 (that's "All" as in "since 1.00", not just "4.04.0 and 4.04.1").

> 2. What mitigation/s (if any) are suggested?

The issue only affects bytecode executables linked in custom runtime mode where there is a limited attack possible on CAML_DEBUG_SOCKET. Since you're using ocamlopt, you're fine.

Note that we updated the manual for 4.05.0 in GPR#1213 (https://github.com/ocaml/ocaml/pull/1213/files#diff-d79da36dce83d24f7fd0cadefe8c97a1R319) to note that custom runtime bytecode executables should never be setuid or setgid.

Sorry for the delay with the reply - it turns out several of us developers involved in the discussion had taken out non-disclosure agreements with our own memories. The CVE was reserved when it was thought that attack allowed arbitrary privilege escalation, but when we determined it wasn't that serious, we released with just CVE-2017-9772 (which affects ocamlc and ocamlopt but in 4.04.0 and 4.04.1 *only*). We've forgotten to update the CVE text itself, which we're now in the process of dealing with.

All best,


David (on behalf of the OCaml devs)