[PUSH-202] SECURITY: Improper Validation of Host-specific Certificate Data - ICEsoft JIRA Issue Tracker

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.2
Fix Version/s: EE-3.2.0.GA, 3.3
Component/s: Push Library
Labels:
None
Environment:
Test

Description

This is a specific case opened up as part of a detailed analysis (~~ICE-8771~~) of a Veracode security report submitted by a customer.

The reported issue was: "Improper Validation of Host-specific Certificate Data"

The details provided by Veracode were:

_In this call to !operator_newarray_initimp(), host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack. Verify that the certificate is valid, matches the requested site, and is signed by a trusted root authority. Generate an error and destroy the connection if any of these conditions are not met._

The relevant class is:

com.icesoft.icepush.C2dmNotificationProvider
void <clinit>(void)"

The task is to review the code to see if there is a potential security issue here and, if there is, fix it.

Issue Links

blocks

ICE-8771 SECURITY: Potential security improvements related to findings from Veracode security scan

Closed

Activity

Ascending order - Click to sort in descending order

Migration created issue - 30/Nov/12 2:07 AM

Ken Fyten made changes - 03/Dec/12 5:37 PM

Field	Original Value	New Value
Summary	Placeholder issue	Improper Validation of Host-specific Certificate Data

Ken Fyten made changes - 03/Dec/12 5:38 PM

Reporter	Migration [ remote ]	Deryk Sinotte [ deryk.sinotte ]
Description	Placeholder issue	I've opened up the following JIRA to review the potential security issue here.

Ken Fyten made changes - 03/Dec/12 5:38 PM

Link

This issue blocks ~~ICE-8771~~ [ ~~ICE-8771~~ ]

Deryk Sinotte made changes - 03/Dec/12 9:14 PM

Fix Version/s		EE-3.2.0.GA [ 10323 ]
Affects Version/s		3.2 [ 10340 ]
Description	I've opened up the following JIRA to review the potential security issue here.	This is a specific case opened up as part of a detailed analysis (~~ICE-8771~~) of a Veracode security report submitted by a customer. The reported issue was: "Improper Validation of Host-specific Certificate Data" The details provided by Veracode were: _In this call to !operator_newarray_initimp(), host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack. Verify that the certificate is valid, matches the requested site, and is signed by a trusted root authority. Generate an error and destroy the connection if any of these conditions are not met._ The relevant class is: com.icesoft.icepush.C2dmNotificationProvider void <clinit>(void)" The task is to review the code to see if there is a potential security issue here and, if there is, fix it.
Component/s		Push Library [ 10044 ]

Ken Fyten made changes - 04/Dec/12 4:27 PM

Fix Version/s

3.3 [ 10374 ]

Ken Fyten made changes - 13/Dec/12 7:05 PM

Summary

Improper Validation of Host-specific Certificate Data

SECURITY: Improper Validation of Host-specific Certificate Data

Ken Fyten made changes - 13/Dec/12 7:05 PM

Assignee

Ted Goddard [ ted.goddard ]

Hide

Permalink

Ted Goddard added a comment - 21/Dec/12 11:41 PM

This is a security issue and should be fixed. Both C2dmNotificationProvider.java and GcmNotificationProvider.java make use of noop TrustManager. This would allow an attacker to spoof DNS (for a google.com domain) and to intercept all Cloud Push notifications sent to Android devices from the application server.

Show

Ted Goddard added a comment - 21/Dec/12 11:41 PM This is a security issue and should be fixed. Both C2dmNotificationProvider.java and GcmNotificationProvider.java make use of noop TrustManager. This would allow an attacker to spoof DNS (for a google.com domain) and to intercept all Cloud Push notifications sent to Android devices from the application server.

Ted Goddard made changes - 21/Dec/12 11:42 PM

Assignee

Ted Goddard [ ted.goddard ]

Steve Maryka [ steve.maryka ]

Hide

Permalink

Ted Goddard added a comment - 21/Dec/12 11:43 PM

Assigning to Steve to consider whether to resolve for 1.2EE or a future release. Although the timing is not ideal, the recommendation would be to resolve this for 1.2 EE.

Show

Ted Goddard added a comment - 21/Dec/12 11:43 PM Assigning to Steve to consider whether to resolve for 1.2EE or a future release. Although the timing is not ideal, the recommendation would be to resolve this for 1.2 EE.

Hide

Permalink

Ted Goddard added a comment - 14/Jan/13 9:31 PM

Potential strategy for implementation:

android-sdk-macosx/extras/google/gcm/gcm-server/src/com/google/android/gcm/server/Sender.java

Just use the HttpURLConnection as in the example.

protected HttpURLConnection post(String url, String contentType, String body)
throws IOException {
if (url == null || body == null)

{ throw new IllegalArgumentException("arguments cannot be null"); }

if (!url.startsWith("https://"))

{ logger.warning("URL does not use https: " + url); }

logger.fine("Sending POST to " + url);
logger.finest("POST body: " + body);
byte[] bytes = body.getBytes();
HttpURLConnection conn = getConnection(url);
conn.setDoOutput(true);
conn.setUseCaches(false);
conn.setFixedLengthStreamingMode(bytes.length);
conn.setRequestMethod("POST");
conn.setRequestProperty("Content-Type", contentType);
conn.setRequestProperty("Authorization", "key=" + key);
OutputStream out = conn.getOutputStream();
out.write(bytes);
out.close();
return conn;
}

Show

Ted Goddard added a comment - 14/Jan/13 9:31 PM Potential strategy for implementation: android-sdk-macosx/extras/google/gcm/gcm-server/src/com/google/android/gcm/server/Sender.java Just use the HttpURLConnection as in the example. protected HttpURLConnection post(String url, String contentType, String body) throws IOException { if (url == null || body == null) { throw new IllegalArgumentException("arguments cannot be null"); } if (!url.startsWith("https://")) { logger.warning("URL does not use https: " + url); } logger.fine("Sending POST to " + url); logger.finest("POST body: " + body); byte[] bytes = body.getBytes(); HttpURLConnection conn = getConnection(url); conn.setDoOutput(true); conn.setUseCaches(false); conn.setFixedLengthStreamingMode(bytes.length); conn.setRequestMethod("POST"); conn.setRequestProperty("Content-Type", contentType); conn.setRequestProperty("Authorization", "key=" + key); OutputStream out = conn.getOutputStream(); out.write(bytes); out.close(); return conn; }

Hide

Permalink

Steve Maryka added a comment - 15/Jan/13 7:04 PM

All SSL related code has been removed from GCM provider. Now using a normal HTTP connection. The C2DM provider has been deleted, as it is no longer supported by google.

Show

Steve Maryka added a comment - 15/Jan/13 7:04 PM All SSL related code has been removed from GCM provider. Now using a normal HTTP connection. The C2DM provider has been deleted, as it is no longer supported by google.

Steve Maryka made changes - 15/Jan/13 7:04 PM

Status	Open [ 1 ]	Resolved [ 5 ]
Resolution		Fixed [ 1 ]

Ken Fyten made changes - 08/Feb/13 4:23 PM

Security

Private [ 10001 ]

Ken Fyten made changes - 17/Nov/14 11:17 AM

Status

Resolved [ 5 ]

Closed [ 6 ]

People

Assignee:

Steve Maryka

Reporter:

Deryk Sinotte

Votes:

0 Vote for this issue

Watchers:

3 Start watching this issue

Dates

Created:

30/Nov/12 2:07 AM

Updated:

17/Nov/14 11:17 AM

Resolved:

15/Jan/13 7:04 PM