ICEpush / PUSH-202

SECURITY: Improper Validation of Host-specific Certificate Data

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.2
    • Fix Version/s: EE-3.2.0.GA, 3.3
    • Component/s: Push Library
    • Labels:
      None
    • Environment:
      Test

      Description

      This is a specific case opened up as part of a detailed analysis (ICE-8771) of a Veracode security report submitted by a customer.

      The reported issue was: "Improper Validation of Host-specific Certificate Data"

      The details provided by Veracode were:

      _In this call to !operator_newarray_initimp(), host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack. Verify that the certificate is valid, matches the requested site, and is signed by a trusted root authority. Generate an error and destroy the connection if any of these conditions are not met._

      The relevant class is:

      com.icesoft.icepush.C2dmNotificationProvider
          void <clinit>(void)

      The task is to review the code to see if there is a potential security issue here and, if there is, fix it.

          Activity

          Migration created issue -
          Ken Fyten made changes -
          Field Original Value New Value
          Summary Placeholder issue Improper Validation of Host-specific Certificate Data
          Ken Fyten made changes -
          Reporter Migration [ remote ] Deryk Sinotte [ deryk.sinotte ]
          Description Placeholder issue I've opened up the following JIRA to review the potential security issue here.
          Ken Fyten made changes -
          Link This issue blocks ICE-8771 [ ICE-8771 ]
          Deryk Sinotte made changes -
          Fix Version/s EE-3.2.0.GA [ 10323 ]
          Affects Version/s 3.2 [ 10340 ]
          Component/s Push Library [ 10044 ]
          Ken Fyten made changes -
          Fix Version/s 3.3 [ 10374 ]
          Ken Fyten made changes -
          Summary Improper Validation of Host-specific Certificate Data SECURITY: Improper Validation of Host-specific Certificate Data
          Ken Fyten made changes -
          Assignee Ted Goddard [ ted.goddard ]
          Ted Goddard added a comment -

          This is a security issue and should be fixed. Both C2dmNotificationProvider.java and GcmNotificationProvider.java make use of a noop TrustManager. This would allow an attacker to spoof DNS (for a google.com domain) and to intercept all Cloud Push notifications sent to Android devices from the application server.

          Ted Goddard made changes -
          Assignee Ted Goddard [ ted.goddard ] Steve Maryka [ steve.maryka ]
          Ted Goddard added a comment -

          Assigning to Steve to consider whether to resolve for 1.2EE or a future release. Although the timing is not ideal, the recommendation would be to resolve this for 1.2 EE.

          Ted Goddard added a comment -

          Potential strategy for implementation:

          android-sdk-macosx/extras/google/gcm/gcm-server/src/com/google/android/gcm/server/Sender.java

          Just use the HttpURLConnection as in the example.

          protected HttpURLConnection post(String url, String contentType, String body)
                  throws IOException {
              if (url == null || body == null) {
                  throw new IllegalArgumentException("arguments cannot be null");
              }
              // A non-https URL is only logged here, not rejected.
              if (!url.startsWith("https://")) {
                  logger.warning("URL does not use https: " + url);
              }
              logger.fine("Sending POST to " + url);
              logger.finest("POST body: " + body);
              byte[] bytes = body.getBytes();
              // No custom SSLSocketFactory or TrustManager is installed in this method.
              HttpURLConnection conn = getConnection(url);
              conn.setDoOutput(true);
              conn.setUseCaches(false);
              conn.setFixedLengthStreamingMode(bytes.length);
              conn.setRequestMethod("POST");
              conn.setRequestProperty("Content-Type", contentType);
              conn.setRequestProperty("Authorization", "key=" + key);
              OutputStream out = conn.getOutputStream();
              out.write(bytes);
              out.close();
              return conn;
          }

          Steve Maryka added a comment -

          All SSL-related code has been removed from GCM provider. Now using a normal HTTP connection. The C2DM provider has been deleted, as it is no longer supported by Google.

          Steve Maryka made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Ken Fyten made changes -
          Security Private [ 10001 ]
          Ken Fyten made changes -
          Status Resolved [ 5 ] Closed [ 6 ]

            People

            • Assignee: Steve Maryka
            • Reporter: Deryk Sinotte
            • Votes: 0
            • Watchers: 3
