Before: Arbitrator EvaStöwe (A), Respondent: CAcert (R), Claimant: Benny B as Software Assessor (C), Case: a20141118.1

History Log

Private Part

EOT Private Part

original Dispute

> Dear arbitration,
> 
> in the course of handling a support case on the public mailing
> list[1][2] a source review has been triggered. In the course of
> reviewing the source several more or less critical issues have been
> found. Where every one of those issues did not pose a high risk on
> their own; It was the combination of all the issues that led to the
> decision to remove the affected feature from the software completely
> as discussed in [3].
> 
> In order to check the feasibility of one particular issue of the set a
> notice was sent to [a member] to implement a PoC on the test system
> environment and prepare precautions in Gigi & Cassiopeia to mitigate
> similar issues should they be applicable. Commits (especially to Gigi)
> containing changes that might potentially disclose the nature of the
> issues being fixed by 1339 were to be kept under embargo until they
> are fixed on the production system.
> 
> A limited number of selected people besides me had prior knowledge of
> the issue
> 
> I therefore seek an investigation of this issue to answer the
> following questions:
> 
> 1. How many users are affected by the removal of the feature?
> 
> 2. Should a mailing be sent (affected users, other group?) to notify
> on this issue? What content should it include?
> 
> 3. Discuss the contents of a public announcement on the blog.
> 
> 4. Discuss how this issue might have been used and symptoms that
> indicate it being used?
> 
> 5. Discuss parts of our policy regarding the precautions to avoid
> future incidents of this kind? Especially are there requirements in
> place to require a certain strength for the authentication?
> 
> 6. Discuss further investigative steps to take for analysis of this
> problem.
> 
> 7. Discuss possibly related issues related to the one found.
> 
> 8. Discuss follow-up actions as necessary for audit.
> 
> 9. Investigate further aspects related to the issue at hand.
> 
> More details will follow in encrypted form once an arbitration number
> has been allocated.

Discovery

about bugs 1339, 1341

relevant dates

queries and scripts

1st query: number of affected users

SELECT COUNT(*) FROM users WHERE otphash != '';

2nd query: provides needed data to infrom affected members via mail

This query is not executed. It currently does not have another review and there also needs to be a mail-text created.

queries executed by critical team on logfiles

Based on the pattern we have noticed on the test server to provoke the bug #1339 issue, we have concluded that webserver accesses starting with "/index.php?id=4" are possibly suspect, in particular when issued repeatedly in a very short time. Based on that assumption we have analyzed the web server access logs with the following simple script:

The results of this reveal that in a few specific weeks, *much* more queries matching the pattern were issued than in the "average" week. This concerns occurences in four different weeks (the logfile is rotated once per week), ending on these dates: 20140112, 20140810, 20140817 ad 20141019. Note that the bug was patched on 20141018.

The results of running that script reveal that indeed a specific host can be linked to each occurrence, with the matches for 20140810 and 20140817 coming from a pool of hosts with similar addresses.

3rd script: analyse bin-log

[Will be added after analysis/reviews/discussion]

Ruling

Execution

Similiar Cases

to be done


Arbitrations/a20141118.1 (last edited 2015-03-23 21:24:50 by EvaStöwe)