From 73f7e670930ff2dc57ce2886e7cbb03f113a67b7 Mon Sep 17 00:00:00 2001 From: Thomas Waldmann Date: Fri, 8 Sep 2023 17:34:56 +0200 Subject: [PATCH] add CVE-2023-36811 related upgrade notes --- docs/changes.rst | 77 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) diff --git a/docs/changes.rst b/docs/changes.rst index e29445fa..33007829 100644 --- a/docs/changes.rst +++ b/docs/changes.rst @@ -5,6 +5,83 @@ Important notes This section provides information about security and corruption issues. +.. _archives_tam_vuln: + +Pre-1.2.5 archives spoofing vulnerability (CVE-2023-36811) +---------------------------------------------------------- +Note: the security fix released with borg 1.2.5/1.2.6 was backported to +1.1-maint branch. Below is a copy of the related upgrade notes from 1.2.6, +they also apply here: + +A flaw in the cryptographic authentication scheme in Borg allowed an attacker to +fake archives and potentially indirectly cause backup data loss in the repository. + +The attack requires an attacker to be able to + +1. insert files (with no additional headers) into backups +2. gain write access to the repository + +This vulnerability does not disclose plaintext to the attacker, nor does it +affect the authenticity of existing archives. + +Creating plausible fake archives may be feasible for empty or small archives, +but is unlikely for large archives. + +The fix enforces checking the TAM authentication tag of archives at critical +places. Borg now considers archives without TAM as garbage or an attack. + +We are not aware of others having discovered, disclosed or exploited this vulnerability. + +Below, if we speak of borg 1.2.6, we mean a borg version >= 1.2.6 **or** a +borg version that has the relevant security patches for this vulnerability applied +(could be also an older version in that case). + +Steps you must take to upgrade a repository: + +1. Upgrade all clients using this repository to borg 1.2.6. + Note: it is not required to upgrade a server, except if the server-side borg + is also used as a client (and not just for "borg serve"). + + Do **not** run ``borg check`` with borg > 1.2.4 before completing the upgrade steps. + +2. Run ``BORG_WORKAROUNDS=ignore_invalid_archive_tam borg info --debug 2>&1 | grep TAM | grep -i manifest``. + + a) If you get "TAM-verified manifest", continue with 3. + b) If you get "Manifest TAM not found and not required", run + ``borg upgrade --tam --force `` *on every client*. + +3. Run ``BORG_WORKAROUNDS=ignore_invalid_archive_tam borg list --format='{name} {time} tam:{tam}{NL}' ``. + "tam:verified" means that the archive has a valid TAM authentication. + "tam:none" is expected as output for archives created by borg <1.0.9. + "tam:none" is also expected for archives resulting from a borg rename + or borg recreate operation (see #7791). + "tam:none" could also come from archives created by an attacker. + You should verify that "tam:none" archives are authentic and not malicious + (== have good content, have correct timestamp, can be extracted successfully). + In case you find crappy/malicious archives, you must delete them before proceeding. + In low-risk, trusted environments, you may decide on your own risk to skip step 3 + and just trust in everything being OK. + +4. If there are no tam:none archives left at this point, you can skip this step. + Run ``BORG_WORKAROUNDS=ignore_invalid_archive_tam borg upgrade --archives-tam ``. + This will unconditionally add a correct archive TAM to all archives not having one. + ``borg check`` would consider TAM-less or invalid-TAM archives as garbage or a potential attack. + To see that all archives now are "tam:verified" run: ``borg list --format='{name} {time} tam:{tam}{NL}' `` + +5. Please note that you should never use BORG_WORKAROUNDS=ignore_invalid_archive_tam + for normal production operations - it is only needed once to get the archives in a + repository into a good state. All archives have a valid TAM now. + +Vulnerability time line: + +* 2023-06-13: Vulnerability discovered during code review by Thomas Waldmann +* 2023-06-13...: Work on fixing the issue, upgrade procedure, docs. +* 2023-06-30: CVE was assigned via Github CNA +* 2023-06-30 .. 2023-08-29: Fixed issue, code review, docs, testing. +* 2023-08-30: Released fixed version 1.2.5 (broken upgrade procedure for some repos) +* 2023-08-31: Released fixed version 1.2.6 (fixes upgrade procedure) +* 2023-09-08: Backported fixes / docs to 1.1-maint branch. + .. _hashindex_set_bug: Pre-1.1.11 potential index corruption / data loss issue