Insecure sources retrieval
Closed this issue · 5 comments
Hello,
There is no file integrity check and no HTTPS while downloading these files:
- https://github.com/dougbtv/docker-asterisk/blob/master/asterisk/13/Dockerfile#L11
- https://github.com/dougbtv/docker-asterisk/blob/master/asterisk/13/Dockerfile#L27
An attacker can easily inject malicious code to backdoor the software or take control of the Docker container.
To solve this issue, the hash of downloaded files should be checked, or the files downloaded over HTTPS, or both.
About the Asterisk binary: I have found https://downloads.asterisk.org/code/browse/asterisk over HTTPS, but there is no option to download the repository over HTTPS. Their git clone git://git.asterisk.org/asterisk/asterisk.git is insecure as it uses git://, so it provides no authentication / encryption.
Alright, I have checks in which look at the md5 signatures; however, both are over HTTP, which is what I have within my locus of control. The gist is that I look at the md5 signatures, and if they mismatch, the commands exit non-zero, which will stop the docker build, which should be a hint.
Thanks for the details, and the mind towards security when looking at this, I appreciate it.
I realize that HTTPS would be more ideal; however, there are no official releases for these products over HTTPS (that I can find). -- I would gladly appreciate it if you could open issues with the providers of these software packages to address this, and I will happily integrate.
Specifically I want this project to use the certified asterisk branches (11 & 13 for now, the LTS releases), as that is the product that Digium officially supports (e.g. if you were to buy support or get consulting from Digium, the first thing they will have you do is update to the latest certified). If I have missed a method of downloading these tarballs, let me know and I will update them.
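The comment above relies on an md5 file fetched over the same plain-HTTP channel as the tarball, so a mismatch only catches accidental corruption, not tampering. The script below is an added example, not code from the docker-asterisk project: it pins a digest in the build script itself (taken from a trusted source ahead of time), fetches only over HTTPS, and returns non-zero on any mismatch so a `docker build` RUN step fails. The function names, the curl flags used to refuse non-HTTPS redirects, and the placeholder URL in the usage note are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the docker-asterisk project's own Dockerfile code):
# verify a downloaded archive against a SHA-256 digest pinned in the build,
# and exit non-zero on mismatch so the docker build stops instead of
# continuing with a tampered file. EXPECTED_SHA256 must come from a trusted
# copy of the release checksum, not from the same plain-HTTP download.

# Compute the SHA-256 of a file with whichever tool the base image provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_download FILE EXPECTED_SHA256
# Returns 0 when the digest matches, 1 on mismatch or missing file.
verify_download() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "verify_download: $file not found" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "verify_download: checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    echo "verify_download: $file OK"
    return 0
}

# fetch_and_verify URL EXPECTED_SHA256 [DEST]
# Refuses anything but https://, downloads, then verifies the digest.
fetch_and_verify() {
    url=$1
    expected=$2
    dest=${3:-$(basename "$url")}
    case "$url" in
        https://*) ;;
        *) echo "fetch_and_verify: refusing non-HTTPS URL $url" >&2; return 1 ;;
    esac
    # --fail maps HTTP errors to a non-zero exit; --proto '=https' also blocks
    # a redirect from downgrading the transfer to plain http.
    curl --fail --silent --show-error --location --proto '=https' \
        -o "$dest" "$url" || return 1
    verify_download "$dest" "$expected"
}
```

In a Dockerfile this would be called from a RUN step, for example `RUN . /build/fetch.sh && fetch_and_verify https://example.invalid/placeholder.tar.gz <pinned-sha256> asterisk.tar.gz` (placeholder URL and digest); because the function's non-zero return propagates to the RUN step, a mismatch fails the image build rather than leaving a hint in the log.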
I think I have a path forward @pwnsdx -- looks like there's a way to git clone the source over https!
Discovered from: https://wiki.asterisk.org/wiki/display/AST/Gerrit+Usage
In short, I can do something along the lines of:
git clone --depth 1 https://gerrit.asterisk.org/asterisk
I just need a way to figure out which branch to use... On my scratch pad I have...
git ls-remote --heads https://gerrit.asterisk.org/asterisk
git ls-remote --heads https://gerrit.asterisk.org/asterisk | grep -i "certified/11.6"
git clone -b certified/11.6 --depth 1 https://gerrit.asterisk.org/asterisk
Pretty sure this is going to be the ticket.
Any commentary herein? Happy to discuss for sure, this has been on my mind (but I've been on vacation, so it hasn't been on my mind too much, tbh!)
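The ls-remote / grep / clone sequence sketched in the comment above can be turned into a script that picks the newest certified branch for a major version automatically and refuses any remote that is not HTTPS. This is an added example and not the docker-asterisk project's own code; the remote URL and branch naming follow the thread, the sample ls-remote output is constructed with made-up commit ids, and the optional pinned-commit check is a hypothetical addition that goes one step beyond the thread by verifying the cloned HEAD.

```shell
#!/bin/sh
# Added example (not the docker-asterisk project's own code): choose the
# newest certified/<MAJOR>.x branch from `git ls-remote --heads` output and
# shallow-clone it over HTTPS only. HTTPS authenticates the server; pinning
# the expected HEAD commit (optional 4th argument, hypothetical) additionally
# makes the build fail if the branch tip moved unexpectedly.

# newest_certified_branch MAJOR < ls-remote-output
# Prints e.g. "certified/13.8"; returns 1 if no such branch exists.
# ls-remote lines look like "<sha><TAB>refs/heads/<name>"; field 2 is the ref.
newest_certified_branch() {
    major=$1
    branch=$(awk -v re="^refs/heads/certified/${major}[.][0-9]+$" \
        '$2 ~ re { sub("^refs/heads/", "", $2); print $2 }' \
        | sort -t. -k2,2n | tail -n 1)
    [ -n "$branch" ] || return 1
    printf '%s\n' "$branch"
}

# clone_certified MAJOR REMOTE_URL DEST [EXPECTED_COMMIT]
# Refuses non-HTTPS remotes, resolves the branch, shallow-clones it, and
# optionally checks that HEAD equals the pinned commit id.
clone_certified() {
    major=$1
    remote=$2
    dest=$3
    expected=${4:-}
    case "$remote" in
        https://*) ;;
        *) echo "clone_certified: refusing non-HTTPS remote $remote" >&2; return 1 ;;
    esac
    branch=$(git ls-remote --heads "$remote" | newest_certified_branch "$major") || {
        echo "clone_certified: no certified/$major.x branch at $remote" >&2
        return 1
    }
    git clone -b "$branch" --depth 1 "$remote" "$dest" || return 1
    if [ -n "$expected" ]; then
        head=$(git -C "$dest" rev-parse HEAD)
        [ "$head" = "$expected" ] || {
            echo "clone_certified: HEAD $head does not match pinned $expected" >&2
            return 1
        }
    fi
}

# Constructed sample of `git ls-remote --heads` output (commit ids made up),
# used only to exercise newest_certified_branch offline.
sample_heads() {
    printf '%s\t%s\n' \
        1111111111111111111111111111111111111111 refs/heads/certified/11.6 \
        2222222222222222222222222222222222222222 refs/heads/certified/13.1 \
        3333333333333333333333333333333333333333 refs/heads/certified/13.8 \
        4444444444444444444444444444444444444444 refs/heads/certified/13.13 \
        5555555555555555555555555555555555555555 refs/heads/master
}
```

Against a live remote the call would be `clone_certified 13 https://gerrit.asterisk.org/asterisk /usr/src/asterisk`; the numeric sort on the minor version is what keeps 13.13 ahead of 13.8, which a plain `grep | tail` would get wrong.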
Just an update here that this is still on my "notepad" if-you-will, haven't implemented it yet, but, before I do if you have any commentary, I'm more than willing to listen for advice. Thanks, -Doug
Hey, this sounds to be the best way to get the sources! :)
S.