Insecure installation of BILLmanager, susceptible to MITM attacks and SSL misconfiguration for CDN

Roman Ananev shared this problem 6 months ago
Solved

Hello,

The BILLmanager installation documentation page https://docs.ispsystem.com/billmanager/installation-and-updates/installation-process for EN and https://docs.ispsystem.ru/billmanager/ustanovka-i-obnovlenie/protsess-ustanovki for RU provides an insecure link to download the installation script via HTTP (without SSL, check the 1st screenshot), which allows MITM attacks to be performed.

And if we try to "cheat" and substitute "S" into the URL (2nd screenshot), we can see that here you are trying to use a certificate from the domain "download.ispsystem.com", so that tells us that there is no SSL certificate here.

Comments (2)


➜  ~ curl 'https://cdn.ispsystem.com/install.sh' -v
*   Trying 185.146.158.10:443...
* Connected to cdn.ispsystem.com (185.146.158.10) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=download.ispsystem.com
*  start date: Feb 22 15:38:33 2022 GMT
*  expire date: May 23 15:38:32 2022 GMT
*  subjectAltName does not match cdn.ispsystem.com
* SSL: no alternative certificate subject name matches target host name 'cdn.ispsystem.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'cdn.ispsystem.com'
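
The mismatch curl reports above, reproduced offline as an added example (not part of the original thread and not ISPsystem code): a simplified RFC 6125 style check of a host name against a certificate's subjectAltName DNS entries. The function names and both certificate dictionaries are constructed for illustration; the SAN list of the served certificate is an assumption, since the page only shows its subject CN.

```python
# Added example: SAN-based hostname check, simplified from RFC 6125 rules.
# Certificate dicts use the shape returned by ssl.SSLSocket.getpeercert().

def dns_names(cert):
    """Return the DNS entries of subjectAltName, lower-cased."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def label_match(pattern, host):
    """Match one SAN entry against a host name.

    A wildcard is honoured only as the complete leftmost label and covers
    exactly one label, so *.example.com never matches a.b.example.com.
    """
    p = pattern.rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:          # refuse overly broad "*.com"
        return p[1:] == h[1:] and h[0] != ""
    return p == h

def hostname_matches(cert, host):
    """True if any DNS SAN covers host. The subject CN is ignored,
    as modern TLS clients do when a SAN extension is present."""
    return any(label_match(name, host) for name in dns_names(cert))

# Constructed sample: the subject CN is taken from the curl output on this
# page; the SAN list is an assumption (the page only says it does not match).
SERVED_CERT = {
    "subject": ((("commonName", "download.ispsystem.com"),),),
    "subjectAltName": (("DNS", "download.ispsystem.com"),),
}
# Hypothetical certificate that would cover the CDN host name.
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.ispsystem.com"),)}

if __name__ == "__main__":
    for host in ("cdn.ispsystem.com", "download.ispsystem.com"):
        print(host, hostname_matches(SERVED_CERT, host))
```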


Good afternoon!

We have created a ticket in your personal account; you can see it in the "Technical support" section.