-
Notifications
You must be signed in to change notification settings - Fork 714
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ClamAV is unusable on FIPS-enabled Linux systems due to MD5 use #564
Comments
@qralston thanks for bringing up the issue again here since you're right it still is a concern, and for linking with the old bugzilla issue. We haven't made progress on the switch from MD5 to SHA256 for scan verdict caching but it is an issue in our Jira that was prioritized for investigation for our next release. I believe the plan is for MD5 to continue to be supported for signatures for compatibility with existing MD5 signatures. I'll talk with the team about either replacing as many MD5 signatures with SHA256 signatures as possible and dropping the rest, or else consider having the clamav build detect fips-mode and use conditional compilation to remove MD5 support for fips-mode builds. |
Having the same issue. When I disable FIPS ClamAV will start. uname -a rpm -qa|grep clam from /var/log/messages: |
@micahsnyder another possibility would be to add one of the available public domain implementations of MD5 (e.g. Solar Designer’s implementation) to ClamAV and call it instead of the OpenSSL implementation if the system is running in FIPS mode. The problem isn’t using MD5 per se; the problem is asking OpenSSL to perform MD5 when the system is in FIPS mode. ClamAV doesn’t use MD5 in a cryptographic context, but OpenSSL has no way to know that: it must deny all uses of MD5 if the system is in FIPS mode, in order to guarantee that no caller is using MD5 in a cryptographic context. |
@micahsnyder: It appears to me that you may be misunderstanding the issue here, possibly due to conflicting uses of the term "signature". Please correct me if I'm wrong, but it sounds like you are using the word "signature" to refer to checksums that are used to compare scanned files against a list of known safe/malicious files. FIPS does NOT prohibit the use of MD5 hashes for that purpose. Those "signatures" do NOT need to be replaced in order to resolve this issue. I'm not confident that I have a full picture of how the scan verdict caching works and is used, however at first glance it looks to me like MD5 should be OK here too. I do NOT think these checksums need to be replaced in order to resolve this issue either. The real problem is the MD5 checksum and the associated RSA digital signature that are used to verify the integrity and publishing source of the CVD file itself: https://github.com/Cisco-Talos/clamav/blob/main/libclamav/cvd.c#L571 Both because of the security context here (depending on the use case, this may be the sole mechanism for verifying that the CVD file has not been tampered with during distribution through insecure distribution channels), and because of the use of an RSA digital signature (which falls under the purview of FIPS), this MD5 checksum does need to be replaced in order to resolve this issue. Are there any plans to address this specific checksum and digital signature in the CVD file header? @qralston: OpenSSL does have a way to know whether you are using MD5 in a non-cryptographic context: the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag. There is no need to replace the MD5 implementation with a different library, just set that flag whenever you are using MD5 for a non-crypto purpose. clamav is already doing this in some places, like here: https://github.com/Cisco-Talos/clamav/blob/main/libclamav/crypto.c#L191 The problem is that it would NOT be appropriate to set this flag when validating the CVD file itself. Note that clamav already appears to be setting this flag in the code paths for the file "signature" checks and scan verdict caching, which reinforces my statements above that those uses of MD5 do not need to be replaced. However, since it (appropriately) does not set this flag when validating the CVD file itself, freshclam/clamd/clamav currently all fail when loading/verifying the CVD file. |
@PaulSD Thank you for the detailed explanation. I was indeed confused. This helps! I will talk with the team about it. |
@PaulSD wrote:
The If the system was not booted in FIPS mode, even if the system’s default OpenSSL 3.0 configuration only loads the fips provider, you should be able to explicitly load the default and/or legacy providers. But per my experience with attempting to connect to a Wi-Fi network on a RHEL9 / OpenSSL 3.0 laptop booted in FIPS mode, attempts to call cryptographic functions that are not FIPS-validated will fail when the system has been booted in FIPS mode, regardless of what providers you explicitly load. Because that is the entire point of booting a Linux system in FIPS mode: to ensure that all cryptographic providers refuse to provide cryptographic functions that are not FIPS-validated. The bottom line is that in 2023, you must assume that requesting any of (OpenSSL, GnuTLS, NSS, the Linux kernel) to perform legacy cryptographic functions (MD5, SHA-1, et. al.) will fail, with no possibility of avoiding that failure. Migrating clamav to using SHA-2 or (preferably) SHA-3 hash functions, and removing any/all uses of MD5 or SHA-1, should be a priority for clamav development. But as per the hostap mailing list thread (linked above), if you cannot immediately rewrite your code so that it no longer needs to call legacy cryptographic functions, the best stopgap measure is to provide internal implementations of those functions, a la hostap. Finally, I agree with @PaulSD that it is inappropriate to use MD5 to validate the digital signature of a CVD file. MD5 is so hopelessly broken that an attacker with even moderate resources (e.g., an AI/ML system) would likely be able to forge CVD signatures. |
Good point; A lot has changed in OpenSSL 3, and ClamAV has not yet been updated to work around FIPS with OpenSSL 3. In order to resolve this issue on systems using OpenSSL 3, some code updates will also be needed, although I think those will be relatively easy/minor (some details are below). However, I have to disagree with a couple of your other statements. But first, let me start with some additional details on OpenSSL 3:
To show this in action:
To dispute some statements:
As described above, this is due to the That said, I do agree with this statement:
I would argue that implementing your own crypto (even legacy crypto) is never a good idea, and internalizing or statically linking a random non-FIPS-compliant library/implementation just to work around FIPS issues isn't much better.
I agree that modern hash functions are always preferable to obsolete ones, and it would be nice if all uses of MD5 in ClamAV could be replaced. However, let's not make perfect the enemy of good. |
This is preventing me from using ClamAV. What is a workaround? Can I disable signature checking in freshclam? |
We are using RHEL 9 and we have the SAME issue. How can we disable the signature checking or get it working with openssl 3. |
Thank you @barrydegraaff , Will this fix ever get merged before the next clamav release? |
The core issue here is that because ClamAV uses MD5 for cryptographic functions, ClamAV is not FIPS-compliant. Since the entire purpose of running a Linux system in FIPS mode is to ensure that only FIPS-validated cryptography is used, ClamAV should fail to work on a system that runs in FIPS mode. What #959 does is modify ClamAV to represent that all uses of MD5 occur in non-cryptographic contexts (by banning the FIPS provider when fetching an MD5 implementation). This is a chicanery. Metaphorically speaking, this is avoiding being ticketed by a red light camera by spray-painting over the camera, when the correct solution is to stop running red lights. Thus, #959 must be rejected. The only correct solution here is for ClamAV to abandon the use of MD5, SHA-1, and all deprecated cryptographic algorithms in favor of modern cryptographic algorithms. I know that is nontrivial, but as I said in my opening comment, an increasing number of security hardening standards (e.g., DISA STIGs) require FIPS mode. Many of those same standards also require performing malicious code detection. As grateful as we are for ClamAV and to the ClamAV developers, MD5 has been hopelessly broken since 2008; using it in 2023, in any context, is a giant red flag that the software in question does not take security seriously. |
What I think we really need to do is switch over the CVD signing and verification logic from MD5 -> SHA256. In the public clamav code that's mostly Lines 557 to 579 in 5ea0a25
We would also probably want to change the hash variable name from Line 1101 in 5ea0a25
And then change our internal signing tool to use sha256 as well. After that, we'll have to start building and distributing We'll have to do the same with a In addition to this, we're also making an effort to swap from MD5 to SHA256 for our clean file cache. We would also then replace all MD5 signatures for the newer clamav versions with SHA256 signatures. This last item is already on our roadmap. |
Is their any update on this? |
No news. |
I hate to add to the comments of people asking for an update, but figured I would check in since it's been a couple months since the last post. Assuming no new updates to this issue? |
Same issue here. Subscribing to watch for updates and hopefully a resolution. |
Any updates on this issue? |
No news. |
Monthly check-in to see if there might have been some progress here. |
true FIPS support should be a priority for the clamav developers. Especially after waiting all this time. |
My team is going to have to switch to an ugly alternative soon because of this problem. |
Has there been any progress on resolving this issue? |
Second that question. Looking at MS defender now which is scary. Wazuh
seems interesting too.
…On Mon, Apr 8, 2024, 8:47 AM jc05585 ***@***.***> wrote:
Has there been any progress on resolving this issue?
—
Reply to this email directly, view it on GitHub
<#564 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AK7A2O27SEUP6HCU3ZZSU4LY4K3XVAVCNFSM5UUFOJU2U5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TEMBUGMYDSOBTGA2Q>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
I second this. It needs to be addressed ASAP |
It is helpful to see pings on this issue to gauge user interest. I am not going to reply to every monthly ping, however. This request is on our radar and frequently discussed during roadmap planning. But we have limited resources, particularly now. And this is not the only high priority task that we're being pressed for. I want to resolve this issue, but I cannot promise a timeline. |
Thank you for the response. What resources do you need for this task?
My institution figured out how to get crowd strike to make its falcon
client to work in user mode.
Personally, I still want this product to be fips compatible for my person
Linux boxes.
Thank you
…On Thu, Apr 25, 2024, 12:59 PM Micah Snyder ***@***.***> wrote:
It is helpful to see pings on this issue to gauge user interest. I am not
going to reply to every monthly ping, however.
This request is on our radar and frequently discussed during roadmap
planning. But we have limited resources, particularly now. And this is not
the only high priority task that we're being pressed for.
I want to resolve this issue, but I cannot promise a timeline.
—
Reply to this email directly, view it on GitHub
<#564 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AK7A2O4T4BUHHLO3FKA5HJTY7FHBLAVCNFSM5UUFOJU2U5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TEMBXG44TOMRZGEZQ>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
Here's my ping for real FIPS support. :-) |
Developer headcount, mostly. Off the top of my head... We need research and planning to identify a modern mechanism to sign clamav database archives. Previously I suggested simply switching from MD5 to SHA256. We've talked about it more internally and we'd like to do better. We know we would like to have add support for rotating the signing certificate, which implies support for a root certificate and maybe intermediate certificates. But do we want to use GPG? PKCS? Something else? How would we deploy new public keys? How would we revoke compromised signing certs? Ideally we would add the new CVD2 signing and extraction code in Rust. We likely want to backport it to previous releases, however, so we can get people off of the old CVD format. Another thing to consider is where to store the public key for the signing certs. Presumably we'd bundle the latest public key with ClamAV and then add some mechanism to rotate it through a signature update. Does that mean we need to provide a tiny CVD2 in our git repo that contains the latest signing public key? I'm not sure. Is it even a good idea to store public keys for verifying CVD2's in the same directory? If not, why not? And what is the alternative? We'll also need to write up documentation on how this works, how to make and maintain your own signature archive signing certificates so folks like SaneSecurity could deploy their own signed CVD2 databases. Would this be meaningful to third party signature authors? Or would we be adding complexity for no reason? Something else to consider... ClamAV has a CVD patching feature called CDIFF that extracts a CVD, applies specific line changes to the contained files, and then packages it into a CLD. CDIFF patches are also signed, so we'll certainly have to make a CDIFF2 format. So relating to CDIFF2 patch files, here's it would be really neat if we could bundle the signature for the next CVD2 with a the CDIFF2 patch such that after applying the patch and re-compressing the signature archive, the CVD2 signature is a match. The CDIFF2 patches would have to be perfect, and rely on compression being 100% reproducible. If we could pull this off, then Freshclam could be used to provide all the files necessary to host a private mirror without downloading a whole CVD2 archive every day. This would reduce traffic against the CDN, and we could deprecate the CVDUpdate program. This could also maybe get rid of the CLD files which would reduce confusion from users who are like "Where my CVD go? 😢" But this isn't a blocker. After we finish the implementation for the new CVD2 / CDIFF2, which includes both signing and verification, we'll need to make a bunch of changes to our internal processes to build both the old CVD / CDIFF and new CVD2 / CDIFF2 files. Changes will also be required to devops scripts to deploy them, and to Cloudflare CDN configuration to host them. In short, ... it's a lot. We could use help with recommendations around CVD2 / CDIFF2 design along with a security review of proposed solutions. I'd be open to help with implementation, though I doubt anyone from the community with the required expertise has the time to take on a task of of this size. |
Just having this TODO list is a good start. |
Interesting, I have not experience this. As far as other projects go I have worked with gitlab, ruby bundle audit, and most recently verdaccio. |
Reading the comments here and the fixes proposed, it feels possible that we're making perfection the enemy of the good. While the outline from @micahsnyder gives the long term roadmap, if patch #959 (rejected by @qralston) were instead to be wrapped up inside of a configuration or runtime option, then this would at least allow deliberate execution of Clam inside of a FIPS environment. This option would be disabled by default, but then a user could deliberately allow ClamAV to run in their FIPS environment. It seems like a logical compromise to have a short win for FIPS users while still allowing a long term path to the most correct FIPS compliant solution. |
Ran into same issue testing FIPS on Ubuntu 22.04 which is nearing validation for FIPS 140-3 standard which I can see a lot of orgs moving to from older distributions. |
Updated pull request at #1344 that addresses all this issue and other FIPS compliance issues around database signatures. It should be a complete patch for external, extensible signatures going forward. |
Just wanted to add my 2 cents that we are also running into this issue on RHEL 9 with FIPS enabled (to show more interest in a fix). Any ETA on a fix? |
Our current plan is to fix this with the ClamAV 1.5 release end of this year. |
Is 1.5 planned to be the next LTS version? |
Yes |
Hi @micahsnyder is there a tentative release date for the 1.5 version? (FIPS compliant) |
@itsmelodewyk We'd been hoping to release late this month, but we'll be late. I'm still actively working on the implementation for the new FIPS compliant CVD signing mechanism. Then it will need to be reviewed and tested. After merge, we'll create the release candidate. That should last ~3 weeks before stable release. In short, it may be as early as mid-December or as late as mid-January. |
Describe the bug
ClamAV is completely unusable on certain Linux distributions when FIPS mode is enabled.
The Linux system affected include at least RHEL8 and RHEL9 (beta).
How to reproduce the problem
Build and install ClamAV on a RHEL8 or RHEL9 beta system without FIPS mode enabled. Observe that all ClamAV functionality works.
Reboot the host into FIPS mode (by passing
fips=1
to the kernel).Observe that any attempt to load any of the databases fails:
In this case, the Can't allocate memory error is somewhat of a red herring. The true issue is that when FIPS mode is active, non–FIPS-approved hashing algorithms are disabled, and that includes MD5, which ClamAV uses extensively internally.
This was a known issue, and was already reported back on 2019-10-29 in BZ#12424:
This bug was not carried over to GitHub, so this issue is a continuation of the Bugzilla bug.
The bottom line: in 2022, no software should be using anything other than the SHA2 (SHA-256, SHA-384, SHA-512) and SHA3 family of hashing algorithms. Any use of MD5 and/or SHA-1 should be replaced with SHA2 or later, as both MD5 and SHA-1 are considered by cryptographers to be broken.
An increasing number of security hardening standards (e.g., DISA STIGs) require FIPS mode, so this will only affect more ClamAV users over time.
The text was updated successfully, but these errors were encountered: