CVE-2021-3711

[raccooox]

Hi

does anyone know when the vulnerability CVE-2021-3711 will be fixed?

Found in GLPI Agent v 1.4

[g-bougard]

Hi @hangloose85

when talking about security you should always talk about the concerned operating system. I guess you're talking about GLPI Agent on windows. Actually, on this OS, the agent is provided with the openssl library built for StrawberryPerl 5.32 which is the 1.1.1i and so yes, it is concerned by this CVE.
We can't actually upgrade this library by ourself as Strawberry perl project is in a strange state with a main contributor take-over. It can take few time until he decides to rebuilt that lib.

As far I know, but I'm not an expert, this CVE has no known exploit and even less with the agent as target.

Anyway, I read carefully the CVE description and also this Sophos article. IMHO, this flow is really not critical in the agent context:

• most time, agent can be a SSL client for your GLPI server if you're using SSL on your GLPI server. I don't think you want to exploit this CVE against your agents. Indeed, agent is generally used in a context you just trust the GLPI server. When this is not the case, you can use a script to generate locally the inventory file and use another not vulnerable program to submit the inventory to the GLPI server you think you shouldn't trust.
• In the extreme case, someone is attacking you with a man-in-the-middle attack against your trusted server... this still means you are still running in a wrong way. Such guy could then receive agent requests telling them to use SM2 algorithm and the MITM server can try to attack agents this way. But as Sophos article is pointing it, the exploit is extremely difficult and attackers always search for less difficult vulnerabilities.
• in the remoteinventory context, you may have configure a WinRM over SSL access to inventory a windows computer remotely. As for GLPI server, you generally trust the remote computer and a MITM attack is probably possible but extremely difficult.
• in another case, you may want to enable the SSL layer on the embedded httpd interface. But it is not enabled by default. And for such purpose, you can really just authorize trusted ip tuning the system firewall. Also as pointed by the Sophos article, the SM2 algorithm is not actually used by default. So on server side, you must explicitly configure its using, which it's actually not the case. So I think we can ignore that context as possible attack way.

I can also tell you the agent won't access any external public server you are not aware about. It may be possible in the future for a feature like auto-update, but this won't enabled by default.

That said and to answer your primary "when will it be fixed ?" question, I know it will be in a near future as I'm monitoring the StrawberryPerl project for such updates, and the project is not dead. I think it will be fixed during the next 6 months but I can't tell for sure. For sure, I can tell you a fixed nightly build will be available as soon as an openssl library update is available from the StrawberryPerl project.

If you have some budget to invest, you can also contact us with your GLPI subscription to request we work on an earlier fix.

P.S.:

• MacOSX builds are not concerned as we are building a dedicated perl with the latest OpenSSL 3.0.7 version,
• for linux versions:
  • they are mostly using system libraries, so keep your OS updated.
  • I'm not sure for AppImage & Snap builds, but I think they are using a fixed version.

[g-bougard]

Hi @raccooox

I worked on the packaging building process so we can include our chosen libraries. From now, we will include OpenSSL 3.2.1. So future releases won't anymore be concerned by this CVE.

I still have some works planed on the windows packaging before the next release which will be 1.8, but the next release should happen in the next few weeks.

[g-bougard]

Latest 1.8 release is now including OpenSSL 3.2.1 on Windows.