[Servercert-wg] Ballot SC29: System Configuration Management

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed Apr 1 03:36:28 MST 2020 


On 2020-03-30 2:38 μ.μ., Neil Dunbar via Servercert-wg wrote:
>
> On 30/03/2020 11:07, Dimitris Zacharopoulos (HARICA) via Servercert-wg 
> wrote:
>
>> We had an internal discussion at HARICA and focused mainly on the OS 
>> security patching process. Here are some of the team's observations:
>>
>>  1. Security patches, especially for 0-day exploits, should be
>>     applied as soon as possible. Human review in most cases adds
>>     unnecessary delay and increases the risk of the CA being
>>     vulnerable to attacks.
>>
> It's not at all clear to me that this is the case. However, it might 
> help to understand what the notion of "review" means in this case. I 
> suspect that we're coming at this word from different angles.
>
> Emergency Change Orders are a well known phenomenon in most workflows. 
> Now - they _should_ be painful (ie, a senior manager or director 
> should be approving the change) because that acts as a discouragement 
> to fast-track proper testing via the ECO mechanism.
>

The team considers this "Emergency Change Order" to cause unnecessary 
delay in some cases, for some categories of OS patches (e.g. security 
updates). Whenever the vendor has patches that *the vendor* labels as 
security updates, we would like to have the option for these patches to 
be applied as soon as possible, without requiring additional human 
review by the CA.

Just to avoid any misunderstanding, only existing installed packages 
would be updated. This would not invoke installation of new packages 
(e.g. bluetooth packages or other unwanted software). Servers that 
follow the NSRs 1g already ensure that only the utmost necessary 
software is installed.

We would also like to remind everyone that this ballot affects 
"Certificate Systems, Issuing Systems, Certificate Management Systems, 
Security Support Systems, and Front-End / Internal-Support Systems", 
which covers almost every system under the CA's PKI management.


>>  1. Human review doesn't scale as the number of Systems increase.
>>     Automation is the only way to handle large number of Systems.
>>
> Well, no one is asking for a per-system review. If you host a curated 
> mirror of your vendor's upstream patches, then the current automation 
> systems would work with virtually no alteration - just a repository 
> change.

We don't disagree that for some packages this manual approval process is 
an improvement. We disagree that this needs to be done for all cases, 
like OS vendor security patches.

>>  1. Human review of patches for so many different OS components,
>>     sometimes without enough details or the source code available, is
>>     too difficult to be done correctly and humans do make mistakes.
>>
> Of course - so do OS vendors! But again - what do we mean by "review". 
> I don't understand it to be a line-by-line formal code analysis. The 
> issue at hand is whether the OS vendor is addressing a security issue 
> which the CA is likely to suffer from, and that the patches produced 
> don't introduce any extra vulnerability which the CA cannot tolerate.
>

This decision must be left for the CA to make based on its risk 
assessment. The potential introduction of "extra vulnerability" vs "real 
and existing vulnerability" leans towards mitigating the "real and 
existing vulnerability". Historically, the cases where an OS vendor 
introduce additional vulnerabilities are very rare. Can you give us some 
examples of cases where the vendor introduced new vulnerabilities when 
trying to mitigate patch existing ones?


> To accept a patch - at least to me - means that you are aware of the 
> issue which the patch seeks to address (ie, you've looked at the 
> changelog); you've determined that you are likely to suffer from the 
> asserted vulnerability; you decide that the exploit of the 
> vulnerability is an unacceptable risk; that you believe that the 
> vendor has sufficient QA processes in place not to introduce further 
> unacceptable vulnerabilities while deploying the updated software; and 
> that you know how to roll back the change in the event that it either 
> does not work or introduces unacceptable changes in your systems. 
> [There are probably more steps in there, but those are the major ones, 
> to my thinking].
>

The belief that the vendor has sufficient QA process has already been 
determined/decided when the CA decided to accept this vendor as.... a 
trusted vendor :-)

I think our misunderstanding is about the generic use of the term 
"vendor". Our concerns are more focused on OS vendors that the CA trusts 
for doing a good job in addressing security risks at the OS level, doing 
a good job at QA and has a history of delivering security 
updates/patches that do not introduce additional vulnerabilities. CAs 
should be allowed to make this decision once and not daily by 
approving/screening security updates that are critical for the stability 
and safety of the CA systems.

Of course it's up to the CA to have revert mechanisms if a security 
patch "breaks" something, but that's the responsibility of the CA and we 
should not be so prescriptive about it in the requirements.

In our understanding, installing security patches without undue delay is 
more secure for the overall security which ultimately benefits the 
end-users. This is the one automation that can be done securely and 
unattended for the benefit of the ecosystem. In most cases the risk of 
being "down" is smaller then the risk of being "vulnerable". Also, a CA 
can implement a series of compensating controls that can prevent a 
system from being "down" in those rare cases.

> Put another way - if you knew that a patch addressed a vulnerability 
> in the Bluetooth stack on a host, but you have no Bluetooth equipment 
> in your array, then isn't patching something with no avenue of 
> exploitation a source of risk? And if so, is that risk then 
> acceptable? It may, or may not be, but I think an auditor would at 
> least want to see that someone had made that judgement call.
>

Again, we are not discussing about upgrading something that is outside 
the installed software stack. According to NSRs 1g, only necessary 
software should be installed in the first place. But, just to entertain 
the idea, and assuming we have allowed the Bluetooth stack to remain 
installed, what potential "harm" would you see if a patch for the 
Bluetooth stack were installed unattended?



>>  1. The risk of being non-functional is of lesser importance and
>>     potential impact, compared to the risk of remaining vulnerable
>>     while waiting for a human review.
>>
>> We believe that OS patches, digitally signed by the software vendor 
>> and provided through secure channels, MUST be allowed as a dully 
>> approved Change Management Policy practice, to be applied without 
>> employing a human review process. Such updates and patches are 
>> beforehand thoroughly tested by the software vendors themselves and 
>> the CA staff should be discouraged to duplicate such a process with 
>> dubious results.
>>
> Again - I don't think anyone is asking for the CAs to _duplicate_ the 
> QA processes of the software vendor - merely to be assured that the 
> patches which are going to be installed are proportionate to the risk 
> being mitigated.
>

If a CA trusts the OS vendor for its QA process and its security 
practices, the CA probably doesn't need to repeat this process. Also, it 
is possible that for some cases, the CA has pre-determined (via its 
Change Management Policy) that the risks being mitigated from security 
OS patches outweigh the risks of "breaking" things.

> For the vast majority of (non-emergency) patches which get applied - 
> surely we apply them to test systems before we go live on production? 
> Isn't that part of a proper review?
>

Repeating our previous statement, in most cases the risk of being "down" 
is smaller then the risk of being "vulnerable" and there are several 
compensating controls the CA can implement to mitigate this issue.

> And I would be horrified to learn if CAs are installing software right 
> now _without_ ensuring that software's authenticity and integrity!
>

So would we :-)

>> The recommended change in 1.h:
>>
>> "Ensure that the CA’s security policies encompass a Change Management 
>> Process, following the principles of documentation, approval and 
>> testing, and to ensure that all changes to Certificate Systems, 
>> Issuing Systems, Certificate Management Systems, Security Support 
>> Systems, and Front-End / Internal-Support Systems follow said Change 
>> Management Process;"
>>
>> doesn't seem to clearly allow this practice. We cannot support a 
>> ballot that enforces manual human review in applying OS patches which 
>> puts systems at risk, even for a short amount of time.
>
> I think that it does allow the practice, even for urgent changes - 
> most Change Management Systems encompass the notion of Emergency 
> Change Orders. The review can be as little as "we cannot accept the 
> vulnerability existing a moment longer; the vendor has produced patch 
> X; fire up an ECO and phone the Chief Operating Officer because the 
> risk of not deploying the patch is greater than the risk of deploying it".
>

We believe that all security OS patches should be considered "ECO". 
*Security *vulnerabilities are introduced quite frequently (several days 
per week). CAs have publicly accessible systems that are scanned 
constantly in search of vulnerabilities.

> I guess that my question then boils down to this: other high risk or 
> high accountability institutions have rigorous change order management 
> processes, which encompass emergency changes too - isn't the onus on 
> CAs to explain why their business is so radically different so as not 
> to be a proper fit for such widespread processes?
>

The same applies to ACME implementations that push for more automation. 
Manually approving updates is not a one-size-fits-all solution. Yes, 
there are some more critical systems that would make sense to have 
manual approvals of security updates but some others would be better 
(best practice) if the security updates were applied as quickly as 
possible (with or without the curated mirror you proposed). We suggest 
keeping the time between when a patch is available to when the patch is 
installed, to a minimum. Regardless of how many humans are in the 
decision process, we believe that some systems would be more secure if 
there were no manual approvals by humans for security patches.

We hope to have provided a clear view of our position and why we see 
real security benefit from quick and automated installation of OS 
security patches.


Best regards,
Dimitris.

> Regards,
>
> Neil
>
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200401/da6967fd/attachment.html>

More information about the Servercert-wg mailing list