Bug 215499

Summary: A rogue mirror has an illegitimate iso - with corresponding checksum. Attack?
Product: Services
Reporter: Ladar Levison <ladar>
Component: FTP/WWW Sites & Mirrors
Assignee: FreeBSD Mirror Admin <mirror-admin>
Status: Closed Overcome By Events
Severity: Affects Some People
CC: gitdev, philip
Priority: ---
Version: unspecified
Hardware: Any
OS: Any

Description Ladar Levison 2016-12-22 21:55:11 UTC
If you run this command:

wget -q https://download.freebsd.org/ftp/releases/ISO-IMAGES/11.0/FreeBSD-11.0-RELEASE-amd64-disc1.iso && sha256sum FreeBSD-11.0-RELEASE-amd64-disc1.iso && rm FreeBSD-11.0-RELEASE-amd64-disc1.iso 

You get this sha256sum for the iso:

08b12f2dc378f7a61b5469219824c74a2f9faef580acc85ffab45365df79872d

But if you check the Princeton mirror:

wget -q https://mirror.math.princeton.edu/pub/FreeBSD/releases/ISO-IMAGES/11.0/FreeBSD-11.0-RELEASE-amd64-disc1.iso && sha256sum FreeBSD-11.0-RELEASE-amd64-disc1.iso && rm FreeBSD-11.0-RELEASE-amd64-disc1.iso

You get this rogue hash:

f954780bfad208b1c06a61b2bede54bff4bae61e4436c977f6f595ecf006108e

The scary part is that the checksum file:

wget -q https://mirror.math.princeton.edu/pub/FreeBSD/releases/ISO-IMAGES/11.0/CHECKSUM.SHA256-FreeBSD-11.0-RELEASE-amd64

Also contains the rogue hash. I stumbled across this while looking for a reliable/fast https mirror.

For easy cutting and pasting:

[ladar@brothel ~]$ wget -q https://download.freebsd.org/ftp/releases/ISO-IMAGES/11.0/FreeBSD-11.0-RELEASE-amd64-disc1.iso && sha256sum FreeBSD-11.0-RELEASE-amd64-disc1.iso && rm FreeBSD-11.0-RELEASE-amd64-disc1.iso ; wget -q https://mirror.math.princeton.edu/pub/FreeBSD/releases/ISO-IMAGES/11.0/FreeBSD-11.0-RELEASE-amd64-disc1.iso && sha256sum FreeBSD-11.0-RELEASE-amd64-disc1.iso && rm FreeBSD-11.0-RELEASE-amd64-disc1.iso
08b12f2dc378f7a61b5469219824c74a2f9faef580acc85ffab45365df79872d  FreeBSD-11.0-RELEASE-amd64-disc1.iso
f954780bfad208b1c06a61b2bede54bff4bae61e4436c977f6f595ecf006108e  FreeBSD-11.0-RELEASE-amd64-disc1.iso
Comment 1 gitdev 2016-12-23 02:08:00 UTC
The script on a FreeBSD system would use curl rather than wget and sha256 rather than sha256sum.
Comment 2 gitdev 2016-12-23 02:11:23 UTC
FWIW, I confirm that the hash of the iso downloaded from the princeton mirror is as you published.  Maybe the difference is the issue of 11.0-RELEASE and 11.0-RELEASE-p1.
Comment 3 Ladar Levison 2016-12-26 00:58:26 UTC
I tried searching for the rogue hash using Google before submitting, and didn't get any hits of note. Also, the mirror in question hosts RC candidates, although I suspect p1 refers to something else.
Comment 4 Glen Barber freebsd_committer freebsd_triage 2016-12-29 21:18:34 UTC
I have confirmed that the "rogue" checksum is the valid checksum of 11.0-RELEASE before the release needed to be re-rolled.  So, the issue here is a stale mirror.
Comment 5 Glen Barber freebsd_committer freebsd_triage 2016-12-29 21:22:59 UTC
(In reply to Ladar Levison from comment #0)
> If you run this command:
> [...]
> But if you check the Princeton mirror:
> 

Where did you find this mirror?  It is not in the list of mirrors in our zone files, and in order to get the mirror back in sync, we need to contact them.
Comment 6 Xin LI freebsd_committer freebsd_triage 2016-12-29 21:24:34 UTC
(In reply to Ladar Levison from comment #0)
The "rogue" hashes were legitimate ones for the initial 11.0-RELEASE (before 11.0-RELEASE-p1 was published as 11.0-RELEASE), as found in my email archive.  These images should not be used as they lack important fixes, but we do not believe there is anything malicious either, because they were actually built by re@ except they are not "blessed" as the official release.

Please note that the checksum files on FTP are provided for verification if there are any *unintentional* corruptions ONLY.  The PGP signed announcement is a better place to verify if the checksums are genuine.
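A worked illustration of the points made in comments 1 and 6, added here as an example; it is not code posted in this bug or shipped by the FreeBSD Project. It hashes portably (sha256sum on Linux, sha256 on FreeBSD), checks an image against the CHECKSUM.SHA256 file that travelled with it from the same mirror, and then against a digest pinned from an out-of-band source, which is what the PGP-signed announcement provides. The image contents, the two "mirror" directories and the keyring path ./freebsd-re.gpg are constructed for the demo; the gpg call assumes a standard clearsigned announcement and a Release Engineering key you imported separately.

```shell
#!/bin/sh
# Added example, not code from the bug report or the FreeBSD Project.
# Shows why a CHECKSUM.SHA256 file fetched from the same mirror as the image
# only catches transfer corruption, and how a hash pinned from the PGP-signed
# announcement catches a stale or substituted image.
set -eu

# Hash a file portably: sha256sum on Linux/coreutils, sha256 on FreeBSD
# (the difference comment 1 points out).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"
    fi
}

# Pull one file's digest out of a BSD-style checksum list, whose lines look like
#   SHA256 (FreeBSD-11.0-RELEASE-amd64-disc1.iso) = 08b12f2d...
# $1 = checksum file, $2 = image file name. Prints nothing if the name is absent.
expected_hash() {
    awk -v f="$2" '$1 == "SHA256" && $2 == ("(" f ")") { print $4; exit }' "$1"
}

# Check 1: image against the checksum file that came from the same mirror.
# Passes for any image that was copied together with its checksum file, so it
# also passes for the stale image in this bug.
matches_mirror_checksum() {  # $1 = image path, $2 = checksum file path
    [ "$(sha256_of "$1")" = "$(expected_hash "$2" "$(basename "$1")")" ]
}

# Check 2: image against a digest obtained out of band (copied from the signed
# announcement into the build script), independent of whatever the mirror serves.
matches_pinned_hash() {  # $1 = image path, $2 = pinned hex digest
    [ "$(sha256_of "$1")" = "$2" ]
}

# Print the SHA256 lines of a clearsigned announcement, but only if gpg accepts
# the signature against a keyring obtained separately from the mirror. Assumes a
# standard clearsigned text and a keyring file ./freebsd-re.gpg (hypothetical
# path) holding the Release Engineering key; gpg exits non-zero otherwise.
signed_announcement_hashes() {  # $1 = announcement .asc file
    body=$(gpg --no-default-keyring --keyring ./freebsd-re.gpg --batch --decrypt "$1") || return 1
    printf '%s\n' "$body" | awk '$1 == "SHA256" && $3 == "=" { print }'
}

# Constructed demo (not real release images): "download" stands for the
# Project-run https mirror serving the re-rolled 11.0-RELEASE, "stale-mirror"
# for a mirror still serving the original build, each with a checksum file
# that matches its own image.
demo() {
    tmp=$(mktemp -d)
    name=FreeBSD-11.0-RELEASE-amd64-disc1.iso
    sums=CHECKSUM.SHA256-FreeBSD-11.0-RELEASE-amd64
    for m in download stale-mirror; do
        mkdir -p "$tmp/$m"
        printf 'constructed stand-in for the image served by %s\n' "$m" > "$tmp/$m/$name"
        printf 'SHA256 (%s) = %s\n' "$name" "$(sha256_of "$tmp/$m/$name")" > "$tmp/$m/$sums"
    done
    # The digest a build script would carry, copied from the signed announcement
    # of the current release rather than from any mirror.
    pinned=$(sha256_of "$tmp/download/$name")

    for m in download stale-mirror; do
        if matches_mirror_checksum "$tmp/$m/$name" "$tmp/$m/$sums"; then c1=ok; else c1=MISMATCH; fi
        if matches_pinned_hash "$tmp/$m/$name" "$pinned"; then c2=ok; else c2=MISMATCH; fi
        printf '%-13s checksum file from mirror: %-9s pinned announcement hash: %s\n' "$m" "$c1" "$c2"
    done

    # Succeed only when the run shows the point: the stale mirror passes its own
    # checksum file yet fails the pinned hash.
    status=0
    matches_mirror_checksum "$tmp/download/$name" "$tmp/download/$sums" &&
        matches_pinned_hash "$tmp/download/$name" "$pinned" &&
        matches_mirror_checksum "$tmp/stale-mirror/$name" "$tmp/stale-mirror/$sums" &&
        ! matches_pinned_hash "$tmp/stale-mirror/$name" "$pinned" || status=1
    rm -rf "$tmp"
    return "$status"
}

demo
```

Running it prints one line per mirror: the stale mirror's own checksum file matches its image, exactly the situation reported in this bug, while the digest pinned from the announcement does not. The mirror-served checksum file is therefore a transfer-integrity check, and only the signature on the announcement (or a digest copied from it into your own script) ties the image to what re@ actually released.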
Comment 7 Ladar Levison 2016-12-30 15:52:42 UTC
(In reply to Xin LI from comment #6)

I was in the process of scripting the creation of a FreeBSD virtual machine image suitable for testing my mail daemon. In theory, I want to find and eliminate any issues running it atop FreeBSD sooner rather than later.

To that end, I needed to set up a URL and sha256 hash for the installation ISO and wanted a fast mirror with https support, but all I found on the website was an ftp link.

So I checked a couple of the larger mirrors I knew supported https already, and that's how I stumbled across the Princeton mirror. (I couldn't find a list of https mirrors on the website either.) When I ran the build process, it failed with a hash mismatch, since I had set it up with the official announcement hash.

I ended up using the following URL:

https://download.freebsd.org/ftp/releases/ISO-IMAGES/11.0/FreeBSD-11.0-RELEASE-amd64-disc1.iso

Which seems to provide a fast https source, although I can't tell whether it's a mirror (using a DNS round robin, with all the mirrors sharing your TLS certificate) or whether I'm pulling from the master.

L~
Comment 8 Glen Barber freebsd_committer freebsd_triage 2016-12-30 17:26:37 UTC
(In reply to Ladar Levison from comment #7)
> I ended up using the following URL:
> 
> https://download.freebsd.org/ftp/releases/ISO-IMAGES/11.0/FreeBSD-11.0-RELEASE-amd64-disc1.iso
> 
> Which seems to provide a fast https source, although I can't tell whether it's a mirror (using a DNS round robin, with all the mirrors sharing your TLS certificate) or whether I'm pulling from the master.
> 

The Project-operated mirrors (download.freebsd.org) are geographically distributed, and use the same TLS certificate.  There is no longer a singular "master" mirror.