Trail of Bits

SecureDrop

Type

Security review

Client

Freedom of the Press Foundation

Date

2020-12

Domain

AppSec

Effort

8 wks

Section

Technology Product Reviews

Trail of Bits's security review of SecureDrop for the Freedom of the Press Foundation (Dec 2020) identified 26 issues: 1 high, 6 medium, 7 low, and 12 informational.

Findings · 26

  1. Incorrect TOR_V2_AUTH_COOKIE_REGEX regular expression when validating config Informational
  2. Verifying Qubes installation media is confusing and error-prone Informational
  3. Only support Intel hardware, as AMD appears to lack sufficient testing Informational
  4. The order of operations in the safe_mkdir function allows an attacker to create the directory with broader permissions Low
  5. The downloaded submission may end up in an overly permissioned directory Low
  6. Qubes qrexec tools handle libvchan_recv and libvchan_send return values inconsistently Informational
  7. Whonix.NewStatus Qubes RPC should be redesigned Informational
  8. The offline mode doesn't require any authentication Low
  9. Downloaded submissions have too broad permissions Low
  10. Passwordless root access in VMs Low
  11. qrexec-daemon in Qubes >= 4.1 could misidentify policy engine replies Informational
  12. The sd-app downloads submissions to a file path fully trusted from the server, allowing for path traversal High
  13. The migration script adds a non-existent path to sys.path Informational
  14. The sd-proxy and sdclientapi allow duplicate JSON keys Informational
  15. Backup files remain valid policies Low
  16. The securedrop-export in sd-devices unpacks incoming archives in a way that allows for placing unpacked files in arbitrary paths Medium
  17. An arbitrary file write allows adding or overwriting MIME type handlers in any SecureDrop VM Medium
  18. The sd-app VM can call many different apps in sd-devices Medium
  19. The sd-viewer DispVM can DoS Qubes OS Medium
  20. Redundant AppArmor policy entries Informational
  21. Some spawned processes are not waited upon or terminated, which may lead to resource leaks in certain scenarios Informational
  22. The authorization key is valid for 8 hours Low
  23. The export UI reports an inaccurate error for exporting to an external USB drive with more than one partition Informational
  24. The validate_config script uses assertions that may be optimized out Informational
  25. Sysctl kernel configuration hardening Medium
  26. Hardening of SecureDrop applications Medium

Findings extracted from the published report PDF. See the full report below for details and remediation.