Äänestysjärjestelmän auditointiraportti 2015 Ja tehdyt toimenpiteet

oc
\V/AV//
J((fl
Jt’(
fl
OULUN
YLIOPISTON
YLIOPPILASKUNTA
OTE KESKUSVAALILAUTAKUNNAN PÖYTÄKIRJASTA 18.9.2015
6 5 Sähköisen äänestysjärjesteLmän auditointiraportti ja toimenpiteet
Vaalijärjestyksen 15 §:n mukaan käytettävän sähköisen vaalijärjestelmän tulee toteuttaa seuraavat ehdot:
1) vaalijärjestelmän tietoturvan taso on riittävä;
2) äänestäjän henkilöllisyys varmistetaan uskottavasti ennen äänestämistä;
3) äänestäjän henkilöllisyyttä ei pystytä jälkikäteen yhdistämään mihinkään tiettyyn anne ttuun ääneen;
4) äänestäjä voi käyttää äänioikeuttaan ainoastaan kerran;
5) vaalijärjestelmään tulee voida suorittaa annettujen äänten ja laskennan tarkistus kuitenkaan
äänestyssalaisuutta vaarantamatta; sekä
6) vaalijärjestelmä perustuu avoimeen lähdekoodiin.
Sähköiselle vaalijärjestelmälle tulee suorittaa aikaisintaan 4 kuukautta ennen vaalipäivää
tietoturvatarkastus, jonka toimittaa keskusvaalilautakunnan nimeämä riippumaton taho. Tämän tahon voi
nimetä myös edustajista. Tietoturvatarkarkastuksesta annettu loppuraportti on julkinen asiakirja sen
saapuessa ylioppilaskuntaan.
KVL käsitteli asiaa kokouksessaan 3/2015 ja päätti tilata auditoinnin Nord Softwarelta. Auditointiraportti on
nyt valmistunut ja siinä esitetyt huomiot on viety tietoon äänestysjärjestelmän tekijöille.
Lauri Heikkinen lähetti raportin pohjalta P5 Manniselle seuraavansisältöisen sähköpostiviestin:
Hei,
nyt olisi nuo kaikki korjaukset tehty. Korjasin juuri nuo tietoturvaan vaikuttaneet viat sekä auditoinnissa
mainitut koodissa olevat bugit mutta en alkanut enään koodin luettavuuteen tai muihin laatu seikkoihin
puuttumaan. Kaiken kaikkiaan aikaa kului noin 8h mukaan laskettuna auditoinnissa avustus.
-
Lauri
P5 Manninen on tilannut päivittänyt serverille lisää tehoa raportissa mainitulla tavalla.
Liite: Auditointiraportti
Esittetijä: PS Manninen
Päätösesitys: Merkitään tiedoksi auditointiraportti
äänestysjärjestelmän kanssa aiotussa aikatauWssa.
ja
Lauri
Heikkisen
sähköpostiviesti.
Edetään
Päätös: Esityksen mukaan.
OULUN YLIOPISTON YLIOPPILASKUNTA
KIRJEET: PL 250,90014 OULUN YLIOPISTO.
VIERAILUT: ERKKI KOISO KANT11LAN KATU, Xl OVI, 2. KRS, 90570 OULU.
PUH: ÷35850 407 9623, TOIMISTO@O’rYFI, WWW.OY’Y.FI
p nord
1.9.2015
age
SOFTWAEIE
Audit report
—
/
OYY Sähköinen äänestysjärjestelmä
Confidential
OYY Sähköinen äänestys Audit
Nord Software Senior Developer Kenneth Söderlund audited the electronic voting
system of OYY (http://vaalit.ovv.fi/) during 31.8.2015 1.9.2015.
—
The focus of the audit was to ensure that basic proper information security was upheld
and that the software was working as it should. At the same time, after discussion with
developer Lauri Heikkinen, Kenneth decided to focus on creating improvement
suggestions as well for the developers.
No project management etc. practices were audited, as it became clear from a discussion
with Lauri Heikkinen that that kind of audit was of no use, as the project team itself has
aiready been disbanded.
For the audit Kenneth used a few open source programs to check for different known
security vuinerabilities, such as SSL-, XSS-, SQL-injection and CSRF-vulnerabilities.
General conclusions
-
-
-
-
-
/ strong recommendations
Fix the few easy-to-fix bugs in the software
Upgrade the server environment ASAP, the current server environment will not he
able to withstand the type of internet traffic the election is going to have
There are some rather serious information security problems with the software, they
should be fixed prior to release
No proper documentation has been done, and further development of the software is
going to he hard without Lauri Heikkinen
The basic code quality is rather shoddy
Server environment
Probiem:
The code repository is straight under the /var/www/ -foider, which is accessible with a
browser. This means, that files and folders like ‘sql•tables” and “.git” can he accessed
with any browser. This makes the server insecure and prone for attacks.
Solution:
Create a new user on the server, for example www, and move the repository under
/home/www/repos/.
Then create symlinks (in —s) only to the necessary files and folders that are needed for
the software to work. This wiIl reduce any possibilities for accessing important files and
folders on the server.
Probiem:
The server itself is quite basic, with minimum hardware. 1CPU with 1GB RAM, wiIl not
handle a bigger load on the server. If there are hundreds of simultaneous users online,
the site might crash, or slow down considerably.
Nord Software Oy Runeberginkatu 43 B 12, 00100 Helsinki
© Nord Software oy 2015. Ali rights reserved.
—
—
Company 10 F109091295
pj nord
SOFTWARE
Audit report
—
1.9.2015
Page2/
OYY Sähköinen äänestysjärjestelmä
Confidential
Solution:
lncrease RAM at Ieast to 2GB (mayhe even 4GB) and at least add another CPU.
Front-end
Probiem:
javascript
few
a
back-end,
administration
In
the
nuII
app.js:7
of
className’
property
set
Cannot
Uncaught TypeError:
errors
occurs:
Uncaught TypeError: $.bigfoot is not a function (template•adm.php:13)
Solution:
The above errors are easily fixed by changing the code.
1
Websecurify scan
The Websecurify scan did not generate any results for XSS attacks.
2
Subgraph Vega scan
The Vega scan generated the following results:
Hih uriority problems
1) Session Cookie Without Secure Flag
Probiem
Vega has detected that a known session cookie may have been set without the secure
flag.
Impact
Cookies can be exposed to network eavesdroppers.
Session cookies are authentication credentials; attackers who obtain them can get
unauthorized access to affected web applications.
Remediation
When creating the cookie in the code, set the secure tlag to true.
1
http://www.websecurifv.com
2
https://subgraph.com/vea/
Nord Software Oy Runeberginkatu 43 B 12, 00100 Helsinki
© Nord Software Oy 2015. Ali rights reserved.
—
—
Company ID F109091295
pj nord
1.9.2015
age3/
SOFTWAAE
Audit report
—
OYY Sähköinen äänestysjärjestelmä
Confidentiai
2) SSLv3 Supported (POODLE attack, others)
Probiem
Vega detected server support for SSL 3.0. This versiori of the protocol has numerous
known weaknesses and is considered deprecated in favor of newer versions of TLS.
Some of the known weaknesses can resuit in a compromise ofsensitive data such as user
session tokens.
Impact
Data security is at risk due to multiple known weaknesses in SSL 3.0.
This includes the POODLE attack, which could allow decryption ofsensitive data, such as
session cookies.
it should he noted that an attacker with MITM capabilities may be abie to force clients to
use SSL 3.0.
Remediation
Remove support for SSLv3.
Moziiia has recommended settings for Apache, Nginx, Haproxy and others. These
settings include explicitiy supporting TLS [whiie exciuding SSLv2, SSLv3).
It is likely that the HTTPS server must be restarted for any configuration change to take
effect.
Medium priority probiems
1) Ciient Ciphersuite Preference
Probiem
The server can override ciient ciphersuite prioritization during the TLS handshake. This
is usefui for enforcing better, more secure ciphersuites for ali visiting ciients. Vega has
detected that this is not configured in the server, potentiaily ieaving oider ciients at risk.
Impact
User browsers may select less secure cipher suites creating opportunities for attack.
Remediation
HTTPS server should be configured to enforce server ciphersuite preferences. How this
is configured wili vary by server.
Moziiia has inciuded guidelines for configuring server ciphersuite preference for various
implementations.
Nord Software Oy Runeberginkatu 43 8 12, 00100 Helsinki
© Nord Software Oy 2015. Ali rights reserved.
—
—
Company 10 F109091295
p nord
SOFTWAlE
Audit report
—
1.9.2015
age /
OYY Sähköinen äänestysjärjestelmä
Confidential
Low priority problems
1) Form Password Field with Autocomplete Enabied
Probiem
Vega detected a form that included a password input field. The autocomplete attribute
was not set to off. This may resuit in some browsers storing values input by users Iocaily,
where they may be retrieved by thircl parties.
Impact
A password value may he stored on the local filesystem of the client.
Locally stored passwords could he retrieved hy other users or malicious code.
Remediation
The form deciaration should have an autocomplete attribute with its value set to “off”.
Zed Attack Proxy scan
3
The ZED scan generated the following results:
Medium priority
1) X-Frame-Options Header Not Set
Probiem
X-Frame-Options header is not included in the HTTP response to protect against
‘Clickjacking’ attacks.
Solution
Most modern Web browsers support the X-Frame-Options HTTP header. Ensure its set
on ali web pages returned by your site (ifyou expect the page to he framed only hy pages
on your server (e.g. it’s part of a FRAMESET) then you’li want to use SAMEORIGIN,
otherwise if you never expect the page to be framed, you shouid use DENY. ALLOW
FROM aliows specific websites to frame the web page in supported web browsers).
https://www.owasp.org/index.ohp/OWASP Zed Attack Proxy Proiect
Nord Software oy Runeberginkatu 43 0 12, 00100 Helsinki
© Nord Software IJy 2015. Ali rights reserved.
—
—
Company 1D F109091295
p nord
1.9.2015
age
SOFTWARE
Audit report
—
/
OYY Sähköinen äänestysjärjestelmä
Confidential
Low priority
1)Web Browser XSS Protection Not Enabled
Probiem
Web Browser XSS Protection is not enabled, or is disabled by the configuration of the ‘X
XSS-Protection’ HTTP response header on the web server
Other info
The X-XSS-Protection HTTP response header allows the web server to enahle or disahle
the web browsers XSS protection mechanism. The following values would attempt to
enable it:
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=http://www.example.com/xss
The following values would disable it:
X-XSS-Protection: 0
The X-XSS-Protection HTTP response header is currently supported on Internet
Explorer, Chronie and Safari (WebKit).
Note that this alert is only raised if the response body could potentially contain an XSS
payload (with a text-based content type, with a non-zero length).
Solution
Ensure that the web browser’s XSS filter is enabled, by setting the X-XSS-Protection
HTTP response header to 1.
Nord Software Oy Runeberginkatu 43 B 12, 00100 Helsinki
© Nord Software Oy 2015. Ali rights reserved.
—
—
Company ID F109091295
pj nord
SO F TWA R E
Audit report
—
1.9.20 15
Page 6/7
OYY Sähköinen äänestysjärjestelmä
Confidential
Code quality and coding standards
There is room for improvements in the code quaiity, for exampie, following a coding
standard makes the code more readabie. PSR1/PSR2 is a good standard to follow when
coding PHP. If using a good IDE, the coding standard is usually configurable, and easy to
apply to ali code.
There are practicaliy no comments in the code, which makes it hard to understand what
the software does, if a new person starts working on the project. It’s a good practice to
comment at least functions and ciasses.
There are at least a few typos in the code, which resuits in bugs, for exampie in
controliers/controlier.php:2 12-215:
Here the if-check is for sort-order”, but in the switch-case statement “sortorder” is
used.
In many of the if-checks, only two equai signs (== and !=) are used, which might in some
cases cause unexpected behavior. It is better to use strict checking (=== and 1==)
everywhere. This can he easiiy amended by using coding standards and configure the
editor to use them.
header(’Location: ‘); exit; is used in many of the controller actions, this could be moved
into an own function to reduce code duplication.
In workersontrolier.php:110-113 there are no checks that the electionid is found in the
POST-array, and that it exists. If someone were to change the eiectionid in the HTML
before posting the form, this might resuit in unexpected behavior and even voting in
wrong election.
Nord Software Oy Runeberginkatu 43 B 12, 00100 Helsinki
© Nord Software Oy 2015. Ali rights reserved.
—
—
Company lD F109091295
pj nord
S0FTWAFE
Audit report
—
1.9.2015
Page7/7
OYY Sähköinen äänestysjärjestelmä
Confidential
Important notes
Probiem:
The election ID can be changed in the HTML form, and no errors are displayed when
posting the form. Tested by creating two elections, changing the election id for one of
them, and then vote empty. This generated no errors whatsoever. When trying to vote in
the same election again, no candidates were shown, only empty vote.
This might resuit in voting on random elections, which are not, or should not be open for
voting.
Solution:
Wherever using POST or GET, always check that you get what you expect. Check that the
ID is set in the array, and then make sure the election id is found. Good practice is also to
enable CSRF validation, which will handle changes in the HTML form and validate the
form.
Nord Software Oy— Runeberginkatu 43 B 12, 00100 Helsinki
© Nord Software Oy 2015. Ali rights reserved.
—
Company ID F109091295