Page MenuHomePhabricator
Create Task
Maniphest T289899

Security Review For Mailman3 / lists.wikimedia.org
Closed, ResolvedPublic
Actions

Description

Project Information

Description of the tool/project:
Mailman3 is a rich mailing list suite, with email and web interfaces. Mailman2 was notoriously insecure, but we've also found issues with Mailman3 that are concerning and could use a deeper review.

Description of how the tool will be used at WMF:

Powers lists.wikimedia.org, facilitates public and private/sensitive discussions across wide groups of Wikimedians.

Dependencies
Technologies used:

  • Exim
  • Python/uwsgi
  • MariaDB
  • Apache httpd

Key Python dependencies:

  • SQLAlchemy
  • django
  • falcon

The rest should be specified in the corresponding setup.py files (it's a longish tree).

Has this project been reviewed before?
I am not aware of a formal review, certainly has happened informally.

Working test environment
A test environment is available in Cloud VPS: https://polymorphic.lists.wmcloud.org/postorius/lists/. Using the Puppet role is generally the best way to get our setup replicated.

Related Objects

Event Timeline

Legoktm created this task.Aug 27 2021, 10:58 PM
Restricted Application added a project: secscrum. · View Herald TranscriptAug 27 2021, 10:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Peachey88 added a subscriber: Peachey88.Aug 27 2021, 11:01 PM
Zabe added a subscriber: Zabe.Aug 27 2021, 11:35 PM
sbassett triaged this task as Low priority.Aug 30 2021, 3:49 PM
sbassett added a project: SecTeam-Processed.
sbassett moved this task from Incoming to Back Orders on the secscrum board.
sbassett added a subscriber: sbassett.

Per IRC convo, we'll try to source a vendor for this work. Dropping in our back orders as a low priority for now.

MoritzMuehlenhoff added a subscriber: MoritzMuehlenhoff.Sep 9 2021, 3:39 PM
taavi added a subscriber: taavi.Sep 9 2021, 6:59 PM
sbassett added a comment.Oct 5 2021, 5:33 PM

So, full disclosure, this doesn't really have a path through the Security-Team at this point. We can help provide guidance on selecting an external vendor and working with them to complete a security review. Please let us know if any of the maintainers of this project would like to explore that option.

Legoktm added a comment.Oct 5 2021, 6:23 PM

I'd still like to get this reviewed somehow, given how much private information is passing through it.

sbassett added a comment.Oct 5 2021, 6:46 PM
In T289899#7403249, @Legoktm wrote:

I'd still like to get this reviewed somehow, given how much private information is passing through it.

I'd say the best approach right now might be to see if SRE has any funding available for a vendor. If yes, we can help source proposals from some of our existing vendors or help source a vendor who might be a good fit for this work.

Legoktm added a subscriber: wkandek.Oct 5 2021, 9:17 PM
JBennett added a subscriber: JBennett.Oct 13 2021, 5:31 PM
In T289899#7403249, @Legoktm wrote:

I'd still like to get this reviewed somehow, given how much private information is passing through it.

What private info do we have flowing thru mailman? What kind of assessment did you have in mind? Seems to me like a code review is not going to happen but we might be able to provide either some risk assessment (security/privacy), threat modeling or other consultative service to help surface and address any concerns. Additionally, we are in the process of onboarding a new pen testing vendor that could potentially have some cycles available for them to look at this but it would be good to wrap our heads around a scope. Happy to grab some time for us to chat if it's helpful.

Legoktm added a comment.Oct 14 2021, 5:57 PM
In T289899#7425529, @JBennett wrote:
In T289899#7403249, @Legoktm wrote:

I'd still like to get this reviewed somehow, given how much private information is passing through it.

What private info do we have flowing thru mailman?

Board, legal, VTRS, functionaries/CU/oversight, ops, and quite a few other private/sensitive mailing lists. Some of these do keep archives in hyperkitty which increases the potential attack surface.

What kind of assessment did you have in mind?

A code review mostly. Just to give an idea of the issues we've had with Mailman3 so far:

There was one more issue (missing access control again) that was recently disclosed but never made it into a release and therefore didn't affect us:

A new vulnerability was reported against Hyperkitty’s git master branch branch which can expose the archives of a private Mailing List through the new Feeds API that was added to Hyperkitty recently to someone who isn't a member or logged-in.

I would have expected a code review to have caught the last 3 issues mentioned.

Also worth pointing out that some parts of Mailman3 are mostly copied out of Mailman2, and well, I think Mailman2's security track record speaks for itself.

Seems to me like a code review is not going to happen but we might be able to provide either some risk assessment (security/privacy), threat modeling or other consultative service to help surface and address any concerns. Additionally, we are in the process of onboarding a new pen testing vendor that could potentially have some cycles available for them to look at this but it would be good to wrap our heads around a scope. Happy to grab some time for us to chat if it's helpful.

Personally I am comfortable with our current deployment in that security wise it's a big step up from Mailman2, but my suspicion is that if someone does look closely they might find other issues. We will probably be fine if we just continue to follow the upstream announcement mailing list and patch as issues are disclosed. I was also hoping this would be a good opportunity for us to support an allied/friendly free software project that we've depended on for 2+ decades now. Our Mailman setup is mostly vanilla upstream (once we catch up with the latest upstream releases that is: T286217), so a review of it would be a review of upstream basically. There have been enough moments (both security and not-security) where we asking "how has no one else run into this?" which leads me to believe no one has recently done an audit or review of Mailman3.

I am not really sure if the blocker right now is funding or resourcing/people's time or something else. After T289899#7403334, I asked @wkandek to see what our options for funding in SRE are. Or maybe we can look into the funds that were set aside for supporting other free software projects. In any case, I'm also fine for this to just sit in the backlog until we can get something figured out, there's really no urgency IMO.

sbassett added a comment.Nov 4 2021, 7:45 PM

Untagging secscrum as this seems a bit stalled and shouldn't be on our active review board. I've left Application Security Reviews in case this work is advanced at some point in the future.

akosiaris added a subscriber: akosiaris.Nov 25 2021, 2:22 AM
sbassett assigned this task to Mstyles.Apr 25 2022, 6:05 PM
sbassett moved this task from Back Orders to Vendor Confirmed on the secscrum board.
sbassett added a subscriber: Mstyles.

Hey all - I believe this review is to be scheduled with an external vendor at some point within the near future. @Mstyles should have more information for you about this engagement soon. Thanks.

Mstyles added a comment.Apr 26 2022, 4:49 PM

We're planning to get this project vendor reviewed and will comment on here when we have clearer dates for that

sbassett moved this task from Vendor Confirmed to In Progress on the secscrum board.Apr 26 2022, 4:50 PM
sbassett moved this task from In Progress to Vendor Confirmed on the secscrum board.
sbassett moved this task from Vendor Confirmed to In Progress on the secscrum board.May 31 2022, 4:54 PM
Mstyles added a comment.May 31 2022, 4:55 PM

Kickoff Meeting was held on May 19 and tested was started by vendor

RhinosF1 added a subscriber: RhinosF1.Jun 20 2022, 2:09 PM
Mstyles added a comment.Jun 21 2022, 4:51 PM

The security assessment is complete and the report review will happen on Wednesday, June 22.

Legoktm added a comment.Jun 26 2022, 2:42 AM
In T289899#8017359, @Mstyles wrote:

The security assessment is complete and the report review will happen on Wednesday, June 22.

Awesome! How did the review go? Could I get a copy of the report as well?

akosiaris added a comment.Jun 27 2022, 12:41 PM
In T289899#8027340, @Legoktm wrote:
In T289899#8017359, @Mstyles wrote:

The security assessment is complete and the report review will happen on Wednesday, June 22.

Awesome! How did the review go? Could I get a copy of the report as well?

We had to reschedule due to some unavailability unfortunately. I 'll let you know once we have done the review.

sbassett moved this task from In Progress to Waiting on the secscrum board.Jul 5 2022, 5:01 PM
Mstyles added a comment.Jul 6 2022, 5:47 PM

The report should go out by the end of this week @Legoktm, I'll make sure to include you on the email. I do want to have a follow up meeting next week to go over the items that were found. Hopefully we can get some time with @akosiaris and @Ladsgroup

Mstyles added a comment.Jul 19 2022, 5:15 PM

The review meeting for the report is happening July 20. Any other follow up tickets that need to be created besides https://phabricator.wikimedia.org/T312506 will be discussed then.

Mstyles closed this task as Resolved.Jul 27 2022, 3:41 PM
Mstyles moved this task from Waiting to Our Part Is Done on the secscrum board.

All issues from the report have been shared with the Mailman 3 contributors. Marking this task as complete

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL