X509 certificate verification problem
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
nagircbot (Ubuntu) |
Expired
|
Undecided
|
Unassigned |
Bug Description
Hostname verification is an important step when verifying X509 certificates, however, people tend to miss the step when using SSL/TLS, which might cause severe man in the middle attack and break the entire TLS mechanism.
We believe that nagircbot didn't check whether the hostname matches the name in the ssl certificate and the expired date of the certificate.
We found the vulnerability by static analysis, typically, a process of verfication involves calling a chain of API, and we can deduce whether the communication process is vulnerable by detecting whether the process satisfies a certain relation.
The result format is like this:
notice: Line Number@Method Name, Source File
We provide this result to help developers to locate the problem faster.
This is the result for nagircbot:
[PDG]ssl_handshake
[Found]
[HASH] 3864143967 [LineNo]@ 17[Kind]
[Warning] SSL_new() not found!
To verify the result:
1.choose a irc website
2.Find the ip of the website, and add the line in /etc/hosts
"IP FakeHostnameOfT
3.nagircbot -c \#nagircbot -s fake.irc:6697
The connection is established, indicating nagircbot didn't check the hostname of the server against the certificate.
Also for expired time check,
1. change the system time to 2200 to guarantee the certificate to be expired.
2. nagircbot -c \#nagircbot -s irchostname:6697
The connection is established again and no warning was given, indicating nagircbot didn't check whether the certificate expired or not.
I am running nagircbot 0.0.33-2 in ubuntu 14.04 LTS.
for more information about the importance of checking hostname:
see http://
Thanks.
information type: | Private Security → Public |
information type: | Public → Public Security |
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https:/ /wiki.ubuntu. com/SecurityTea m/UpdateProcedu res