Potential Vulnerability for X509 Certificate Verification
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
jabberd2 (Ubuntu) |
Expired
|
Undecided
|
Unassigned |
Bug Description
When using OpenSSL, one needs to follow a certain process to ensure the verification of the certificate is successful. But we believe that jabberd2 didn't follow the correct process of verifying X509 certificate which makes certain attacks possible.
We found the vulnerability by static analysis, typically, a process of verification involves calling a chain of API, and we can deduce whether the communication process is vulnerable by detecting whether the process satisfies a certain relation.
The result format is like this:
notice: Line Number@Method Name, Source File
We provide this result to help developers to locate the problem faster.
This is the result for jabberd2:
[PDG]_sx_
[Found]
[HASH] 2773927385 [LineNo]@ 218[Kind]
[Warning] SSL_new() not found!
The result means that jabberd2 uses SSL connection, but it doesn't do this through the SSL_new() API, so the connection will subject to attack since there is no way to verify the certificate this way.
We don't have a POC because we didn't succeed in configuring this software or don't know the way to verify the vulnerability. But through the analysis of the source code, we believe it breaks the ssl certificate verfication protocol.
for more information about the importance of checking hostname:
see http://
Thanks.
information type: | Private Security → Public Security |
description: | updated |
These SSL_new() ? /github. com/jabberd2/ jabberd2/ search? q=SSL_new
https:/