Hostname verification is an important step when verifying X509 certificates, however, people tend to miss the step when using SSL/TLS, which might cause severe man in the middle attack and break the entire TLS mechanism.
We believe that nagios-plugins-basic didn't check whether the hostname matches the name in the ssl certificate and the expired date of the certificate.
We found the vulnerability by static analysis, typically, a process of verification involves calling a chain of API, and we can deduce whether the communication process is vulnerable by detecting whether the process satisfies a certain relation.
The result format is like this:
notice: Line Number@Method Name, Source File
We provide this result to help developers to locate the problem faster.
This is the result for nagios-plugins-basic:
[PDG]np_net_ssl_init_with_hostname
[Found]SSL_connect()
[HASH] 2965878942 [LineNo]@ 60[Kind]call-site[Char] SSL_connect()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c
[INFO] API SSL_new() Found! --> [HASH] 3737899610 [LineNo]@ 54[Kind]call-site[Char] SSL_new ()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c
[INFO] API SSL_CTX_new() Found! --> [HASH] 26244883 [LineNo]@ 50[Kind]call-site[Char] SSL_CTX_new ()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c
[INFO] API SSLv23_client_method() Found! --> [HASH] 1523132904 [LineNo]@ 50[Kind]call-site[Char] SSLv23_client_method ()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c
[INFO] API SSL_get_peer_certificate() Found! --> [HASH] 316360603 [LineNo]@ 107[Kind]call-site[Char] SSL_get_peer_certificate()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c
[Warning] No SSL_get_peer_certificate() && SSL_get_verify_result() APIs found! Potentially vulnerable!!!
We don't have a POC because we didn't succeed in configuring this software or don't know the way to verify the vulnerability. But through the analysis of the source code, we believe it breaks the ssl certificate verfication protocol.
Hostname verification is an important step when verifying X509 certificates, however, people tend to miss the step when using SSL/TLS, which might cause severe man in the middle attack and break the entire TLS mechanism.
We believe that nagios- plugins- basic didn't check whether the hostname matches the name in the ssl certificate and the expired date of the certificate.
We found the vulnerability by static analysis, typically, a process of verification involves calling a chain of API, and we can deduce whether the communication process is vulnerable by detecting whether the process satisfies a certain relation.
The result format is like this:
notice: Line Number@Method Name, Source File
We provide this result to help developers to locate the problem faster.
This is the result for nagios- plugins- basic: net_ssl_ init_with_ hostname SSL_connect( ) call-site[ Char] SSL_connect()[Src] /home/roca/ workspace/ codebase/ code/ubuntu_ pkg/nagios- plugins- basic/nagios- plugins- 1.4.15/ plugins/ sslutils. c call-site[ Char] SSL_new ()[Src] /home/roca/ workspace/ codebase/ code/ubuntu_ pkg/nagios- plugins- basic/nagios- plugins- 1.4.15/ plugins/ sslutils. c call-site[ Char] SSL_CTX_new ()[Src] /home/roca/ workspace/ codebase/ code/ubuntu_ pkg/nagios- plugins- basic/nagios- plugins- 1.4.15/ plugins/ sslutils. c client_ method( ) Found! --> [HASH] 1523132904 [LineNo]@ 50[Kind] call-site[ Char] SSLv23_ client_ method ()[Src] /home/roca/ workspace/ codebase/ code/ubuntu_ pkg/nagios- plugins- basic/nagios- plugins- 1.4.15/ plugins/ sslutils. c peer_certificat e() Found! --> [HASH] 316360603 [LineNo]@ 107[Kind] call-site[ Char] SSL_get_ peer_certificat e()[Src] /home/roca/ workspace/ codebase/ code/ubuntu_ pkg/nagios- plugins- basic/nagios- plugins- 1.4.15/ plugins/ sslutils. c peer_certificat e() && SSL_get_ verify_ result( ) APIs found! Potentially vulnerable!!!
[PDG]np_
[Found]
[HASH] 2965878942 [LineNo]@ 60[Kind]
[INFO] API SSL_new() Found! --> [HASH] 3737899610 [LineNo]@ 54[Kind]
[INFO] API SSL_CTX_new() Found! --> [HASH] 26244883 [LineNo]@ 50[Kind]
[INFO] API SSLv23_
[INFO] API SSL_get_
[Warning] No SSL_get_
We don't have a POC because we didn't succeed in configuring this software or don't know the way to verify the vulnerability. But through the analysis of the source code, we believe it breaks the ssl certificate verfication protocol.
for more information about the importance of checking hostname: people. stfx.ca/ x2011/x2011ucj/ SSL/p38- georgiev. pdf
see http://
Thanks.