Ubuntu
prayer package

Bug #1374731
Comment #2

Comment 2 for bug 1374731

Revision history for this message

Jerry Zhang (jerryzh168) wrote on 2014-10-17: Re: [Bug 1374731] Re: X509 certificate verification problem

Thanks Magnus, we are glad to hear that.

2014-10-17 4:04 GMT+08:00 Magnus Holmgren <email address hidden>:

> You're right, the client code doesn't seem to verify certificates,
> making TLS mostly pointless. However, traffic between prayer/prayer-
> session, prayer-accountd, and the backend LDAP server typically is over
> the loopback interface or at least a trusted LAN, not over the public
> Internet, making the impact low. I'll see what I can do though.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1374731
>
> Title:
> X509 certificate verification problem
>
> Status in “prayer” package in Ubuntu:
> New
>
> Bug description:
> Hostname verification is an important step when verifying X509
> certificates, however, people tend to miss the step when using
> SSL/TLS, which might cause severe man in the middle attack and break
> the entire TLS mechanism.
>
> We believe that prayer-accountd didn't check whether the hostname
> matches the name in the ssl certificate and the expired date of the
> certificate.
>
> We found the vulnerability by static analysis, typically, a process of
> verfication involves calling a chain of API, and we can deduce whether the
> communication process is vulnerable by detecting whether the process
> satisfies a certain relation.
> The result format is like this:
> notice: Line Number@Method Name, Source File
>
> We provide this result to help developers to locate the problem
> faster.
>
> This is the result for prayer-accountd:
> [PDG]ssl_start_client
> [Found]SSL_connect()
> [HASH] 282435988 [LineNo]@ 660[Kind]call-site[Char]
> SSL_connect()[Src]
> /home/roca/workspace/codebase/code/ubuntu_pkg/prayer-accountd/prayer-1.3.4-dfsg1/lib/ssl.c
> [INFO] API SSL_new() Found! --> [HASH] 1396692037 [LineNo]@
> 651[Kind]call-site[Char] SSL_new()[Src]
> /home/roca/workspace/codebase/code/ubuntu_pkg/prayer-accountd/prayer-1.3.4-dfsg1/lib/ssl.c
> [INFO] API SSL_CTX_new() Found! --> [HASH] 3247568991 [LineNo]@
> 410[Kind]call-site[Char] SSL_CTX_new()[Src]
> /home/roca/workspace/codebase/code/ubuntu_pkg/prayer-accountd/prayer-1.3.4-dfsg1/lib/ssl.c
> [Warning] No secure SSL_Method API found! Potentially vulnerable!!!
>
> We don't have a POC because we didn't succeed in configuring this
> software or don't know the way to verify the vulnerability. But
> through the analysis of the source code, we believe it breaks the ssl
> certificate verfication protocol.
>
> for more information about the importance of checking hostname:
> see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
>
> Thanks.
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/prayer/+bug/1374731/+subscriptions
>

Thanks Magnus, we are glad to hear that.

2014-10-17 4:04 GMT+08:00 Magnus Holmgren <holmgren@debian.org>:

> You're right, the client code doesn't seem to verify certificates,
> making TLS mostly pointless. However, traffic between prayer/prayer-
> session, prayer-accountd, and the backend LDAP server typically is over
> the loopback interface or at least a trusted LAN, not over the public
> Internet, making the impact low. I'll see what I can do though.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1374731
>
> Title:
>   X509 certificate verification problem
>
> Status in “prayer” package in Ubuntu:
>   New
>
> Bug description:
>   Hostname verification is an important step when verifying X509
>   certificates, however, people tend to miss the step when using
>   SSL/TLS, which might cause severe man in the middle attack and break
>   the entire TLS mechanism.
>
>   We believe that prayer-accountd didn't check whether the hostname
>   matches the name in the ssl certificate and the expired date of the
>   certificate.
>
>   We found the vulnerability by static analysis, typically, a process of
> verfication involves calling a chain of API, and we can deduce whether the
> communication process is vulnerable by detecting whether the process
> satisfies a certain relation.
>   The result format is like this:
>   notice: Line Number@Method Name, Source File
>
>   We provide this result to help developers to locate the problem
>   faster.
>
>   This is the result for prayer-accountd:
>   [PDG]ssl_start_client
>         [Found]SSL_connect()
>         [HASH] 282435988 [LineNo]@ 660[Kind]call-site[Char]
> SSL_connect()[Src]
> /home/roca/workspace/codebase/code/ubuntu_pkg/prayer-accountd/prayer-1.3.4-dfsg1/lib/ssl.c
>         [INFO] API SSL_new() Found! --> [HASH] 1396692037 [LineNo]@
> 651[Kind]call-site[Char] SSL_new()[Src]
> /home/roca/workspace/codebase/code/ubuntu_pkg/prayer-accountd/prayer-1.3.4-dfsg1/lib/ssl.c
>         [INFO] API SSL_CTX_new() Found! --> [HASH] 3247568991 [LineNo]@
> 410[Kind]call-site[Char] SSL_CTX_new()[Src]
> /home/roca/workspace/codebase/code/ubuntu_pkg/prayer-accountd/prayer-1.3.4-dfsg1/lib/ssl.c
>         [Warning] No secure SSL_Method API found! Potentially vulnerable!!!
>
>   We don't have a POC because we didn't succeed in configuring this
>   software or don't know the way to verify the vulnerability. But
>   through the analysis of the source code, we believe it breaks the ssl
>   certificate verfication protocol.
>
>   for more information about the importance of checking hostname:
>   see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
>
>   Thanks.
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/prayer/+bug/1374731/+subscriptions
>

Ubuntuprayer package

Comment 2 for bug 1374731

Ubuntu
prayer package