no SSL certificate verify

Bug #1677493 reported by Ruan Linqi on 2017-03-30
Affects: r-cran-rsclient (Ubuntu) | Importance: Undecided | Assigned to: Unassigned

Bug Description

Hi developers:
    We made a large-scale security static analysis on several open source projects, and found some mistakes in r-cran-rsclient_0.7-3. In the @src/cli.c:146:

    static int tls_upgrade(rsconn_t *c) {
        SSL *ssl;
        SSL_CTX *ctx;
        if (first_tls)
            init_tls();
        ctx = SSL_CTX_new(SSLv23_client_method());
        SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
        c->tls = ssl = SSL_new(ctx);
        c->send = tls_send;
        c->recv = tls_recv;
        SSL_set_fd(ssl, c->s);
        /* SSL_CTX_free(ctx) // check whether this is safe - it should be since ssl has the reference ... */
        return SSL_connect(ssl);
    }

  When the SSL connect finishes, you immediately start to execute read/write operations without verifying the certificate, which can lead to a MITM attack and cause leakage of sensitive data. We recommend you add a verify operation such as SSL_CTX_set_verify or SSL_get_peer_certificate to guarantee the security.

information type: Private Security → Public