[Bug 1376595] Re: X509 certificate verification problem

Sun Oct 5 19:57:04 UTC 2014

** Also affects: freetds (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: xfce4-mailwatch-plugin (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to freetds in Ubuntu.
https://bugs.launchpad.net/bugs/1376595

Title:
  X509 certificate verification problem

Status in “freetds” package in Ubuntu:
  New
Status in “scrollz” package in Ubuntu:
  New
Status in “xfce4-mailwatch-plugin” package in Ubuntu:
  New

Bug description:
  Hostname verification is an important step when verifying X509
  certificates, however, people tend to miss the step or to
  misunderstand the APIs when using SSL/TLS, which might cause severe
  man in the middle attack and break the entire TLS mechanism.

  We believe that scrollz didn't check whether the hostname matches the
  name in the SSL certificate and the expired date of the certificate.

  We found the vulnerability by static analysis, typically, a process of
  verification involves calling a chain of API, and we can deduce
  whether the communication process is vulnerable by detecting whether
  the function call process matches a certain model. For example, when
  using OPENSSL, if we call SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE,
  null), we should verify the certificate by calling the function
  SSL_get_peer_certificate() to get the certificate. If the source code
  does not match this model, then we can deduce this code is vulnerable.
  What’ more , Gnutls is the same as Openssl.

  Static analysis result :
  /scrollz-2.1/source/server.c login_to_server() have problems.

  We provide this result to help developers to locate the problem
  faster.

  To verify the result:
  一.Hostname verification
  1. write the file /etc/hosts in order to simulate DNS hijack:
  64.32.24.176	irc.mibbit.net
  46.137.23.30	chat.freenode.net
  (PS：exchange the ip between these two irc servers)

  2. connecting chat.freenode.net with scrollz
  /server -ssl irc.mibbit.net:6697

  3. result : we connected irc.mibbit.net!!

  The fetch succeeded, indicating srcollz didn't check the hostname
  against the signee of the certificate.

  二. Also for expired time check,
  1. change the system time to 2200 to guarantee the certificate to be expired.
  2. run scrollz to connect a normal irc server, such as irc.mibbit.net(46.137.12.30)
  3. result : connect succeed!!

  The fetch succeeded again and no warning was given, indicating scrollz
  didn't check whether the certificate expired or not.

  I am running scrollz 2.1-1.1 in ubuntu 14.04 LTS.

  for more information about the importance of checking hostname:
  see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf

  Thanks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freetds/+bug/1376595/+subscriptions