[Bug 1380231] Re: Potential Vulnerability for X509 Certificate Verification

Jerry Zhang jerryzh168 at gmail.com
Mon Oct 13 09:17:39 UTC 2014


Thanks for your reply.

Sorry, I don't think that we can reach this conclusion from the
analysis. I've deleted that in the report now. This happens because we
are using a template to report this kind of problems.

But about checking the hostname, are you going to act on it or you have
a reason for not doing so?

** Description changed:

  Hostname verification is an important step when verifying X509
  certificates, however, people tend to miss the step when using SSL/TLS,
  which might cause severe man in the middle attack and break the entire
  TLS mechanism.
  
  We believe that nagios-plugins-basic didn't check whether the hostname
- matches the name in the ssl certificate and the expired date of the
- certificate.
+ matches the name in the ssl certificate.
  
  We found the vulnerability by static analysis, typically, a process of verification involves calling a chain of API, and we can deduce whether the communication process is vulnerable by detecting whether the process satisfies a certain relation.
  The result format is like this:
  notice: Line Number at Method Name, Source File
  
  We provide this result to help developers to locate the problem faster.
  
  This is the result for nagios-plugins-basic:
  [PDG]np_net_ssl_init_with_hostname
- 	[Found]SSL_connect()
- 	[HASH] 2965878942 [LineNo]@ 60[Kind]call-site[Char] SSL_connect()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c
- 	[INFO] API SSL_new() Found! --> [HASH] 3737899610 [LineNo]@ 54[Kind]call-site[Char] SSL_new ()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c
- 	[INFO] API SSL_CTX_new() Found! --> [HASH] 26244883 [LineNo]@ 50[Kind]call-site[Char] SSL_CTX_new ()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c
- 	[INFO] API SSLv23_client_method() Found! --> [HASH] 1523132904 [LineNo]@ 50[Kind]call-site[Char] SSLv23_client_method ()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c
- 	[INFO] API SSL_get_peer_certificate() Found! --> [HASH] 316360603 [LineNo]@ 107[Kind]call-site[Char] SSL_get_peer_certificate()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c
- 	[Warning] No SSL_get_peer_certificate() && SSL_get_verify_result() APIs found! Potentially vulnerable!!!
+  [Found]SSL_connect()
+  [HASH] 2965878942 [LineNo]@ 60[Kind]call-site[Char] SSL_connect()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c
+  [INFO] API SSL_new() Found! --> [HASH] 3737899610 [LineNo]@ 54[Kind]call-site[Char] SSL_new ()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c
+  [INFO] API SSL_CTX_new() Found! --> [HASH] 26244883 [LineNo]@ 50[Kind]call-site[Char] SSL_CTX_new ()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c
+  [INFO] API SSLv23_client_method() Found! --> [HASH] 1523132904 [LineNo]@ 50[Kind]call-site[Char] SSLv23_client_method ()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c
+  [INFO] API SSL_get_peer_certificate() Found! --> [HASH] 316360603 [LineNo]@ 107[Kind]call-site[Char] SSL_get_peer_certificate()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c
+  [Warning] No SSL_get_peer_certificate() && SSL_get_verify_result() APIs found! Potentially vulnerable!!!
  
  We don't have a POC because we didn't succeed in configuring this
  software or don't know the way to verify the vulnerability. But through
  the analysis of the source code, we believe it breaks the ssl
  certificate verfication protocol.
  
  for more information about the importance of checking hostname:
  see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
  
  Thanks.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nagios-plugins in Ubuntu.
https://bugs.launchpad.net/bugs/1380231

Title:
  Potential Vulnerability for X509 Certificate Verification

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios-plugins/+bug/1380231/+subscriptions



More information about the Ubuntu-server-bugs mailing list