Bug 1005325 (CVE-2013-4314)

Summary: CVE-2013-4314 pyOpenSSL: hostname check bypassing vulnerability
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aavati, abaron, amarecek, aortega, apevec, ayoung, btotty, chrisw, dallan, gkotton, henri, jkurik, jlieskov, jruzicka, lhh, markmc, mcepl, nlevinki, pfrields, rbryant, rfortier, rhos-maint, rhs-bugs, sclewis, ssaha, tmraz, vbellur, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: pyOpenSSL 0.13.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-04-24 10:07:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1005428, 1006138
Bug Blocks: 1005327

Description Vincent Danen 2013-09-06 16:24:39 UTC
The pyOpenSSL module implements hostname identity checks but it did not properly handle hostnames in the certificate that contain null bytes.  In all releases prior to 0.13.1, the string formatting of subjectAltName X509Extension instances incorrectly truncated fields of the name when encountering the null byte.

When a CA that an SSL client trusts issues a server certificate that has a null byte in the subjectAltName, remote attackers can obtain a certificate for 'www.foo.org\0.example.com' from the CA to spoof 'www.foo.org' and conduct man-in-the-middle attacks between the pyOpenSSL-using client and SSL servers.

[1] https://mail.python.org/pipermail/pyopenssl-users/2013-September/000478.html
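
The truncation described above, shown next to a length-aware check that rejects such names. This is an added example, not pyOpenSSL code and not part of the original report; the DER bytes are constructed sample data and every function name is hypothetical.

```python
# Added illustration; the names and DER bytes below are constructed sample data.
NUL_NAME = b"www.foo.org\x00.example.com"      # the name quoted in this bug
GOOD_NAME = b"www.example.net"                  # constructed benign entry

def encode_general_names(names):
    """Build a DER GeneralNames SEQUENCE of dNSName ([2], tag 0x82) entries."""
    body = b"".join(bytes([0x82, len(n)]) + n for n in names)
    assert len(body) < 128                      # short-form lengths only
    return bytes([0x30, len(body)]) + body

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def dns_names(san_der):
    """Return every dNSName as raw bytes, using the encoded length only."""
    tag, body, end = read_tlv(san_der, 0)
    if tag != 0x30 or end != len(san_der):
        raise ValueError("expected one GeneralNames SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x82:
            names.append(value)
    return names

def c_string_view(raw):
    """What NUL-terminated string handling sees: bytes before the first NUL."""
    return raw.split(b"\x00", 1)[0].decode("ascii")

def checked_dns_name(raw):
    """Reject NUL, control, space and non-ASCII bytes before any comparison."""
    if not raw or any(b < 0x21 or b > 0x7E for b in raw):
        raise ValueError("rejected dNSName %r" % raw)
    return raw.decode("ascii").lower()

SAMPLE_SAN = encode_general_names([GOOD_NAME, NUL_NAME])
```

`c_string_view(NUL_NAME)` returns the spoofed `www.foo.org`, while `checked_dns_name` raises `ValueError` for the same entry because it validates the full length-delimited value before any hostname comparison.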

Comment 1 Vincent Danen 2013-09-06 22:13:22 UTC
Created pyOpenSSL tracking bugs for this issue:

Affects: fedora-all [bug 1005428]

Comment 2 Henri Salo 2013-09-07 05:58:02 UTC
Please use CVE-2013-4314 for this issue.

Comment 3 Vincent Danen 2013-09-08 14:26:46 UTC
CVE assignment:

http://www.openwall.com/lists/oss-security/2013/09/06/2

Comment 5 Huzaifa S. Sidhpurwala 2013-09-10 06:15:41 UTC
Upstream patch:

http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/revision/169

Comment 11 Tomas Hoger 2014-04-24 10:07:22 UTC
The underlying problem exists in pyOpenSSL versions shipped in Red Hat Enterprise Linux 5 and 6.  However, it is not exposed in those versions.

Upstream pyOpenSSL version 0.12 added the get_extension() method for the X509 type, which allows reading certificate extensions (as X509Extension) from certificates, for example a certificate presented by a remote SSL/TLS connection peer.  This functionality is not available in earlier versions.

In older versions, it is only possible to construct an X509Extension object in the code by specifying its type, whether it's critical, and its value.  The intended use of this functionality is during certificate creation.  However, it is not possible to create an X509Extension with a value containing a NUL byte.  The parameter to the X509Extension constructor is parsed using Python's PyArg_ParseTupleAndKeywords() using the 's' format for the value parameter, which does not allow strings with embedded NUL bytes.

https://docs.python.org/2/c-api/arg.html

Note that get_extension(), available in newer pyOpenSSL versions, does not seem to be used often - no component in upcoming Red Hat Enterprise Linux 7 uses that functionality.  Additionally, the string representation of a subjectAltName X509Extension would require further parsing before it can be used in any hostname identity check.  pyOpenSSL does not implement such checks.

Statement:

Not vulnerable. This issue did not affect the versions of pyOpenSSL as shipped with Red Hat Enterprise Linux 5 and 6.