Bug 1016832 (CVE-2013-4566)

Summary: CVE-2013-4566 mod_nss: incorrect handling of NSSVerifyClient in directory context
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: alee, awnuk, cfu, dpal, jkurik, jmagne, mharmsen, nkinder, pfrields, rcritten, rmeggins, security-response-team, vkrizan
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-12-13 09:55:47 UTC
Bug Depends On: 989724, 1024536, 1030264, 1030265, 1030267, 1030268, 1030270, 1037722, 1037761    
Bug Blocks: 830846    

Description Tomas Hoger 2013-10-08 19:07:42 UTC
A flaw was found in the way NSSVerifyClient was handled when used in both server / vhost context as well as directory context (specified either via <Directory> or <Location> directive).  If 'NSSVerifyClient none' was set in the server / vhost context (i.e. when the server is configured to not request or require client certificate authentication on the initial connection), and client certificate authentication was expected to be required for a specific directory via the 'NSSVerifyClient require' setting, mod_nss failed to properly require the expected certificate authentication.  A remote attacker able to connect to the web server using such a mod_nss configuration and without a valid client certificate could possibly use this flaw to access the content of the restricted directories.

Documentation of mod_nss configuration directives, including NSSVerifyClient:

https://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html#Directives

As mod_nss is derived from mod_ssl, NSSVerifyClient is meant to be functionally equivalent to mod_ssl's SSLVerifyClient:

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslverifyclient
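
An added example (not part of the bug report and not mod_nss project code): an audit script that finds configurations matching the pattern described above, i.e. 'NSSVerifyClient require' inside a <Directory> or <Location> section whose enclosing server / vhost context is 'none', so those hosts can be prioritised for the fixed packages. The sample configuration, the function name, and treating an unset server-level value as 'none' (mirroring mod_ssl's SSLVerifyClient default) are assumptions.

```python
import re

SECTION_OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
VERIFY = re.compile(r"NSSVerifyClient\s+(\S+)", re.I)
PER_DIR = {"directory", "directorymatch", "location", "locationmatch"}

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = """\
<VirtualHost _default_:8443>
    NSSVerifyClient none
    <Directory "/var/www/html/secure">
        NSSVerifyClient require
    </Directory>
</VirtualHost>
<VirtualHost _default_:9443>
    NSSVerifyClient require
    <Location /admin>
        NSSVerifyClient require
    </Location>
</VirtualHost>
"""

def find_exposed_sections(conf_text):
    """Return (scope, section, line_no) for each per-directory 'require' under a 'none' scope."""
    stack, pending = [], []          # open sections; per-directory 'require' hits
    levels = {"server": "none"}      # assumption: unset behaves like mod_ssl's default
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("</"):    # closing tag: leave the innermost section
            del stack[-1:]
            continue
        m = SECTION_OPEN.match(line)
        if m:
            stack.append((m.group(1), m.group(2).strip()))
            continue
        m = VERIFY.match(line)
        if not m:                    # blank lines, comments, other directives
            continue
        vhosts = [a for n, a in stack if n.lower() == "virtualhost"]
        scope = f"vhost {vhosts[-1]}" if vhosts else "server"
        dirs = [f"<{n} {a}>" for n, a in stack if n.lower() in PER_DIR]
        if not dirs:
            levels[scope] = m.group(1).lower()
        elif m.group(1).lower() == "require":
            pending.append((scope, dirs[-1], no))
    # A vhost without its own setting inherits the server-level value.
    return [p for p in pending if levels.get(p[0], levels["server"]) == "none"]

if __name__ == "__main__":
    print(find_exposed_sections(SAMPLE_CONF))
```

Sections it reports are the ones whose access control depends on the per-directory check that this bug affected; it does not tell you whether the installed mod_nss build is already fixed.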

Comment 7 Tomas Hoger 2013-11-19 16:29:56 UTC
Acknowledgment:

Red Hat would like to thank Albert Smith of OUSD(AT&L) for reporting this issue.

Comment 9 Vincent Danen 2013-12-03 16:32:22 UTC
Created mod_nss tracking bugs for this issue:

Affects: fedora-all [bug 1037722]

Comment 10 errata-xmlrpc 2013-12-03 16:41:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:1779 https://rhn.redhat.com/errata/RHSA-2013-1779.html

Comment 11 Tomas Hoger 2013-12-04 19:43:15 UTC
Patch as applied to Fedora mod_nss packages:

http://pkgs.fedoraproject.org/cgit/mod_nss.git/tree/mod_nss-nssverifyclient.patch?id=63709b8

Not yet merged in mod_nss upstream repository.

Comment 12 Fedora Update System 2013-12-13 05:03:51 UTC
mod_nss-1.0.8-27.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2013-12-13 05:04:57 UTC
mod_nss-1.0.8-27.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2013-12-14 03:03:25 UTC
mod_nss-1.0.8-28.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.