Bug 1109999 (CVE-2014-3495)

Summary: CVE-2014-3495 duplicity: improper verification of SSL certificates
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: carnil, henri, metherid
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 02:33:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1110003, 1110004
Bug Blocks:

Description Vincent Danen 2014-06-16 19:45:26 UTC
Eric Christensen of Red Hat Product Security reported [1] that Duplicity did not handle wildcard certificates properly.  If Duplicity were to connect to a remote host that used a wildcard certificate, and the hostname does not match the wildcard, it would still consider the connection valid.  An example of this is provided:

$ openssl s_client -connect s3-1-w.amazonaws.com:443 -crlf
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA - G3
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = Amazon.com Inc., CN = *.s3.amazonaws.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.s3.amazonaws.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

In this instance, the domain being connected to is not *.s3.amazonaws.com, but s3-1-w.amazonaws.com.  There is currently no upstream fix.

[1] https://bugs.launchpad.net/duplicity/+bug/1314234


Acknowledgements:

This issue was discovered by Eric Christensen of Red Hat Product Security.
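The check a TLS client has to make after the chain verifies is the one the report says was missing: does the name presented in the certificate actually cover the host being connected to? The following is an added illustration, not Duplicity's code and not the upstream fix. It implements the usual RFC 2818 / RFC 6125 matching rules (a wildcard is only valid as the whole left-most label, it must leave at least two real labels, and it stands for exactly one label), and the names it is exercised with are the ones from the openssl session above: the certificate's CN `*.s3.amazonaws.com` and the connected host `s3-1-w.amazonaws.com`. Sibling names such as `mybucket.s3.amazonaws.com` are constructed for contrast.

```python
"""Hostname-vs-certificate-name matching for the case in this report.

Added example, not Duplicity's code. Implements the common RFC 2818 /
RFC 6125 wildcard rules. Partial-label wildcards such as "f*.example.com"
are rejected outright, which is stricter than the RFC but matches what
current clients do.
"""


def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, and split it into labels."""
    name = name.rstrip(".").lower()
    labels = name.split(".")
    if not name or any(not label for label in labels):
        raise ValueError("malformed DNS name: %r" % name)
    return labels


def dnsname_matches(cert_name, hostname):
    """Return True only if `hostname` is covered by the certificate name `cert_name`."""
    # A hostname never contains a wildcard; refuse rather than accept by accident.
    if "*" in hostname:
        return False
    host = _labels(hostname)

    # No wildcard: the comparison is an exact, case-insensitive label match.
    if "*" not in cert_name:
        return _labels(cert_name) == host

    pat = _labels(cert_name)
    # The wildcard must be the entire left-most label, appear nowhere else,
    # and leave at least two labels of real domain ("*.com" is not acceptable).
    if pat[0] != "*" or any("*" in label for label in pat[1:]) or len(pat) < 3:
        return False
    # The wildcard stands for exactly one label, so the label counts must agree
    # and every label after the wildcard must match exactly.
    return len(host) == len(pat) and host[1:] == pat[1:]


def check_connection(hostname, cert_dns_names):
    """The decision a client must make after chain verification succeeds.

    Accept only if at least one name the certificate presents covers the host
    we intended to reach; otherwise the connection must be rejected.
    """
    return any(dnsname_matches(name, hostname) for name in cert_dns_names)


if __name__ == "__main__":
    # Values taken from the openssl s_client output in the report.
    presented = ["*.s3.amazonaws.com"]
    for host in ("s3-1-w.amazonaws.com", "mybucket.s3.amazonaws.com"):
        verdict = "accept" if check_connection(host, presented) else "REJECT"
        print("%-28s against %-20s -> %s" % (host, presented[0], verdict))
```

Run stand-alone, the script rejects `s3-1-w.amazonaws.com` against `*.s3.amazonaws.com` (the wildcard covers `<one label>.s3.amazonaws.com` only) and accepts `mybucket.s3.amazonaws.com`. A client that reports "verify return:1" for the chain but skips this step is in exactly the position the report describes.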

Comment 1 Vincent Danen 2014-06-16 19:49:57 UTC
Created duplicity tracking bugs for this issue:

Affects: fedora-all [bug 1110003]
Affects: epel-all [bug 1110004]

Comment 2 Henri Salo 2014-06-18 19:44:14 UTC
Do you have information why https://bugs.launchpad.net/duplicity/+bug/1314234 does not work? Is this embargoed issue?

Comment 3 Vincent Danen 2014-06-18 21:00:47 UTC
Indeed it is.  I don't know why it still is.  We had communicated quite clearly that we didn't want to sit on this forever and had a deadline that we missed twice I think.  When this bug was filed public, I let them know so I'm not sure why they've not opened it up yet.

Comment 4 Rahul Sundaram 2014-06-19 15:12:17 UTC
Not sure I can do much without an upstream fix.  So I guess I will just wait unless someone else provides a patch.

Comment 5 Henri Salo 2014-06-19 15:32:15 UTC
I contacted upstream. Reference URL is now open.

Comment 6 Rahul Sundaram 2014-06-19 16:03:28 UTC
Subscribed.  Thanks!

Comment 7 Product Security DevOps Team 2019-06-08 02:33:38 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.