Bug 1678313 (CVE-2019-3890)

Summary: CVE-2019-3890 evolution-ews: all certificate errors ignored if error is ignored during initial account setup in gnome-online-accounts
Product: [Other] Security Response Reporter: msiddiqu
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: mcrha
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: evolution-ewx 3.31.3 Doc Type: If docs needed, set a value
Doc Text:
It was discovered evolution-ews does not check the validity of SSL certificates. An attacker could abuse this flaw to get confidential information by tricking the user into connecting to a fake server without the user noticing the difference.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-06 00:52:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1678314, 1696760, 1696761, 1696762, 1696763    
Bug Blocks: 1678315    

Description msiddiqu 2019-02-18 13:35:20 UTC 
Evolution Exchange Web Services can silently ignore *all* certificate errors if configured to ignore an initial error in gnome-online-accounts creation. This renders transport security worse than zero as it does not even indicate (logs or UI) that a questionable certificate was presented, leaving the connection open to being viewed and modified.

Upstream issue:

https://gitlab.gnome.org/GNOME/evolution-ews/issues/36
Comment 1 msiddiqu 2019-02-18 13:35:33 UTC 
Created evolution-ews tracking bugs for this issue:

Affects: fedora-all [bug 1678314]
Comment 2 Milan Crha 2019-02-18 14:29:01 UTC 
Thanks for a bug report. The upstream bug had been marked as a duplicate of an older bug there. I'd prefer not to duplicate the work here, also because the upstream changes are not tested yet and because the change requires changes on the evolution-data-server side as well. I'd commit it to the stable version already otherwise.
Comment 9 Riccardo Schirone 2019-04-05 14:45:41 UTC 
Upstream patch:
https://gitlab.gnome.org/GNOME/evolution-ews/commit/915226eca9454b8b3e5adb6f2fff9698451778de
https://gitlab.gnome.org/GNOME/evolution-data-server/commit/6672b8236139bd6ef41ecb915f4c72e2a052dba5
Comment 10 Riccardo Schirone 2019-04-05 14:48:28 UTC 
Upstream issue:
https://gitlab.gnome.org/GNOME/evolution-ews/issues/27
Comment 11 Riccardo Schirone 2019-04-05 15:02:39 UTC 
According to https://gitlab.gnome.org/GNOME/evolution-ews/issues/27, evolution-ews does not validate SSL certificate at all.
Comment 13 errata-xmlrpc 2019-11-05 22:05:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3699 https://access.redhat.com/errata/RHSA-2019:3699
Comment 14 Product Security DevOps Team 2019-11-06 00:52:14 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3890
Comment 15 errata-xmlrpc 2020-03-31 19:21:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1080 https://access.redhat.com/errata/RHSA-2020:1080