Bug 1994998 (CVE-2021-38165)
| Summary: | CVE-2021-38165 lynx: Disclosure of HTTP authentication credentials via SNI data | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | unspecified | CC: | kdudka, svashisht | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: |
A flaw was found in the way lynx parsed URLs with userinfo part containing authentication credentials. These credentials were included in the Server Name Indication (SNI) TLS extension data and sent unencrypted during the TLS connection handshake. This could lead to exposure of authentication credentials to attackers able to eavesdrop on network connection between the lynx browser and the server.
|
Story Points: | --- | ||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2022-05-11 20:45:15 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1994999, 1996024, 1996025 | ||||||
| Bug Blocks: | 1995001 | ||||||
| Attachments: |
|
||||||
|
Description
Marian Rehak
2021-08-18 09:27:57 UTC
Created lynx tracking bugs for this issue: Affects: fedora-all [bug 1994999] Created attachment 1815719 [details]
Upstream patch
Extracted from lynx 2.9.0dev.9.
This issue was caused by incorrect extraction of server host names from URLs for use during TLS/SSL connection handshakes. If URL contained userinfo part, i.e. authentication credentials, embedded in URLs as http://user:password@server.name, the extracted hostname included not only "server.name", but also the credentials part "user:password". This value was used during verification of server identity and would often cause verification to fail due to connection hostname not matching name stored in server certificate. Verification could still succeed for wild card certificates. The value was also included as part of the Server Name Indication (SNI) TLS extension data and sent unencrypted as part of the Client Hello packet during the TLS connection handshake. This is how authentication credentials could have been exposed to an attacker able to eavesdrop on the network connection between the lynx browser and the server. This issue did not affect lynx version in Red Hat Enterprise Linux 6, as SNI support was first added to lynx in version 2.8.7pre2: https://lynx.invisible-island.net/current/CHANGES.html#v2.8.7pre.2 Note that this issue can not be exploited by having a victim visit a malicious URL or page prepared by an attacker, as such URL or any link on such page would only contain credentials already known to an attacker. The issue is only relevant in cases when a user uses lynx to access some trusted URL with credentials included as part of the URL, e.g. by following such link form some "bookmark" page. Hence an information leak can only happen when victim performs a specific action that is out of attacker's control. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:2129 https://access.redhat.com/errata/RHSA-2022:2129 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-38165 |