Bug 497983 (CVE-2009-1417)
Summary: | CVE-2009-1417 gnutls: certificate expiration not checked by gnutls-cli [GNUTLS-SA-2009-3] | ||||||
---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> | ||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
Status: | CLOSED WONTFIX | QA Contact: | |||||
Severity: | low | Docs Contact: | |||||
Priority: | low | ||||||
Version: | unspecified | CC: | berrange, jorton, mjc, rjones, tmraz, vdanen | ||||
Target Milestone: | --- | Keywords: | Security | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2009-08-11 08:14:57 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | 504791 | ||||||
Bug Blocks: | |||||||
Attachments: |
|
Description
Tomas Hoger
2009-04-28 08:59:13 UTC
Created attachment 341539 [details]
Upstream patch
For testing purposes, upstream has set up few testing URLs with expired certificates: https://expired.demo.gnutls.org/ - Expired server certificate https://expired-subca.demo.gnutls.org/ - Expire intermediate certificate, server return intermediate CA https://expired-subca2.demo.gnutls.org/ - Expire intermediate certificate server does not return intermediate CA Can be tested using: gnutls-cli expired.demo.gnutls.org GnuTLS is shipped in Red Hat Enterprise Linux 4 and 5. Applications using GnuTLS' certificate verification (libsoup, libvirt, gtk-vnc) already perform activation / expiration date checks. gnutls-cli command line tool is affected by this problem. The impact of this flaw is limited (besides having expired certificate, attacker would need to have associated private key as well and trick user to connect to spoofed SSL/TLS server), and the fix introduces backwards incompatible change. Future updates of gnutls packages in Red Hat Enterprise Linux 4 and 5 may include this change. Public now via upstream security advisory: http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3517 Fix included in upstream version 2.6.6: http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3514 gnutls-cli is documented as a "test program" so I'd struggle to call this a security issue there. Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1417 to the following vulnerability: Name: CVE-2009-1417 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1417 Assigned: 20090424 Reference: MLIST:[gnutls-devel] 20090430 Certificate expiration not checked by gnutls-cli [GNUTLS-SA-2009-3] [CVE-2009-1417] Reference: URL: http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3517 Reference: SECUNIA:34842 Reference: URL: http://secunia.com/advisories/34842 gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet valid or (2) no longer valid, related to lack of time checks in the _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup. This was further discussed internally and it was decided not to backport this change to Red Hat Enterprise Linux 4 and 5. This fix changes documented behaviour, possibly creating a regression for applications that performed all required checks previously (they will no longer report expired / not yet active certificates correctly, rather use generic SSL verification error). Given the low impact of the flaw and the API-breaking nature of the fix, we do not plan to fix this flaw in already released product versions. Future versions containing newer upstream GnuTLS versions will include this fix. |