Bug 571817 (CVE-2010-1192, CVE-2010-1194)

Summary: CVE-2010-1192 CVE-2010-1194 libESMTP: Multiple certificate validation flaws
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jskarvad, pawsa, pertusus, rz, salek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://ioactive.com/pdfs/PKILayerCake.pdf
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-30 10:53:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 571839, 571844, 1114552    
Bug Blocks:    
Attachments:
Description Flags
Local copy of libesmtp-match-component-DBTS#311191 patch
none
Local copy of proposed libESMTP SSL patch by Ludwig Nussel of SUSE
none
Proposed fix from Pawel Salek from yesterday none

Description Jan Lieskovsky 2010-03-09 16:09:44 UTC 
Issue 1, 
--------

Kees Cook from Ubuntu Security Team pointed out:
    [1] http://www.openwall.com/lists/oss-security/2010/03/03/6 

that libesmtp is prone to similar attack as CVE-2009-2408
for Firefox / NSS was:
    [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
    [3] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2408 

Dan Kaminsky in his research paper:
    [4] http://ioactive.com/pdfs/PKILayerCake.pdf 

details inconsistencies in the interpretation of subject
x509 names in certificates. Specifically "issue 2, attack 2c"
regarding NULL terminators in a Common Name field.  An attacker
could create a malicious certificate containing a NULL,
which, if they were able to get it signed, could confuse
a client into accepting it by mistake.

Issue 2,
--------
Martin Lambers in relevant Debian bug report:
    [5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311191

pointed out that (quoting from [5]):

"match_component() will accept two strings as equal if they
start equal but don't have equal length. For example, match_domain("mail.example.com", "mailhub.example.com") and
match_domain("mail.somewhere.com", "mail.somewhere-else.com") 
return 1, not 0."

CVE Request:
------------
    [6] http://www.openwall.com/lists/oss-security/2010/03/03/6
Comment 1 Jan Lieskovsky 2010-03-09 16:31:08 UTC 
Created attachment 398839 [details]
Local copy of libesmtp-match-component-DBTS#311191 patch

Local copy of libESMTP match_component() patch, as applied
in Debian (Debian BTS#311191). Extracted from:
  http://us.archive.ubuntu.com/ubuntu/pool/universe/libe/libesmtp/libesmtp_1.0.4-2.diff.gz
Comment 5 Jan Lieskovsky 2010-03-10 16:31:15 UTC 
Post with proposed patch from Ludwig Nussel of SUSE:
  [7] http://www.openwall.com/lists/oss-security/2010/03/10/3
Comment 6 Jan Lieskovsky 2010-03-10 16:34:15 UTC 
Created attachment 399130 [details]
Local copy of proposed libESMTP SSL patch by Ludwig Nussel of SUSE
Comment 7 Jan Lieskovsky 2010-03-10 16:39:39 UTC 
Created attachment 399131 [details]
Proposed fix from Pawel Salek from yesterday
Comment 8 Tomas Hoger 2010-03-12 08:31:45 UTC 
There's still on-going discussion about the fix for this issue:
  http://thread.gmane.org/gmane.comp.security.oss.general/2637
Comment 9 Jan Lieskovsky 2010-03-31 18:11:15 UTC 
Common Vulnerabilities and Exposures assigned following identifiers
to these issues:

A, CVE-2010-1192

libESMTP, probably 1.0.4 and earlier, does not properly handle a '\0'
character in a domain name in the subject's Common Name (CN) field of
an X.509 certificate, which allows man-in-the-middle attackers to
spoof arbitrary SSL servers via a crafted certificate issued by a
legitimate Certification Authority, a related issue to CVE-2009-2408.

References:
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1192
  [2] http://www.openwall.com/lists/oss-security/2010/03/03/6
  [3] http://www.openwall.com/lists/oss-security/2010/03/09/3

B, CVE-2010-1194

The match_component function in smtp-tls.c in libESMTP 1.0.3.r1, and
possibly other versions including 1.0.4, treats two strings as equal
if one is a substring of the other, which allows remote attackers to
spoof trusted certificates via a crafted subjectAltName.

References:
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1194
  [2] http://www.openwall.com/lists/oss-security/2010/03/03/6
  [3] http://www.openwall.com/lists/oss-security/2010/03/09/3
  [4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311191
Comment 10 Richard Z. 2013-12-27 21:00:28 UTC 
Should this bug be closed now that there are much newer versions of libESMTP?

Changelog (http://www.stafford.uklinux.net/libesmtp/ChangeLog.txt) mentions related changes though I did not look at the implementation details.
Comment 11 Tomas Hoger 2014-06-30 10:51:57 UTC 
(In reply to Richard Zidlicky from comment #10)
> Should this bug be closed now that there are much newer versions of libESMTP?

It does not seem this ever got fixed in EPEL-5.
Comment 12 Tomas Hoger 2014-06-30 10:52:16 UTC 
Created libesmtp tracking bugs for this issue:

Affects: epel-5 [bug 1114552]
Comment 13 Tomas Hoger 2014-06-30 10:53:42 UTC 
The libesmtp packages in the Red Hat Enterprise Linux 6 were fixed before the initial product release.