Bug 632114 (CVE-2011-1094)

Summary: CVE-2011-1094 kdelibs: SSL certificate for IP address accepted as valid for hosts that resolve to the IP
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jreznik, mjc, security-response-team, than
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-05-22 13:33:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 695662, 695663    
Bug Blocks:    
Attachments:
Description Flags
Possible fix none

Description Tomas Hoger 2010-09-09 08:10:57 UTC 
Konqueror / kio_http does not check connection host name against names in SSL certificate correctly.  Besides accepting certificates that have user-supplied host name listed as Common Name or one of the Subject Alternate Names, it also also treats certificate as matching requested side if the certificate was issued for an IP address user-specified host name resolved to.  An attacker able to hijack or poison victim's DNS can use this flaw to perform MITM attack against victim's SSL connections.
Comment 1 Tomas Hoger 2010-09-09 08:16:08 UTC 
The problem seems to be in KIO::TCPSlaveBase.  TCPSlaveBase::connectToHost resolves host name to IP address(es) and uses IP to connect using QSslSocket.  This is expected to result in HostNameMismatch certificate verification error, hence TCPSlaveBase::startTLSInternal implements its own custom host <-> certificate name checking.  However, when server certificate was issued for the IP used to connect, no HostNameMismatch error is reported and the certificate is accepted as matching requested host.
Comment 3 Tomas Hoger 2010-10-07 12:34:27 UTC 
Created attachment 452097 [details]
Possible fix

Possible fix for this issue.  It has to be applied after wildcard handling fixes mentioned in bug #630063, comment #17.  Review appreciated.
Comment 6 Tomas Hoger 2011-01-31 14:59:24 UTC 
(In reply to comment #3)
> Possible fix for this issue.  It has to be applied after wildcard handling
> fixes mentioned in bug #630063, comment #17.  Review appreciated.

Now committed in upstream git:
https://projects.kde.org/projects/kde/kdelibs/repository/revisions/23621737060e4df0fba238c25fb5b65f81181971

Required previous commit after upstream SVN->git migration:
https://projects.kde.org/projects/kde/kdelibs/repository/revisions/078eba4692a0fcf29de077db3972bf56a1702ae2
Comment 7 Tomas Hoger 2011-03-09 09:58:32 UTC 
Patch is included in kdelibs 4.6.1.
Comment 10 errata-xmlrpc 2011-04-21 16:57:28 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0464 https://rhn.redhat.com/errata/RHSA-2011-0464.html