Bug 688755 (CVE-2011-1429)

Summary: CVE-2011-1429 mutt: SSL host name check may be skipped when verifying certificate chain
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Nobody <nobody>
Status: ASSIGNED
Severity: medium
Priority: medium
Version: unspecified
CC: hhorak, mlichvar, ovasik, pertusus
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Bug Depends On: 688756, 716889, 716890
Bug Blocks: 716430

Attachments:
proposed patch - always check the first cert in chain (flags: none)

Description Vincent Danen 2011-03-17 22:13:36 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1429 to
the following vulnerability:

Name: CVE-2011-1429
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1429
Assigned: 20110316
Reference: http://seclists.org/fulldisclosure/2011/Mar/87
Reference: http://www.securityfocus.com/bid/46803
Reference: http://xforce.iss.net/xforce/xfdb/66015

Mutt does not verify that the smtps server hostname matches the domain
name of the subject of an X.509 certificate, which allows
man-in-the-middle attackers to spoof an SSL SMTP server via an
arbitrary certificate, a different vulnerability than CVE-2009-3766.

Comment 1 Vincent Danen 2011-03-17 22:14:33 UTC
Created mutt tracking bugs for this issue

Affects: fedora-all [bug 688756]

Comment 2 Jan Lieskovsky 2011-03-22 17:13:45 UTC
Upstream bug report:

http://dev.mutt.org/trac/ticket/3506

Comment 3 Honza Horak 2011-05-26 13:57:26 UTC
Created attachment 501098 [details]
proposed patch - always check the first cert in chain

Comment 9 Tomas Hoger 2011-06-27 11:00:34 UTC
As noted in the upstream bug report and later posts in the full-disclosure thread, this problem is not restricted to SMTP SSL connections as the initial report and CVE description indicate, but rather is an SSL verification problem affecting other protocols (IMAP, POP3) too, and it only affects mutt versions built with GnuTLS, not OpenSSL.  The problem is caused by a bug in the code performing verification of the SSL certificate chain, which may cause a host name check failure to be ignored if the certificate was issued by a trusted CA.

This affected mutt in Red Hat Enterprise Linux 6.  The mutt versions in Red Hat Enterprise Linux 4 and 5 are built with OpenSSL, but they do not yet implement any host name checking (see bug #531011).
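
The logic flaw described in comment 9, as an added example (not mutt's own code, and not using GnuTLS): a simplified C model of a chain verification loop in which a trusted CA certificate higher in the chain short-circuits verification before the server certificate's host name is ever compared, next to the corrected order the attached patch title describes (always check the first cert in the chain). The `struct cert`, its `trusted` flag and the sample chains are constructed assumptions for illustration; in the real client those values come from the TLS library.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not mutt's code: a model of the chain-verification
 * logic error from comment 9 beside a corrected version.  The struct,
 * the trusted flag and the sample chains below are constructed
 * assumptions; a real client would obtain them from GnuTLS.
 */

struct cert {
    const char *subject_cn;  /* CN from the certificate subject */
    int trusted;             /* 1 if this cert was verified as issued by (or being)
                                a trusted CA; assumed precomputed by the library */
};

/* Host name comparison.  Only the first certificate in the chain
 * (index 0, the server's own) is expected to name the host. */
static int hostname_matches(const struct cert *c, const char *host)
{
    return c != NULL && c->subject_cn != NULL && strcmp(c->subject_cn, host) == 0;
}

/*
 * Flawed loop: walk the chain from the CA end down to the server cert and
 * accept as soon as any certificate turns out to be trusted.  The host name
 * is compared only when the walk reaches index 0, so a trusted intermediate
 * or CA certificate higher in the chain returns "accept" before the server
 * certificate's name is compared at all.  Returns 1 = accept, 0 = reject.
 */
int check_chain_flawed(const struct cert *chain, int n, const char *host)
{
    for (int i = n - 1; i >= 0; i--) {
        if (i == 0 && !hostname_matches(&chain[i], host))
            return 0;
        if (chain[i].trusted)
            return 1;   /* short-circuits before index 0 for any trusted CA cert */
    }
    return 0;
}

/*
 * Corrected loop: the host name check on the server certificate is done
 * first, and its failure cannot be overridden by anything found higher
 * in the chain.  Only then is trust in the chain considered.
 */
int check_chain_fixed(const struct cert *chain, int n, const char *host)
{
    if (n <= 0 || !hostname_matches(&chain[0], host))
        return 0;
    for (int i = n - 1; i >= 0; i--)
        if (chain[i].trusted)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample chains (not real certificates). */
    const struct cert genuine[] = {
        { "mail.example.net", 1 },   /* server cert, issued by a trusted CA */
        { "Example CA",       1 },   /* trusted CA cert */
    };
    /* MITM scenario: the attacker presents a certificate a trusted CA really
     * did issue, but for a different name than the one the client wanted. */
    const struct cert mitm[] = {
        { "attacker.example.org", 1 },
        { "Example CA",           1 },
    };
    const char *host = "mail.example.net";

    printf("genuine chain: flawed=%d fixed=%d\n",
           check_chain_flawed(genuine, 2, host), check_chain_fixed(genuine, 2, host));
    printf("mitm chain:    flawed=%d fixed=%d\n",
           check_chain_flawed(mitm, 2, host), check_chain_fixed(mitm, 2, host));
    return 0;
}
```

The flawed loop accepts the MITM chain (the trusted "Example CA" entry is reached before index 0), while the corrected loop rejects it because the name mismatch on the server certificate is checked before trust in the rest of the chain is considered. A single-certificate chain would not trigger the flaw, which is why the problem only shows up when a trusted CA certificate is present higher in the chain.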

Comment 11 Tomas Hoger 2011-06-27 11:17:44 UTC
(In reply to comment #3)
> Created attachment 501098 [details]
> proposed patch - always check the first cert in chain

It seems the change has not been committed upstream yet, even though it was proposed a while ago.  Were there any concerns upstream regarding this fix?  Do we want to wait a bit longer for it to be accepted?

Comment 14 errata-xmlrpc 2011-07-19 18:02:01 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0959 https://rhn.redhat.com/errata/RHSA-2011-0959.html