|Summary:||CVE-2012-5662 x3270: does not properly validate SSL certificates|
|Product:||[Other] Security Response||Reporter:||Vincent Danen <vdanen>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||dhorak, fweimer, pmattes-bugzilla, security-response-team|
|Fixed In Version:||Doc Type:||Bug Fix|
|Last Closed:||2021-10-19 21:58:13 UTC||Type:||---|
|Bug Depends On:||924183, 980316|
Description Vincent Danen 2012-12-21 00:18:10 UTC
Florian Weimer of the Red Hat Product Security Team reported that x3270 did not properly validate SSL certificates. If pr3270 connects to a host that has a mismatched hostname in the certificate, it does not warn that there is a problem with the certificate.

For instance, if bad.ssl.host points to the same IP as good.ssl.host, and it has an HTTPS certificate with the hostname for good.ssl.host:

    $ gnutls-cli bad.ssl.host; echo $?
    ...
    - The hostname in the certificate does NOT match 'bad.ssl.host'
    1

vs.

    $ pr3287 L:bad.ssl.host:443; echo $?
    0

Later versions of x3270 introduced certificate chain validation, but the SSL validation support is incomplete, as was demonstrated above (pr3287 will not complain in such a case).

The version of x3270 as provided with Red Hat Enterprise Linux 6 (3.3.6) uses the system root CA store in /etc/pki/tls/cert.pem, with no way of overriding it. The version as provided with Fedora 17 (3.3.12ga7), on the other hand, does provide the -cadir and -cafile options that allow it to be overridden.
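The check missing in the report above, as an added example (not x3270's code and not the upstream fix): after the chain validates, the name the user asked for still has to be compared against the DNS names in the certificate. The function names are hypothetical, the inputs are assumed to be DNS names rather than IP literals, and production code should call the TLS library's own check (OpenSSL's X509_check_host, for instance) rather than a hand-written matcher.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of the first n bytes (DNS names ignore ASCII case). */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Return 1 if the certificate name `pattern` covers `host`, else 0.
 * A wildcard is accepted only as the entire left-most label ("*.example.com")
 * and stands for exactly one label. Hypothetical helper, assumed DNS-name input. */
int cert_name_matches(const char *pattern, const char *host)
{
    size_t plen = strlen(pattern), hlen = strlen(host);

    if (plen == 0 || hlen == 0)
        return 0;
    if (strchr(pattern, '*') == NULL)
        return plen == hlen && eq_nocase(pattern, host, plen);

    /* Wildcard rules: "*." prefix only, no second '*', two or more labels after it. */
    if (plen < 3 || pattern[0] != '*' || pattern[1] != '.' || strchr(pattern + 1, '*'))
        return 0;
    const char *suffix = pattern + 1;            /* ".example.com" */
    if (strchr(suffix + 1, '.') == NULL)
        return 0;                                /* reject "*.com" */

    const char *dot = strchr(host, '.');         /* end of the host's first label */
    if (dot == NULL || dot == host)
        return 0;
    size_t slen = strlen(suffix);
    return strlen(dot) == slen && eq_nocase(dot, suffix, slen);
}

/* Return 1 if any of the certificate's DNS names covers `host`. */
int cert_covers_host(const char *const names[], size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (cert_name_matches(names[i], host))
            return 1;
    return 0;
}
```

With the certificate from the report (issued for good.ssl.host), `cert_covers_host` accepts a connection to good.ssl.host and rejects one to bad.ssl.host, which is the result gnutls-cli reports and pr3287 does not.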
Comment 1 Vincent Danen 2012-12-21 17:18:10 UTC
Version 3.3.12 is the first version that actually started doing SSL certificate verification.

Statement:

Not vulnerable. This issue did not affect the versions of x3270 as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include support for SSL certificate verification.
Comment 2 Vincent Danen 2012-12-21 17:23:20 UTC
Paul, I've assigned a CVE name to this issue (CVE-2012-5662), which would be ideal to use in any upstream commits for a fix. Likewise, as this is not yet public we would like to coordinate a release date once we have a patch, so that we can inform other vendors prior to making any public commits, releases, or opening this bug up.
Comment 3 Stefan Cornelius 2013-03-21 10:36:40 UTC
Public now and updated upstream packages are available: http://sourceforge.net/projects/x3270/files/x3270/3.3.12ga12/