Bug 889373 (CVE-2012-5662)

Summary: CVE-2012-5662 x3270: does not properly validate SSL certificates
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: dhorak, fweimer, pmattes-bugzilla, security-response-team
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2021-10-19 21:58:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 924183, 980316
Bug Blocks: 889374

Description Vincent Danen 2012-12-21 00:18:10 UTC
Florian Weimer of the Red Hat Product Security Team reported that x3270 did not properly validate SSL certificates.  If pr3287 connects to a host that has a mismatched hostname in the certificate, it does not warn that there is a problem with the certificate.

For instance if bad.ssl.host points to the same IP as good.ssl.host, and it has an HTTPS certificate with the hostname for good.ssl.host:

$ gnutls-cli bad.ssl.host; echo $?
...
- The hostname in the certificate does NOT match 'bad.ssl.host'
1

vs.

$ pr3287 L:bad.ssl.host:443; echo $?
0

Later versions of x3270 introduced certificate chain validation, but the SSL validation support is incomplete, as was demonstrated above (pr3287 will not complain in such a case).

The version of x3270 as provided with Red Hat Enterprise Linux 6 (3.3.6) uses the system root CA store in /etc/pki/tls/cert.pem, with no way of overriding it.  The version as provided with Fedora 17 (3.3.12ga7) on the other hand does provide the -cadir and -cafile options that allow it to be overridden.
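The missing step in the report above is hostname verification: chain validation only proves that some CA issued the certificate, not that it was issued for the name the user typed. The following is an added example (not x3270 or pr3287 code, and not the upstream fix) that implements an RFC 6125-style name check over certificates in the dictionary shape returned by Python's ssl.SSLSocket.getpeercert(). The certificate dicts, the hostnames and the `accepts()` helper are constructed for this example; `verify_hostname=False` models what pr3287 3.3.12 did and `verify_hostname=True` models what gnutls-cli does.

```python
"""Hostname check that pr3287/x3270 3.3.12 skipped: added example, not x3270 code."""
import ipaddress

# Constructed sample certificates in the dict shape Python's
# ssl.SSLSocket.getpeercert() returns.  All three are made up for this example.
GOOD_HOST_CERT = {
    "subject": ((("commonName", "good.ssl.host"),),),
    "subjectAltName": (("DNS", "good.ssl.host"), ("DNS", "*.ssl.example")),
}
# Certificate with a CN but no subjectAltName (legacy issuance).
CN_ONLY_CERT = {"subject": ((("commonName", "good.ssl.host"),),)}
# Certificate whose CN says good.ssl.host but whose SAN lists another name.
CN_VS_SAN_CERT = {
    "subject": ((("commonName", "good.ssl.host"),),),
    "subjectAltName": (("DNS", "other.ssl.host"),),
}


class HostnameMismatch(Exception):
    """Certificate is not valid for the name the client connected to."""


def _dns_match(pattern, hostname):
    """RFC 6125-style comparison of one certificate DNS name with the target.

    Case-insensitive, ignores a trailing dot, and allows only one wildcard as
    the complete leftmost label with at least two labels after it, so
    '*.ssl.example' matches 'app.ssl.example' but not 'a.b.ssl.example' or
    'ssl.example'; partial wildcards such as 'g*.ssl.host' are rejected.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p == [""] or h == [""]:
        return False
    if p[0] == "*":
        return len(p) >= 3 and len(h) == len(p) and p[1:] == h[1:]
    if any("*" in label for label in p):
        return False
    return p == h


def cert_identities(cert):
    """Names the certificate is valid for: SAN entries, or the CN only when
    the certificate carries no SAN at all (SAN takes precedence per RFC 6125)."""
    san = cert.get("subjectAltName", ())
    dns = [v for t, v in san if t == "DNS"]
    ips = [v for t, v in san if t == "IP Address"]
    if not san:
        for rdn in cert.get("subject", ()):
            dns.extend(v for k, v in rdn if k == "commonName")
    return dns, ips


def check_hostname(cert, hostname):
    """Raise HostnameMismatch unless `cert` is valid for `hostname`.

    This runs after chain validation and before any application data is
    sent; without it a certificate for good.ssl.host is silently accepted
    when the user asked for bad.ssl.host, which is the CVE-2012-5662 bug.
    """
    dns, ips = cert_identities(cert)
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:
        addr = None
    if addr is not None:
        if any(ipaddress.ip_address(ip) == addr for ip in ips):
            return
    elif any(_dns_match(name, hostname) for name in dns):
        return
    raise HostnameMismatch(
        f"certificate names {dns + ips} do not match {hostname!r}")


def accepts(cert, hostname, verify_hostname=True):
    """True if the client would proceed with the session.

    verify_hostname=False models pr3287 3.3.12 (chain checked, name not);
    verify_hostname=True models gnutls-cli, which exits 1 on a mismatch.
    """
    if not verify_hostname:
        return True
    try:
        check_hostname(cert, hostname)
    except HostnameMismatch:
        return False
    return True


if __name__ == "__main__":
    for host in ("good.ssl.host", "bad.ssl.host", "app.ssl.example"):
        print(f"{host:16} gnutls-style={accepts(GOOD_HOST_CERT, host)} "
              f"pr3287-3.3.12-style={accepts(GOOD_HOST_CERT, host, False)}")
```

The SAN-before-CN rule matters for the same attack: a certificate whose CN reads good.ssl.host but whose SAN lists a different name must be rejected for good.ssl.host, so the CN is consulted only when the certificate carries no SAN at all. In a real client the dict would come from `getpeercert()` on a socket created with `ssl.create_default_context()`, which already performs this check when `check_hostname` is left enabled.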

Comment 1 Vincent Danen 2012-12-21 17:18:10 UTC
Version 3.3.12 is the first version that actually started doing SSL certificate verification.


Statement:

Not vulnerable. This issue did not affect the versions of x3270 as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include support for SSL certificate verification.

Comment 2 Vincent Danen 2012-12-21 17:23:20 UTC
Paul, I've assigned a CVE name to this issue (CVE-2012-5662), which would be ideal to use in any upstream commits for a fix.  Likewise, as this is not yet public we would like to coordinate a release date once we have a patch, so that we can inform other vendors prior to making any public commits, releases, or opening this bug up.

Comment 3 Stefan Cornelius 2013-03-21 10:36:40 UTC
Public now and updated upstream packages are available:
http://sourceforge.net/projects/x3270/files/x3270/3.3.12ga12/

Comment 4 Stefan Cornelius 2013-03-21 10:46:52 UTC
Created x3270 tracking bugs for this issue

Affects: fedora-all [bug 924183]