Red Hat Bugzilla – Bug 1005325
CVE-2013-4314 pyOpenSSL: hostname check bypassing vulnerability
Last modified: 2016-04-26 12:11:11 EDT
The pyOpenSSL module implements hostname identity checks but it did not properly handle hostnames in the certificate that contain null bytes. In all releases prior to 0.13.1, the string formatting of subjectAltName X509Extension instances incorrectly truncated fields of the name when encountering the null byte.
When a CA than an SSL client trusts issues a server certificate that has a null byte in the subjectAltName, remote attackers can obtain a certifcate for 'www.foo.org\0.example.com' from the CA to spoof 'www.foo.org' and conduct man-in-the-middle attacks between the pyOpenSSL-using client and SSL servers.
Created pyOpenSSL tracking bugs for this issue:
Affects: fedora-all [bug 1005428]
Please use CVE-2013-4314 for this issue.
The underlying problem exists in pyOpenSSL versions shipped in Red Hat Enterprise Linux 5 and 6. However, it is not exposed in those versions.
Upstream pyOpenSSL version 0.12 added get_extension() method for the X509 type, which allows reading certificate extensions (as X509Extension) from certificates, for example a certificate presented by remote SSL/TLS connection peer. This functionality is not available in earlier versions.
In older versions, it is only possible to construct X509Extension object in the code by specifying its type, whether it's critical, and its value. The intended use of this functionality is during certificate creation. However, it is not possible to create X509Extension with value containing NUL byte. Parameter to the X509Extension constructor is parsed using python's PyArg_ParseTupleAndKeywords() using 's' format for the value parameter, which does not allow strings with embedded NUL bytes.
Note that get_extension() available in newer pyOpenSSL versions does not seem to be used often - no component in upcoming Red Hat Enterprise Linux 7 uses that functionality. Additionally, string representation of subjectAltName X509Extension would require further parsing before it can be used in any hostname identity check. pyOpenSSL does not implement such checks.
Not vulnerable. This issue did not affect the versions of pyOpenSSL as shipped with Red Hat Enterprise Linux 5 and 6.