Bug 1016832 - (CVE-2013-4566) CVE-2013-4566 mod_nss: incorrect handling of NSSVerifyClient in directory context
CVE-2013-4566 mod_nss: incorrect handling of NSSVerifyClient in directory con...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20131203,repor...
: Security
Depends On: 989724 1024536 1030264 1030265 1030267 1030268 1030270 1037722 1037761
Blocks: 830846
  Show dependency treegraph
 
Reported: 2013-10-08 15:07 EDT by Tomas Hoger
Modified: 2015-10-15 14:02 EDT (History)
13 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-12-13 04:55:47 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2013-10-08 15:07:42 EDT
A flaw was found in the way NSSVerifyClient was handled when used in both server / vhost context as well as directory context (specified either via <Directory> or <Location> directive).  If 'NSSVerifyClient none' was set in the server / vhost context (i.e. when server is configured to not request or require client certificate authentication on the initial connection), and client certificate authentication was expected to be required for a specific directory via 'NSSVerifyClient require' setting, mod_nss failed to properly require expected certificate authentication.  Remote attacker able to connect to the web server using such mod_nss configuration and without a valid client certificate could possibly use this flaw to access content of the restricted directories.

Documentation of mod_nss configuration directives, including NSSVerifyClient:

https://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html#Directives

As mod_nss is derived form mod_ssl, NSSVerifyClient is meant to be functionally equivalent to mod_ssl's SSLVerifyClient:

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslverifyclient
Comment 7 Tomas Hoger 2013-11-19 11:29:56 EST
Acknowledgment:

Red Hat would like to thank Albert Smith of OUSD(AT&L) for reporting this issue.
Comment 9 Vincent Danen 2013-12-03 11:32:22 EST
Created mod_nss tracking bugs for this issue:

Affects: fedora-all [bug 1037722]
Comment 10 errata-xmlrpc 2013-12-03 11:41:05 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:1779 https://rhn.redhat.com/errata/RHSA-2013-1779.html
Comment 11 Tomas Hoger 2013-12-04 14:43:15 EST
Patch as applied to Fedora mod_nss packages:

http://pkgs.fedoraproject.org/cgit/mod_nss.git/tree/mod_nss-nssverifyclient.patch?id=63709b8

Not yet merged in mod_nss upstream repository.
Comment 12 Fedora Update System 2013-12-13 00:03:51 EST
mod_nss-1.0.8-27.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2013-12-13 00:04:57 EST
mod_nss-1.0.8-27.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2013-12-13 22:03:25 EST
mod_nss-1.0.8-28.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.