Bug 1016832 (CVE-2013-4566) - CVE-2013-4566 mod_nss: incorrect handling of NSSVerifyClient in directory context
Summary: CVE-2013-4566 mod_nss: incorrect handling of NSSVerifyClient in directory con...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-4566
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 989724 1024536 1030264 1030265 1030267 1030268 1030270 1037722 1037761
Blocks: 830846
TreeView+ depends on / blocked
 
Reported: 2013-10-08 19:07 UTC by Tomas Hoger
Modified: 2019-09-29 13:09 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-13 09:55:47 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1779 normal SHIPPED_LIVE Moderate: mod_nss security update 2013-12-03 21:39:53 UTC

Description Tomas Hoger 2013-10-08 19:07:42 UTC 
A flaw was found in the way NSSVerifyClient was handled when used in both server / vhost context as well as directory context (specified either via <Directory> or <Location> directive).  If 'NSSVerifyClient none' was set in the server / vhost context (i.e. when server is configured to not request or require client certificate authentication on the initial connection), and client certificate authentication was expected to be required for a specific directory via 'NSSVerifyClient require' setting, mod_nss failed to properly require expected certificate authentication.  Remote attacker able to connect to the web server using such mod_nss configuration and without a valid client certificate could possibly use this flaw to access content of the restricted directories.

Documentation of mod_nss configuration directives, including NSSVerifyClient:

https://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html#Directives

As mod_nss is derived form mod_ssl, NSSVerifyClient is meant to be functionally equivalent to mod_ssl's SSLVerifyClient:

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslverifyclient
Comment 7 Tomas Hoger 2013-11-19 16:29:56 UTC 
Acknowledgment:

Red Hat would like to thank Albert Smith of OUSD(AT&L) for reporting this issue.
Comment 9 Vincent Danen 2013-12-03 16:32:22 UTC 
Created mod_nss tracking bugs for this issue:

Affects: fedora-all [bug 1037722]
Comment 10 errata-xmlrpc 2013-12-03 16:41:05 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:1779 https://rhn.redhat.com/errata/RHSA-2013-1779.html
Comment 11 Tomas Hoger 2013-12-04 19:43:15 UTC 
Patch as applied to Fedora mod_nss packages:

http://pkgs.fedoraproject.org/cgit/mod_nss.git/tree/mod_nss-nssverifyclient.patch?id=63709b8

Not yet merged in mod_nss upstream repository.
Comment 12 Fedora Update System 2013-12-13 05:03:51 UTC 
mod_nss-1.0.8-27.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2013-12-13 05:04:57 UTC 
mod_nss-1.0.8-27.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2013-12-14 03:03:25 UTC 
mod_nss-1.0.8-28.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.