Bug 1017197 (CVE-2011-4973) - CVE-2011-4973 mod_nss: FakeBasicAuth authentication bypass
Summary: CVE-2011-4973 mod_nss: FakeBasicAuth authentication bypass
Alias: CVE-2011-4973
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 702437 749402 1017675 1022921
Blocks: 830846
TreeView+ depends on / blocked
Reported: 2013-10-09 12:26 UTC by Tomas Hoger
Modified: 2019-09-29 13:09 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-11-14 21:52:01 UTC

Attachments (Terms of Use)

Description Tomas Hoger 2013-10-09 12:26:46 UTC
A flaw was reported in the way mod_nss handled FakeBasicAuth NSSOption.  Unlike mod_ssl, mod_nss only used CommonName from a client certificate's subject, rather than the whole subject DN.  This made safety check inherited from mod_ssl that ensured client can not submit username and password generated by FakeBasicAuth via Authorization header without actually providing valid client certificate.  Further details are in the Jared Jennings' post to the mod_nss mailing list:


Problem was corrected in the following upstream git commit:


This fix is not yet included in any released mod_nss version.  The last released version to date is 1.0.8 from Jul 2008.

This problem was already corrected in Red Hat Enterprise Linux 5 and 6 mod_nss packages via the following errata:


Comment 1 Tomas Hoger 2013-10-09 12:38:17 UTC
It should be noted that after the fix, any htpasswd file that was created for use with older mod_nss version (i.e. file that only contains CN for user name) need to be changed to use full DN.  This is required to both make authentication work for valid users authenticating using client certificates, as well as to address the authentication bypass.

Comment 2 Ratul Gupta 2013-10-10 10:21:59 UTC
Created mod_nss tracking bugs for this issue:

Affects: fedora-all [bug 1017675]

Note You need to log in before you can comment on or make changes to this bug.