Bug 1994998 (CVE-2021-38165) - CVE-2021-38165 lynx: Disclosure of HTTP authentication credentials via SNI data
Summary: CVE-2021-38165 lynx: Disclosure of HTTP authentication credentials via SNI data
Keywords:
Status: NEW
Alias: CVE-2021-38165
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1996024 1996025 1994999
Blocks: 1995001
TreeView+ depends on / blocked
 
Reported: 2021-08-18 09:27 UTC by Marian Rehak
Modified: 2021-08-25 11:38 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way lynx parsed URLs with userinfo part containing authentication credentials. These credentials were included in the Server Name Indication (SNI) TLS extension data and sent unencrypted during the TLS connection handshake. This could lead to exposure of authentication credentials to attackers able to eavesdrop on network connection between the lynx browser and the server.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)
Upstream patch (1.05 KB, patch)
2021-08-19 14:50 UTC, Tomas Hoger
no flags Details | Diff

Description Marian Rehak 2021-08-18 09:27:57 UTC
Mishandling the userinfo subcomponent of a URI allows remote attackers to discover cleartext credentials because they may appear in SNI data.

References:

https://lynx.invisible-island.net/current/CHANGES.html#v2.9.0dev.9
https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00002.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991971

Comment 1 Marian Rehak 2021-08-18 09:28:55 UTC
Created lynx tracking bugs for this issue:

Affects: fedora-all [bug 1994999]

Comment 2 Tomas Hoger 2021-08-19 14:50:02 UTC
Created attachment 1815719 [details]
Upstream patch

Extracted from lynx 2.9.0dev.9.

Comment 3 Tomas Hoger 2021-08-20 10:46:44 UTC
This issue was caused by incorrect extraction of server host names from URLs for use during TLS/SSL connection handshakes.  If URL contained userinfo part, i.e. authentication credentials, embedded in URLs as http://user:password@server.name, the extracted hostname included not only "server.name", but also the credentials part "user:password@server.name".  This value was used during verification of server identity and would often cause verification to fail due to connection hostname not matching name stored in server certificate.  Verification could still succeed for wild card certificates.  The value was also included as part of the Server Name Indication (SNI) TLS extension data and sent unencrypted as part of the Client Hello packet during the TLS connection handshake.  This is how authentication credentials could have been exposed to an attacker able to eavesdrop on the network connection between the lynx browser and the server.

This issue did not affect lynx version in Red Hat Enterprise Linux 6, as SNI support was first added to lynx in version 2.8.7pre2:

https://lynx.invisible-island.net/current/CHANGES.html#v2.8.7pre.2

Comment 7 Tomas Hoger 2021-08-23 20:41:30 UTC
Note that this issue can not be exploited by having a victim visit a malicious URL or page prepared by an attacker, as such URL or any link on such page would only contain credentials already known to an attacker.  The issue is only relevant in cases when a user uses lynx to access some trusted URL with credentials included as part of the URL, e.g. by following such link form some "bookmark" page.  Hence an information leak can only happen when victim performs a specific action that is out of attacker's control.


Note You need to log in before you can comment on or make changes to this bug.