Bug 457113 - (CVE-2008-3270) CVE-2008-3270 yum-rhn-plugin: does not verify SSL certificate for all communication with RHN server
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: source=redhat,reported=20080310,publi...
Keywords: Security
Depends On: 436804 457190 457191
Reported: 2008-07-29 13:55 EDT by Tomas Hoger
Modified: 2013-01-10 05:25 EST
Doc Type: Bug Fix
Last Closed: 2008-11-13 10:31:03 EST
Description Tomas Hoger 2008-07-29 13:55:19 EDT
It was discovered that yum-rhn-plugin does not always properly verify the SSL
certificate against the configured trusted CA certificate when communicating with
the Red Hat Network (RHN) server.  The SSL certificate was properly verified for
XML-RPC communication, but the check was not applied to file downloads.

This can possibly simplify man-in-the-middle attacks, allowing an attacker to
provide users with crafted repository metadata files or RPM packages.  However,
GPG signatures are applied before installing any package, so an attacker could
not use this to trick a user into installing packages from an untrusted source.
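The defect described above is a client with two HTTPS code paths, one verifying and one not. The following is an added example, not code from yum-rhn-plugin or Red Hat, showing how a client can build a single verifying TLS context from its configured CA and reuse it for both the XML-RPC and the file-download path, with an audit check that refuses a context that skips verification. The CA file path and server URL are assumed placeholders.

```python
import ssl
import urllib.request
import xmlrpc.client

# Assumed placeholders (constructed for this example): the real plugin reads the
# CA path and server URL from its up2date configuration.
RHN_CA_FILE = "/usr/share/rhn/RHNS-CA-CERT"
RHN_SERVER = "https://rhn.example.invalid"


def make_rhn_context(cafile=None):
    """One TLS client context that requires a certificate chaining to a trusted
    CA and a hostname match.  With cafile set, only that CA is trusted; with
    None the system store is used so the example runs without the RHN CA file."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_unverified_context():
    """The weak configuration: TLS for transport, but any certificate accepted.
    A download path built on a context like this is what the bug describes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies(ctx):
    """Audit check: True only if the context rejects untrusted or mismatched certs."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def make_clients(ctx, server=RHN_SERVER):
    """Build the XML-RPC proxy and the file-download opener from the same
    verified context, so neither path can silently fall back to no checking."""
    if not context_verifies(ctx):
        raise ValueError("refusing to build RHN clients on an unverified TLS context")
    proxy = xmlrpc.client.ServerProxy(server + "/XMLRPC", context=ctx)
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    return proxy, opener


def download(opener, url):
    """File-download path: the opener's HTTPSHandler enforces the shared context."""
    with opener.open(url) as resp:
        return resp.read()
```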
Comment 13 Mark J. Cox (Product Security) 2008-08-14 05:02:28 EDT
Note also that a successful attacker could also not cause existing installed packages to be downgraded to older versions.  So a successful attack could only 1) provide the victim with older but official Red Hat packages which the user did not already have installed, or deny them the ability to update specific packages.  (However, as the attacker has to be in the middle of the conversation to exploit this flaw, they could perform a similar denial attack without exploiting this issue).

CVSS2 score of low, 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Comment 14 Mark J. Cox (Product Security) 2008-08-14 05:03:25 EDT
This issue only affected Red Hat Enterprise Linux 5, and not the package update mechanism as shipped with Red Hat Enterprise Linux 2.1, 3, and 4.
Comment 16 Josh Bressers 2008-08-14 08:58:10 EDT
Lifting embargo
Comment 17 Josh Bressers 2008-08-14 09:38:51 EDT
Acknowledgements:

Red Hat would like to thank Justin Cappos and Justin Samuel for discussing
various package update mechanism flaws which led to our discovery of this
issue.
Comment 18 Red Hat Product Security 2008-11-13 10:31:03 EST
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0815.html
