Bug 484925 (CVE-2009-0547) - CVE-2009-0547 evolution-data-server: S/MIME signatures are considered to be valid even for modified messages (MITM)
Summary: CVE-2009-0547 evolution-data-server: S/MIME signatures are considered to be v...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-0547
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard:
Depends On: 488280 488281 488439 488440 488441 488442
Blocks:
Reported: 2009-02-10 18:20 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:28 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-03-20 07:51:15 UTC
Embargoed:


Attachments
Newly created message for testing of revised patch. (2.18 KB, application/x-pkcs7-signature)
2009-03-05 12:29 UTC, Jan Lieskovsky
Original S/MIME message. (2.17 KB, application/x-pkcs7-signature)
2009-03-06 14:03 UTC, Jan Lieskovsky
Modified S/MIME e-mail message with invalid signature. (2.18 KB, application/x-pkcs7-signature)
2009-03-06 14:04 UTC, Jan Lieskovsky
The CA certificate && private key to check the signatures against. (1.84 KB, application/x-pkcs7-signature)
2009-03-06 14:05 UTC, Jan Lieskovsky


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0354 0 normal SHIPPED_LIVE Moderate: evolution-data-server security update 2009-03-16 14:36:55 UTC
Red Hat Product Errata RHSA-2009:0355 0 normal SHIPPED_LIVE Moderate: evolution and evolution-data-server security update 2009-03-16 14:47:33 UTC

Description Jan Lieskovsky 2009-02-10 18:20:01 UTC
A man-in-the-middle attack possibility was found in the way evolution
handles Secure / Multipurpose Internet Mail Extensions (S/MIME) mail
messages. If the S/MIME email was signed and the email message subsequently
modified, evolution would consider the S/MIME message signature to be valid
even for such a modified message. An attacker could use this flaw to
modify the emails (message integrity violation) between communicating parties.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508479

Comment 1 Jan Lieskovsky 2009-02-10 18:22:54 UTC
This issue does NOT affect the version of the evolution package,
as shipped with Red Hat Enterprise Linux 3.

This issue affects the versions of the evolution package, as shipped
with Red Hat Enterprise Linux 4 and 5.

This issue affects the versions of the evolution package, as shipped
with Fedora releases of 9, 10 and devel.

Comment 2 Jan Lieskovsky 2009-02-10 18:26:41 UTC
PoC:

Signer certificate:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=key.pem;att=1;bug=508479

Original message (with valid S/MIME signature):
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=testmail.out;att=2;bug=508479

Modified message (S/MIME signature is also considered to be valid):
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=testmail.out2;att=3;bug=508479

Comment 3 Jan Lieskovsky 2009-02-10 18:27:37 UTC
Upstream bug report:
http://bugzilla.gnome.org/show_bug.cgi?id=564465

Comment 5 Jan Lieskovsky 2009-02-10 18:32:29 UTC
Steps to reproduce:
1. Import the CA in the certificates store
2. Import the mail in an evolution folder

Comment 7 Matthew Barnes 2009-02-10 23:31:31 UTC
Investigated this today and posted my findings here:
http://bugzilla.gnome.org/show_bug.cgi?id=564465#c3

But I really need to talk to someone familiar with the NSS API.

Comment 8 Nalin Dahyabhai 2009-02-11 05:01:04 UTC
The signed-data blob actually contains a copy of the plaintext embedded inside of it, and it's over that that the signatures were generated.  Changing a second copy of the plaintext doesn't invalidate that signature.

If I'm reading the code right, it takes this into account and attempts to recompute the digests for the signed-data item using the plaintext which it will be displaying to the user.  It overwrites the values in the signed-data item by calling NSS_CMSSignedData_SetDigests().

It looks like NSS_CMSSignedData_SetDigests() doesn't replace any already-computed or included digest values, and that's the root of the problem.

Assuming that's the correct behavior in NSS, looping through the digest types, calling NSS_CMSSignedData_SetDigestValue() for each, seems to provide the expected result.

Comment 9 Nalin Dahyabhai 2009-02-11 05:31:33 UTC
Matt's corrected me -- the existing code only attempts to set the digest in the signed-data item if it finds none.

Comment 18 Vincent Danen 2009-02-12 23:12:46 UTC
This has been assigned CVE-2009-0547:

Name: CVE-2009-0547
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0547
Assigned: 20090212
Reference: MLIST:[oss-security] 20090210 CVE Request -- evolution
Reference: URL: http://openwall.com/lists/oss-security/2009/02/10/7
Reference: MISC: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508479
Reference: CONFIRM: http://bugzilla.gnome.org/show_bug.cgi?id=564465
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=484925
Reference: BID:33720
Reference: URL: http://www.securityfocus.com/bid/33720
Reference: SECUNIA:33848
Reference: URL: http://secunia.com/advisories/33848

Evolution 2.22.3.1 checks S/MIME signatures against a copy of the
e-mail text within a signed-data blob, not the copy of the e-mail text
displayed to the user, which allows remote attackers to spoof a
signature by modifying the latter copy, a different vulnerability than
CVE-2008-5077.
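
A simplified model of the root cause discussed in comments 8 and 9 and in the CVE description above, as an added example that is not part of the original report and is not Evolution or NSS code. The blob layout, the HMAC stand-in for the signature, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for the signer's key; real S/MIME uses an X.509 key pair.
SIGNER_KEY = b"constructed-demo-key"


def _sign_digests(digests: dict) -> bytes:
    """Toy signature: HMAC over the (algorithm, digest) pairs in sorted order."""
    mac = hmac.new(SIGNER_KEY, digestmod=hashlib.sha256)
    for alg in sorted(digests):
        mac.update(alg.encode() + b":" + digests[alg])
    return mac.digest()


def make_signed_data(content: bytes, algs=("sha256",)) -> dict:
    """Hypothetical signed-data blob: embedded content copy, digests, signature."""
    digests = {alg: hashlib.new(alg, content).digest() for alg in algs}
    return {"content": content, "digests": digests,
            "signature": _sign_digests(digests)}


def verify_flawed(blob: dict, displayed: bytes) -> bool:
    """Digest of the displayed text is stored only if the blob has none."""
    digests = dict(blob["digests"])
    if not digests:
        digests = {"sha256": hashlib.sha256(displayed).digest()}
    # The blob's own digests win, so the displayed text is never checked.
    return hmac.compare_digest(_sign_digests(digests), blob["signature"])


def verify_fixed(blob: dict, displayed: bytes) -> bool:
    """Overwrite every digest with one recomputed over the displayed text."""
    if not blob["digests"]:
        return False
    digests = {alg: hashlib.new(alg, displayed).digest()
               for alg in blob["digests"]}
    return hmac.compare_digest(_sign_digests(digests), blob["signature"])


# Constructed sample messages.
ORIGINAL = b"Meeting moved to 10:00.\r\n"
MODIFIED = b"Meeting moved to 16:00.\r\n"
BLOB = make_signed_data(ORIGINAL, algs=("sha1", "sha256"))

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(name, "flawed:", verify_flawed(BLOB, text),
              "fixed:", verify_fixed(BLOB, text))
```
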

Comment 24 Jan Lieskovsky 2009-03-05 12:29:57 UTC
Created attachment 334127 [details]
Newly created message for testing of revised patch.

Comment 30 Jan Lieskovsky 2009-03-06 14:03:31 UTC
Created attachment 334292 [details]
Original S/MIME message.

Original S/MIME e-mail message with valid signature.

Comment 31 Jan Lieskovsky 2009-03-06 14:04:26 UTC
Created attachment 334293 [details]
Modified S/MIME e-mail message with invalid signature.

Comment 32 Jan Lieskovsky 2009-03-06 14:05:17 UTC
Created attachment 334294 [details]
The CA certificate && private key to check the signatures against.

Comment 35 errata-xmlrpc 2009-03-16 14:37:00 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:0354 https://rhn.redhat.com/errata/RHSA-2009-0354.html

Comment 36 errata-xmlrpc 2009-03-16 14:47:37 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009-0355 https://rhn.redhat.com/errata/RHSA-2009:0355.html

Comment 37 Fedora Update System 2009-03-18 18:58:13 UTC
evolution-data-server-2.24.5-4.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 38 Fedora Update System 2009-03-18 18:59:52 UTC
evolution-data-server-2.22.3-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

