Bug 484925 - (CVE-2009-0547) CVE-2009-0547 evolution-data-server: S/MIME signatures are considered to be valid even for modified messages (MITM)
CVE-2009-0547 evolution-data-server: S/MIME signatures are considered to be v...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
http://bugs.debian.org/cgi-bin/bugrep...
public=20081211,reported=20081211,sou...
: Security
Depends On: 488280 488281 488439 488440 488441 488442
Blocks:
  Show dependency treegraph
 
Reported: 2009-02-10 13:20 EST by Jan Lieskovsky
Modified: 2009-03-20 03:51 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-03-20 03:51:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Newly created message for testing of revised patch. (2.18 KB, application/x-pkcs7-signature)
2009-03-05 07:29 EST, Jan Lieskovsky
no flags Details
Original S/MIME message. (2.17 KB, application/x-pkcs7-signature)
2009-03-06 09:03 EST, Jan Lieskovsky
no flags Details
Modified S/MIME e-mail message with invalid signature. (2.18 KB, application/x-pkcs7-signature)
2009-03-06 09:04 EST, Jan Lieskovsky
no flags Details
The CA certificate && private key to check the signatures against. (1.84 KB, application/x-pkcs7-signature)
2009-03-06 09:05 EST, Jan Lieskovsky
no flags Details

  None (edit)
Description Jan Lieskovsky 2009-02-10 13:20:01 EST
A man-in-the-middle-attack possibility was found in the way evolution
handles the Secure / Multipurpose Internet Mail Extensions (S/MIME) mail messages. If the S/MIME email was sign, the email message subsequently
modified, evolution would consider the S/MIME message signature to be valid
even for such a modified message. An attacker could use this flaw to
modify the emails (message integrity violation) between communicating part.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508479
Comment 1 Jan Lieskovsky 2009-02-10 13:22:54 EST
This issue does NOT affect the version of the evolution package,
as shipped with Red Hat Enteprise Linux 3.

This issue affects the versions of the evolution package, as shipped
with Red Hat Enterprise Linux 4 and 5.

This issue affects the versions of the evolution package, as shipped
with Fedora releases of 9, 10 and devel.
Comment 2 Jan Lieskovsky 2009-02-10 13:26:41 EST
PoC:

Signer certificate:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=key.pem;att=1;bug=508479

Original message (with valid S/MIME signature):
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=testmail.out;att=2;bug=508479

Modified message (S/MIME signature is also considered to be valid):
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=testmail.out2;att=3;bug=508479
Comment 3 Jan Lieskovsky 2009-02-10 13:27:37 EST
Upstream bug report:
http://bugzilla.gnome.org/show_bug.cgi?id=564465
Comment 5 Jan Lieskovsky 2009-02-10 13:32:29 EST
Steps to reproduce:
1. Import the CA in the certificates store
2. Import the mail in an evolution folder
Comment 7 Matthew Barnes 2009-02-10 18:31:31 EST
Investigated this today and posted my findings here:
http://bugzilla.gnome.org/show_bug.cgi?id=564465#c3

But I really need to talk to someone familiar with the NSS API.
Comment 8 Nalin Dahyabhai 2009-02-11 00:01:04 EST
The signed-data blob actually contains a copy of the plaintext embedded inside of it, and it's over that that the signatures were generated.  Changing a second copy of the plaintext doesn't invalidate that signature.

If I'm reading the code right, it takes this into account and attempts to recompute the digests for the signed-data item using the plaintext which it will be displaying to the user.  It overwrites the values in the signed-data item by calling NSS_CMSSignedData_SetDigests().

It looks like NSS_CMSSignedData_SetDigests() doesn't replace any already-computed or included digest values, and that's the root of the problem.

Assuming that's the correct behavior in NSS, looping through the digest types, calling NSS_CMSSignedData_SetDigestValue() for each, seems to provide the expected result.
Comment 9 Nalin Dahyabhai 2009-02-11 00:31:33 EST
Matt's corrected me -- the existing code only attempts to set the digest in the signed-data item if it finds none.
Comment 18 Vincent Danen 2009-02-12 18:12:46 EST
This has been assigned CVE-2009-0547:

Name: CVE-2009-0547
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0547
Assigned: 20090212
Reference: MLIST:[oss-security] 20090210 CVE Request -- evolution
Reference: URL: http://openwall.com/lists/oss-security/2009/02/10/7
Reference: MISC: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508479
Reference: CONFIRM: http://bugzilla.gnome.org/show_bug.cgi?id=564465
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=484925
Reference: BID:33720
Reference: URL: http://www.securityfocus.com/bid/33720
Reference: SECUNIA:33848
Reference: URL: http://secunia.com/advisories/33848

Evolution 2.22.3.1 checks S/MIME signatures against a copy of the
e-mail text within a signed-data blob, not the copy of the e-mail text
displayed to the user, which allows remote attackers to spoof a
signature by modifying the latter copy, a different vulnerability than
CVE-2008-5077.
Comment 24 Jan Lieskovsky 2009-03-05 07:29:57 EST
Created attachment 334127 [details]
Newly created message for testing of revised patch.
Comment 30 Jan Lieskovsky 2009-03-06 09:03:31 EST
Created attachment 334292 [details]
Original S/MIME message.

Original S/MIME e-mail message with valid signature.
Comment 31 Jan Lieskovsky 2009-03-06 09:04:26 EST
Created attachment 334293 [details]
Modified S/MIME e-mail message with invalid signature.
Comment 32 Jan Lieskovsky 2009-03-06 09:05:17 EST
Created attachment 334294 [details]
The CA certificate && private key to check the signatures against.
Comment 35 errata-xmlrpc 2009-03-16 10:37:00 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:0354 https://rhn.redhat.com/errata/RHSA-2009-0354.html
Comment 36 errata-xmlrpc 2009-03-16 10:47:37 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009-0355 https://rhn.redhat.com/errata/RHSA-2009:0355.html
Comment 37 Fedora Update System 2009-03-18 14:58:13 EDT
evolution-data-server-2.24.5-4.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 38 Fedora Update System 2009-03-18 14:59:52 EDT
evolution-data-server-2.22.3-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.