Bug 509819 - (CVE-2009-3024) CVE-2009-3024 perl-IO-Socket-SSL: incorrect checking of certificate hostnames
CVE-2009-3024 perl-IO-Socket-SSL: incorrect checking of certificate hostnames
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,source=gentoo,reporte...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-07-06 08:59 EDT by Tomas Hoger
Modified: 2009-09-01 11:59 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-27 04:50:39 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2009-07-06 08:59:06 EDT
New IO::Socket::SSL version 1.26 was released fixing a bug in a hostname verification code.

  v1.26 2009.07.03
  - SECURITY BUGFIX! 
    fix Bug in verify_hostname_of_cert where it matched only the prefix for 
    the hostname when no wildcard was given, e.g. www.example.org matched
    against a certificate with name www.exam in it

An attacker could use this flaw to spoof identity of the SSL protected site, if he could obtain a valid certificate from the CA trusted by client with the CN being a prefix of the hostname client tried to connect to (e.g. domain.co if client tries to connect to domain.com).

Upstream fix (diff between 1.25 and 1.26):
http://search.cpan.org/diff?from=IO-Socket-SSL-1.25&to=IO-Socket-SSL-1.26&w=1
Comment 1 Paul Howarth 2009-07-06 09:25:16 EDT
Updates are pending for F-9, F-10, and F-11, Rawhide is already updated to 1.26.

EL-5 has IO::Socket::SSL version 1.01; EPEL-4 also has that version. I don't want to bump the version in EPEL-4 past the one in EL-5 so I'm waiting to see what happens for EL-5 before doing anything for EPEL-4.
Comment 2 Tomas Hoger 2009-07-06 09:38:07 EDT
Yup, I've seen and updated Fedora update requests.

As for 1.01 in EL5 and EPEL4, the situation there is bit more difficult, as that version does not seem to any support for hostname verification.  According to the changelog, it was only added in 1.14:

http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.14/Changes

v1.14
	- added support for verification of hostname from certificate
          including subjectAltNames, support for IDN etc based on patch and
          input from christopher[AT]odenbachs[DOT]de and 
          achim[AT]grolmsnet[DOT]de.
Comment 4 Fedora Update System 2009-07-19 06:06:04 EDT
perl-IO-Socket-SSL-1.26-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2009-07-19 06:38:28 EDT
perl-IO-Socket-SSL-1.26-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Vincent Danen 2009-07-20 13:59:23 EDT
For RHEL5, do we want to add hostname verification to the older version?  There are two schools of thought here, which is why it needs to be brought up (so we can decide what to do with it).

If someone is relying on the *lack* of hostname verification, any app using this perl module could possibly break in a customer environment.  That would be a bad thing for an update to do.  Conversely, having hostname support increases security.

Do we increase the security at the risk of breaking something in a customer's environment?  A lot of people play fast-and-loose with internal networks and SSL just for cost savings, so if we make this change there is a very real chance this could break something.

Personally, I think that because RHEL5 and earlier didn't have support for it, *this* issue isn't a security issue to affect them.  Do we typically backport/provide security enhancements?  From what I can see we don't, so I think if this is fixed in rawhide so RHEL6 gets it, then I think we've done what we should.
Comment 7 Vincent Danen 2009-07-20 14:01:07 EDT
Secunia has an advisory for this issue, still no CVE name: http://secunia.com/advisories/35703/
Comment 8 Tomas Hoger 2009-07-24 10:35:54 EDT
(In reply to comment #6)
> For RHEL5, do we want to add hostname verification to the older version?

I think if that is requested by the users, it can be done, but I don't think this should be done under / because of this bug.

> If someone is relying on the *lack* of hostname verification, any app using
> this perl module could possibly break in a customer environment.  That would
> be a bad thing for an update to do.  Conversely, having hostname support
> increases security.

As far as I can see, risks should be rather low.  As name verification only happens when it's requested explicitly by the application using the module (either via verify_hostname method or SSL_verifycn_* options to new()).  Old code should work with new module versions without regressions related to this, but just a module version update will not automagically add hostname verification to apps that don't do it today.

> Personally, I think that because RHEL5 and earlier didn't have support for it,
> *this* issue isn't a security issue to affect them.

Agree.  If someone needs a hostname verification support in RHEL5 packages, it should be requested via RFE bug.

Additionally, I had a look at applications using IO::Socket::SSL in RHEL5.  There are only 2 components in the distribution:

- spamassassin - Used for optional SSL encryption for spamd <-> spamc communication.  Only used on server side (spamd), as client (spamc) is written in C and is using OpenSSL directly.  Hence this feature is irrelevant to spamassassin.

- perl-LDAP - This module does not have support for hostname verification, not even in the latest git version to date.  Hence without further modifications of perl-LDAP itself, it won't benefit from hostname verification support in IO::Socket::SSL.
Comment 9 Tomas Hoger 2009-07-27 04:50:39 EDT
As noted above, version of perl-IO-Socket-SSL does not implement name verification feature.  If the backport of the feature is needed, separate RFE bug should be filed.  Closing this one, as it was addressed on all affected versions.

Note You need to log in before you can comment on or make changes to this bug.