Bug 510197 - (CVE-2009-2409) CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky)
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: low  Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: reported=20090225,public=20090729,imp...
Keywords: Security
Depends On: 230399 513780 530367 530368 532004 532005 534067 534068 547448 555167 555168 563125 563127 565564 565565 565580 565581 565584 565585 582839 805159
Reported: 2009-07-08 06:31 EDT by Mark J. Cox (Product Security)
Modified: 2012-03-20 11:42 EDT
Doc Type: Bug Fix
Attachments: None
Description Mark J. Cox (Product Security) 2009-07-08 06:31:13 EDT
In his upcoming Blackhat paper and presentation Dan Kaminsky
highlights some more issues he has found relating to SSL hash
collisions and related vulnerabilities.

The first issue is the discovery that a widely-trusted Certificate
Authority root certificate is self-signed using a MD2 hash.  If an
attacker can mint a fake intermediate certificate which has the same
MD2 hash then they could use this on a malicious site (or during a
man-in-the-middle attack) to present a fake SSL certificate that would
be accepted as if it was authentic.

It turns out that there are not many valid MD2 hash certificates
around any more, and the main one that exists is at the trusted root
level anyway (and there is actually no need for a crypto library to
verify the self-signature on a trusted root).  So most vendors have
chosen to address this issue by disabling MD2 completely for
certificate verification.

There is no immediate panic to address this issue as in order for it
to be exploited the attacker would need to create the MD2 collision
with the root certificate, something that is as of today a significant
amount of effort (even with a highly distributed effort it's a bit
outside what is feasible).

So for upstream OpenSSL we have disabled MD2 support completely.  This
was done in two stages; the first was a patch in June 2009
(http://marc.info/?l=openssl-cvs&m=124508133203041&w=2) that removed
the check of a trusted root self-signed certificate.  Then MD2 was
disabled in July (http://cvs.openssl.org/chngview?cn=18381).  Although
there have not yet been any upstream releases containing these fixes,
future OpenSSL 0.9.8 (after 0.9.8k) and OpenSSL 1.0.0 releases will
contain this fix.

The GnuTLS library has for some time meant to have disabled MD2
support, although due to a broken patch it wasn't actually disabled
correctly until the start of 2009.  So this is addressed in GnuTLS
versions 2.6.4 and above, and 2.7.4 and above.
(http://lists.gnu.org/archive/html/gnutls-devel/2008-12/msg00011.html)

The NSS library since version 3.12.3 (April 2009) has disabled MD2 by
default (although legacy applications can turn it back on using an
environment variable "NSS_ALLOW_WEAK_SIGNATURE_ALG" if they need to).

Mozilla Firefox since version 3.5 has used this NSS version and
therefore MD2 is disabled
(https://bugzilla.mozilla.org/show_bug.cgi?id=471539#c58)
Comment 1 Mark J. Cox (Product Security) 2009-07-08 06:37:10 EDT
GnuTLS notes:

Since 2.6.4 and 2.7.4 MD2 hasn't been allowed by default in a chain.
It actually was implemented earlier, but the code was broken, so when
backporting it'll need several patches.  They also disabled MD5, but
if we backport this we do not want to disable MD5 since it will
definitely break existing things.

http://lists.gnu.org/archive/html/gnutls-devel/2008-12/msg00011.html

* Version 2.7.4 (released 2009-01-07)
also * Version 2.6.4 (released 2009-02-06)

** libgnutls: deprecate X.509 validation chains using MD5 and MD2 signatures.
This is a bugfix -- the previous attempt to do this from internal x509
certificate verification procedures did not return the correct value
for certificates using a weak hash.  Reported by Daniel Kahn Gillmor
<dkg@fifthhorseman.net> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3332>,
debugged and patch by Tomas Mraz <tmraz@redhat.com> and Daniel Kahn
Gillmor <dkg@fifthhorseman.net>.

2009-01-06  Daniel Kahn Gillmor <dkg@fifthhorseman.net>

        * lib/x509/verify.c: actually deprecate MD5 and MD2 signatures
        during X.509 verification by treating them as invalid unless the
        GNUTLS_VERIFY_ALLOW_SIGN_RSA_{MD5,MD2} flags are present.

* Version 2.7.3 (released 2008-12-10)
also * Version 2.6.1 (released 2008-11-10) additionally with 2.6.2

** libgnutls: Fix chain verification for chains that ends with RSA-MD2 CAs.
Reported by Michael Kiefer <Michael-Kiefer@web.de> in
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507633> forwarded by
Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3309>.

** libgnutls: deprecate X.509 validation chains using MD5 and MD2 signatures.
This is a bugfix -- the previous attempt to do this from internal x509
certificate verification procedures did not return the correct value
for certificates using a weak hash.  Reported by Daniel Kahn Gillmor
<dkg@fifthhorseman.net> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3332>,
debugged and patch by Tomas Mraz <tmraz@redhat.com> and Daniel Kahn
Gillmor <dkg@fifthhorseman.net>.
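A small policy model of the chain check described in the bug description and in the GnuTLS notes above, written for this page and not taken from OpenSSL, GnuTLS or NSS: certificates are plain records carrying their signature-algorithm OID, the trust anchor's self-signature is never checked (so the MD2-signed root on its own is harmless), MD2 anywhere else in the chain is rejected unless the NSS-style allow-weak switch is set, and the optional reject_md5 flag is an assumed stand-in for the stricter GnuTLS default that comment 1 says should not be backported.

```python
import os
from dataclasses import dataclass

# Signature-algorithm OIDs from PKCS #1 / RFC 3279.
MD2_RSA = "1.2.840.113549.1.1.2"
MD5_RSA = "1.2.840.113549.1.1.4"
SHA1_RSA = "1.2.840.113549.1.1.5"
SHA256_RSA = "1.2.840.113549.1.1.11"

# Default policy disables only MD2 (this bug); the strict variant models the
# GnuTLS 2.6.4/2.7.4 behaviour that also refuses MD5-signed chain members.
WEAK_DEFAULT = {MD2_RSA: "MD2"}
WEAK_STRICT = {MD2_RSA: "MD2", MD5_RSA: "MD5"}

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_alg: str  # OID of the algorithm the issuer used to sign this cert

def check_chain(chain, trust_anchors, allow_weak=False, reject_md5=False):
    """Return problems for a leaf-first chain (chain[-1] is the root).

    A cert that is itself a trust anchor is skipped: its self-signature is
    never verified, trust comes from the store, so MD2 on a root does not
    matter.  Every other signature in the chain must use an allowed hash."""
    weak = WEAK_STRICT if reject_md5 else WEAK_DEFAULT
    problems = []
    for i, cert in enumerate(chain):
        if cert.subject in trust_anchors and cert.issuer == cert.subject:
            continue  # trust anchor: self-signature is not part of validation
        if i + 1 < len(chain) and chain[i + 1].subject != cert.issuer:
            problems.append(f"{cert.subject}: issuer {cert.issuer} not next in chain")
        if cert.sig_alg in weak and not allow_weak:
            problems.append(f"{cert.subject}: signed with {weak[cert.sig_alg]}, disabled")
    if chain[-1].subject not in trust_anchors:
        problems.append(f"{chain[-1].subject}: chain does not end at a trust anchor")
    return problems

# Constructed sample chain: an MD2 self-signed root (the case from the bug),
# a SHA-1-signed intermediate and a SHA-256-signed leaf.
ROOT = Cert("Example Root CA", "Example Root CA", MD2_RSA)
GOOD_INT = Cert("Example Intermediate", "Example Root CA", SHA1_RSA)
LEAF = Cert("www.example.com", "Example Intermediate", SHA256_RSA)
# An MD2-signed intermediate below the root is exactly what the fix refuses.
MD2_INT = Cert("Other Intermediate", "Example Root CA", MD2_RSA)
MD2_LEAF = Cert("www.example.com", "Other Intermediate", SHA256_RSA)
ANCHORS = {"Example Root CA"}

if __name__ == "__main__":
    allow = bool(os.environ.get("NSS_ALLOW_WEAK_SIGNATURE_ALG"))  # NSS legacy knob
    print(check_chain([LEAF, GOOD_INT, ROOT], ANCHORS, allow_weak=allow))
    print(check_chain([MD2_LEAF, MD2_INT, ROOT], ANCHORS, allow_weak=allow))
```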
Comment 3 Mark J. Cox (Product Security) 2009-07-08 15:35:47 EDT
In Red Hat Enterprise Linux, Firefox (and related packages) use the system version of NSS.  Therefore as the NSS library is updated to remove MD2 this will cascade into Firefox and related applications.
Comment 5 Mark J. Cox (Product Security) 2009-07-20 05:01:32 EDT
NSS was rebased today by errata RHBA-2009:1161 for Red Hat Enterprise Linux 5 to address other issues.  This therefore disables MD2 in Firefox and related packages.
Comment 10 Mark J. Cox (Product Security) 2009-07-30 04:00:53 EDT
This issue was presented by Dan Kaminsky last night at Blackhat.  Removing embargo.
Comment 11 errata-xmlrpc 2009-07-30 18:09:56 EDT
This issue has been addressed in nss packages in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1184 https://rhn.redhat.com/errata/RHSA-2009-1184.html
Comment 12 errata-xmlrpc 2009-07-30 18:20:05 EDT
This issue has been addressed in nss packages in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1186 https://rhn.redhat.com/errata/RHSA-2009-1186.html
Comment 13 errata-xmlrpc 2009-07-31 10:31:34 EDT
This issue has been addressed in nss packages in following products:

  Red Hat Enterprise Linux 4.7 Z Stream

Via RHSA-2009:1190 https://rhn.redhat.com/errata/RHSA-2009-1190.html
Comment 14 errata-xmlrpc 2009-08-12 10:31:14 EDT
This issue has been addressed in nss packages in following products:

  Red Hat Enterprise Linux 5.2 Z Stream

Via RHSA-2009:1207 https://rhn.redhat.com/errata/RHSA-2009-1207.html
Comment 15 errata-xmlrpc 2009-09-09 19:50:50 EDT
This issue has been addressed in seamonkey-nss packages in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1432 https://rhn.redhat.com/errata/RHSA-2009-1432.html
Comment 19 errata-xmlrpc 2009-11-09 10:04:27 EST
This issue has been addressed in java-1.6.0-sun packages in following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1560 https://rhn.redhat.com/errata/RHSA-2009-1560.html
Comment 21 errata-xmlrpc 2009-11-10 14:30:19 EST
This issue has been addressed in java-1.5.0-sun packages in following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1571 https://rhn.redhat.com/errata/RHSA-2009-1571.html
Comment 22 Fedora Update System 2009-11-13 03:45:09 EST
java-1.6.0-openjdk-1.6.0.0-33.b16.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/java-1.6.0-openjdk-1.6.0.0-33.b16.fc12
Comment 23 Fedora Update System 2009-11-13 03:49:02 EST
java-1.6.0-openjdk-1.6.0.0-23.b16.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/java-1.6.0-openjdk-1.6.0.0-23.b16.fc10
Comment 24 Fedora Update System 2009-11-13 11:34:20 EST
java-1.6.0-openjdk-1.6.0.0-30.b16.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/java-1.6.0-openjdk-1.6.0.0-30.b16.fc11
Comment 25 Fedora Update System 2009-11-13 22:29:13 EST
java-1.6.0-openjdk-1.6.0.0-30.b16.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 26 Fedora Update System 2009-11-13 22:31:06 EST
java-1.6.0-openjdk-1.6.0.0-33.b16.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 27 Fedora Update System 2009-11-13 22:32:21 EST
java-1.6.0-openjdk-1.6.0.0-23.b16.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 28 errata-xmlrpc 2009-11-16 10:44:56 EST
This issue has been addressed in java-1.6.0-openjdk packages in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1584 https://rhn.redhat.com/errata/RHSA-2009-1584.html
Comment 29 errata-xmlrpc 2009-12-11 08:43:25 EST
This issue has been addressed in java-1.5.0-sun packages in following products:

  Red Hat Network Satellite Server v 5.1

Via RHSA-2009:1662 https://rhn.redhat.com/errata/RHSA-2009-1662.html
Comment 32 errata-xmlrpc 2010-01-19 19:23:48 EST
This issue has been addressed in openssl packages in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0054 https://rhn.redhat.com/errata/RHSA-2010-0054.html
Comment 37 errata-xmlrpc 2010-03-25 05:16:09 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4

Via RHSA-2010:0163 https://rhn.redhat.com/errata/RHSA-2010-0163.html
Comment 38 errata-xmlrpc 2010-03-25 06:19:47 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0166 https://rhn.redhat.com/errata/RHSA-2010-0166.html