Bug 531011 - (CVE-2009-3766) CVE-2009-3766 mutt: missing host name vs. SSL certificate name checks
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Assigned To: Red Hat Product Security
http://web.nvd.nist.gov/view/vuln/det...
public=20090810,reported=20090821,sou...
Reported: 2009-10-26 10:19 EDT by Tomas Hoger
Modified: 2015-03-03 02:48 EST (History)
Last Closed: 2015-03-02 14:18:40 EST
Description Tomas Hoger 2009-10-26 10:19:07 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3766 to the following vulnerability:

mutt_ssl.c in mutt 1.5.16, when OpenSSL is used, does not verify the domain
name in the subject's Common Name (CN) field of an X.509 certificate, which
allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid
certificate.

Upstream bug:
http://dev.mutt.org/trac/ticket/3087

References:
http://marc.info/?l=oss-security&m=125198917018936&w=2
Comment 1 Tomas Hoger 2009-10-26 10:29:46 EDT
The CVE description is a bit imprecise, as this problem affects mutt versions before 1.5.19, most likely all with POP/IMAP + SSL support using the OpenSSL crypto library.

For this flaw to be exploited, the following conditions must be met:
- the user needs to have a file with trusted certificates; the path to it has to be set in .muttrc via the certificate_file option, and the file should contain at least one CA certificate (i.e. not only server certificates)
- the attacker needs to have a valid SSL certificate issued by a CA listed in the victim's certificate_file
- the attacker must be able to redirect the victim's network traffic to his malicious server

If all the conditions are met and the victim is redirected to an attacker's server, mutt will not warn the user about the Common Name listed in the server's SSL certificate not matching the requested host name, allowing the user to provide authentication credentials to the attacker.

Note: there's no certificate_file configured by default.  In that case, mutt displays info from the server's certificate subject, allowing the user to decide whether to proceed with the connection.  That info screen will display a Common Name not matching the user's request.
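The check that is missing in the affected mutt versions, as an added illustration (not mutt's own code): a comparison of the requested host name against the names a server certificate carries, operating on a dictionary in the shape returned by Python's `ssl.SSLSocket.getpeercert()`. The certificate dictionaries below are constructed samples, not real certificates.

```python
from typing import Any, Dict, List


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match; '*' may replace exactly the leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard only as the whole leftmost label, never spanning labels,
    # and never so broad that it covers a bare top-level domain (e.g. "*.org").
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: Dict[str, Any]) -> List[str]:
    """Names the certificate claims: SAN dNSName entries if present, otherwise the subject CN."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def hostname_matches(cert: Dict[str, Any], hostname: str) -> bool:
    """True only if the host the user asked for is among the names the certificate is valid for."""
    return any(_dns_name_match(name, hostname) for name in cert_names(cert))


# Constructed samples in getpeercert() shape.
MAIL_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "subjectAltName": (("DNS", "mail.example.org"), ("DNS", "*.example.org")),
}
# A CA-signed certificate for an unrelated host: valid, but not for mail.example.org.
OTHER_HOST_CERT = {
    "subject": ((("commonName", "other.example.net"),),),
}

if __name__ == "__main__":
    print(hostname_matches(MAIL_CERT, "mail.example.org"))        # True
    print(hostname_matches(OTHER_HOST_CERT, "mail.example.org"))  # False: the check mutt skipped
```

Without this comparison, any certificate chaining to a CA in certificate_file is accepted for any host, which is exactly the condition the comment above describes.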
Comment 3 Tomas Hoger 2009-10-26 10:36:46 EDT
This problem affects mutt versions in Red Hat Enterprise Linux 3, 4 and 5.  Future updates may introduce SSL hostname checks.

Current Fedora versions are not affected.
Comment 5 Josh Bressers 2011-07-25 15:24:49 EDT
Statement:

(none)
