Bug 571817 (CVE-2010-1192, CVE-2010-1194) - CVE-2010-1192 CVE-2010-1194 libESMTP: Multiple certificate validation flaws
Summary: CVE-2010-1192 CVE-2010-1194 libESMTP: Multiple certificate validation flaws
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2010-1192, CVE-2010-1194
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://ioactive.com/pdfs/PKILayerCake...
Whiteboard:
Depends On: 571839 571844 1114552
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-03-09 16:09 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:35 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-30 10:53:42 UTC
Embargoed:


Attachments (Terms of Use)
Local copy of libesmtp-match-component-DBTS#311191 patch (991 bytes, text/plain)
2010-03-09 16:31 UTC, Jan Lieskovsky
no flags Details
Local copy of proposed libESMTP SSL patch by Ludwig Nussel of SUSE (4.44 KB, patch)
2010-03-10 16:34 UTC, Jan Lieskovsky
no flags Details | Diff
Proposed fix from Pawel Salek from yesterday (1.31 KB, patch)
2010-03-10 16:39 UTC, Jan Lieskovsky
no flags Details | Diff

Description Jan Lieskovsky 2010-03-09 16:09:44 UTC
Issue 1, 
--------

Kees Cook from Ubuntu Security Team pointed out:
    [1] http://www.openwall.com/lists/oss-security/2010/03/03/6 

that libesmtp is prone to similar attack as CVE-2009-2408
for Firefox / NSS was:
    [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
    [3] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2408 

Dan Kaminsky in his research paper:
    [4] http://ioactive.com/pdfs/PKILayerCake.pdf 

details inconsistencies in the interpretation of subject
x509 names in certificates. Specifically "issue 2, attack 2c"
regarding NULL terminators in a Common Name field.  An attacker
could create a malicious certificate containing a NULL,
which, if they were able to get it signed, could confuse
a client into accepting it by mistake.

Issue 2,
--------
Martin Lambers in relevant Debian bug report:
    [5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311191

pointed out that (quoting from [5]):

"match_component() will accept two strings as equal if they
start equal but don't have equal length. For example, match_domain("mail.example.com", "mailhub.example.com") and
match_domain("mail.somewhere.com", "mail.somewhere-else.com") 
return 1, not 0."

CVE Request:
------------
    [6] http://www.openwall.com/lists/oss-security/2010/03/03/6

Comment 1 Jan Lieskovsky 2010-03-09 16:31:08 UTC
Created attachment 398839 [details]
Local copy of libesmtp-match-component-DBTS#311191 patch

Local copy of libESMTP match_component() patch, as applied
in Debian (Debian BTS#311191). Extracted from:
  http://us.archive.ubuntu.com/ubuntu/pool/universe/libe/libesmtp/libesmtp_1.0.4-2.diff.gz

Comment 5 Jan Lieskovsky 2010-03-10 16:31:15 UTC
Post with proposed patch from Ludwig Nussel of SUSE:
  [7] http://www.openwall.com/lists/oss-security/2010/03/10/3

Comment 6 Jan Lieskovsky 2010-03-10 16:34:15 UTC
Created attachment 399130 [details]
Local copy of proposed libESMTP SSL patch by Ludwig Nussel of SUSE

Comment 7 Jan Lieskovsky 2010-03-10 16:39:39 UTC
Created attachment 399131 [details]
Proposed fix from Pawel Salek from yesterday

Comment 8 Tomas Hoger 2010-03-12 08:31:45 UTC
There's still on-going discussion about the fix for this issue:
  http://thread.gmane.org/gmane.comp.security.oss.general/2637

Comment 9 Jan Lieskovsky 2010-03-31 18:11:15 UTC
Common Vulnerabilities and Exposures assigned following identifiers
to these issues:

A, CVE-2010-1192

libESMTP, probably 1.0.4 and earlier, does not properly handle a '\0'
character in a domain name in the subject's Common Name (CN) field of
an X.509 certificate, which allows man-in-the-middle attackers to
spoof arbitrary SSL servers via a crafted certificate issued by a
legitimate Certification Authority, a related issue to CVE-2009-2408.

References:
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1192
  [2] http://www.openwall.com/lists/oss-security/2010/03/03/6
  [3] http://www.openwall.com/lists/oss-security/2010/03/09/3

B, CVE-2010-1194

The match_component function in smtp-tls.c in libESMTP 1.0.3.r1, and
possibly other versions including 1.0.4, treats two strings as equal
if one is a substring of the other, which allows remote attackers to
spoof trusted certificates via a crafted subjectAltName.

References:
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1194
  [2] http://www.openwall.com/lists/oss-security/2010/03/03/6
  [3] http://www.openwall.com/lists/oss-security/2010/03/09/3
  [4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311191

Comment 10 Richard Z. 2013-12-27 21:00:28 UTC
Should this bug be closed now that there are much newer versions of libESMTP?

Changelog (http://www.stafford.uklinux.net/libesmtp/ChangeLog.txt) mentions related changes though I did not look at the implementation details.

Comment 11 Tomas Hoger 2014-06-30 10:51:57 UTC
(In reply to Richard Zidlicky from comment #10)
> Should this bug be closed now that there are much newer versions of libESMTP?

It does not seem this ever got fixed in EPEL-5.

Comment 12 Tomas Hoger 2014-06-30 10:52:16 UTC
Created libesmtp tracking bugs for this issue:

Affects: epel-5 [bug 1114552]

Comment 13 Tomas Hoger 2014-06-30 10:53:42 UTC
The libesmtp packages in the Red Hat Enterprise Linux 6 were fixed before the initial product release.


Note You need to log in before you can comment on or make changes to this bug.