Bug 632114 - (CVE-2011-1094) CVE-2011-1094 kdelibs: SSL certificate for IP address accepted as valid for hosts that resolve to the IP
CVE-2011-1094 kdelibs: SSL certificate for IP address accepted as valid for h...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,cvss2=4.3/AV:N/AC:M/A...
: Security
Depends On: 695662 695663
Blocks:
  Show dependency treegraph
 
Reported: 2010-09-09 04:10 EDT by Tomas Hoger
Modified: 2012-05-22 09:33 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-05-22 09:33:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Possible fix (2.22 KB, patch)
2010-10-07 08:34 EDT, Tomas Hoger
no flags Details | Diff

  None (edit)
Description Tomas Hoger 2010-09-09 04:10:57 EDT
Konqueror / kio_http does not check connection host name against names in SSL certificate correctly.  Besides accepting certificates that have user-supplied host name listed as Common Name or one of the Subject Alternate Names, it also also treats certificate as matching requested side if the certificate was issued for an IP address user-specified host name resolved to.  An attacker able to hijack or poison victim's DNS can use this flaw to perform MITM attack against victim's SSL connections.
Comment 1 Tomas Hoger 2010-09-09 04:16:08 EDT
The problem seems to be in KIO::TCPSlaveBase.  TCPSlaveBase::connectToHost resolves host name to IP address(es) and uses IP to connect using QSslSocket.  This is expected to result in HostNameMismatch certificate verification error, hence TCPSlaveBase::startTLSInternal implements its own custom host <-> certificate name checking.  However, when server certificate was issued for the IP used to connect, no HostNameMismatch error is reported and the certificate is accepted as matching requested host.
Comment 3 Tomas Hoger 2010-10-07 08:34:27 EDT
Created attachment 452097 [details]
Possible fix

Possible fix for this issue.  It has to be applied after wildcard handling fixes mentioned in bug #630063, comment #17.  Review appreciated.
Comment 6 Tomas Hoger 2011-01-31 09:59:24 EST
(In reply to comment #3)
> Possible fix for this issue.  It has to be applied after wildcard handling
> fixes mentioned in bug #630063, comment #17.  Review appreciated.

Now committed in upstream git:
https://projects.kde.org/projects/kde/kdelibs/repository/revisions/23621737060e4df0fba238c25fb5b65f81181971

Required previous commit after upstream SVN->git migration:
https://projects.kde.org/projects/kde/kdelibs/repository/revisions/078eba4692a0fcf29de077db3972bf56a1702ae2
Comment 7 Tomas Hoger 2011-03-09 04:58:32 EST
Patch is included in kdelibs 4.6.1.
Comment 10 errata-xmlrpc 2011-04-21 12:57:28 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0464 https://rhn.redhat.com/errata/RHSA-2011-0464.html

Note You need to log in before you can comment on or make changes to this bug.