Red Hat Bugzilla – Bug 632114
CVE-2011-1094 kdelibs: SSL certificate for IP address accepted as valid for hosts that resolve to the IP
Last modified: 2012-05-22 09:33:16 EDT
Konqueror / kio_http does not correctly check the connection host name against the names in the SSL certificate. Besides accepting certificates that have the user-supplied host name listed as the Common Name or one of the Subject Alternative Names, it also treats a certificate as matching the requested site if the certificate was issued for an IP address the user-specified host name resolved to. An attacker able to hijack or poison the victim's DNS can use this flaw to perform a MITM attack against the victim's SSL connections.
The problem seems to be in KIO::TCPSlaveBase. TCPSlaveBase::connectToHost resolves the host name to IP address(es) and uses the IP to connect using QSslSocket. This is expected to result in a HostNameMismatch certificate verification error, hence TCPSlaveBase::startTLSInternal implements its own custom host <-> certificate name checking. However, when the server certificate was issued for the IP used to connect, no HostNameMismatch error is reported and the certificate is accepted as matching the requested host.
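The flaw described above comes down to which name the certificate is judged against: the address the socket connected to, or the host the user asked for. The following is an added example, not kdelibs or Qt code, written in plain C++ without Qt so it runs stand-alone. The certificate is reduced to a constructed `CertIdentity` (CN plus dNSName/iPAddress SANs), `isIpLiteral` is a deliberately small stand-in for `inet_pton()`/`QHostAddress`, and IP SANs are compared as canonical text. `acceptVulnerable` models the flow the report describes (the application's own check only runs when the library reports a mismatch), and `acceptFixed` checks only the requested name; all function and type names are this example's own.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Constructed view of a leaf certificate: the identities a verifier extracts from it.
enum class SanType { DNS, IP };
struct San { SanType type; std::string value; };
struct CertIdentity {
    std::string commonName;   // empty if the subject carries no CN
    std::vector<San> sans;
};

static std::string lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Assumption for this example: an IPv4 literal is four non-empty all-digit labels,
// an IPv6 literal is anything containing ':'. Real code would use inet_pton().
static bool isIpLiteral(const std::string& host) {
    if (host.find(':') != std::string::npos) return true;
    int labels = 0;
    size_t start = 0;
    while (true) {
        size_t dot = host.find('.', start);
        std::string label = host.substr(start, dot == std::string::npos ? std::string::npos : dot - start);
        if (label.empty()) return false;
        for (char c : label)
            if (!std::isdigit(static_cast<unsigned char>(c))) return false;
        ++labels;
        if (dot == std::string::npos) break;
        start = dot + 1;
    }
    return labels == 4;
}

// DNS name match: case-insensitive; a wildcard is honoured only as the whole leftmost
// label ("*.example.com") and consumes exactly one label of the host.
static bool dnsNameMatches(const std::string& patternIn, const std::string& hostIn) {
    const std::string pattern = lower(patternIn), host = lower(hostIn);
    if (pattern.compare(0, 2, "*.") != 0) return pattern == host;
    const size_t dot = host.find('.');
    if (dot == std::string::npos || dot == 0) return false;   // no label for '*' to consume
    const std::string rest = pattern.substr(1);               // ".example.com"
    if (rest.find('.', 1) == std::string::npos) return false; // refuse "*.com"
    return host.compare(dot, std::string::npos, rest) == 0;
}

// Match the name being validated against the certificate, with no cross-type matching:
// an IP literal is satisfied only by an iPAddress SAN, a DNS name only by a dNSName SAN
// (or by the CN when the certificate carries no dNSName at all).
bool identityMatches(const CertIdentity& cert, const std::string& name) {
    if (isIpLiteral(name)) {
        for (const San& s : cert.sans)
            if (s.type == SanType::IP && s.value == name) return true;
        return false;
    }
    bool sawDns = false;
    for (const San& s : cert.sans) {
        if (s.type != SanType::DNS) continue;
        sawDns = true;
        if (dnsNameMatches(s.value, name)) return true;
    }
    return !sawDns && !cert.commonName.empty() && dnsNameMatches(cert.commonName, name);
}

// The flow the report describes: the socket was opened to the resolved IP, so the TLS
// library judges the certificate against that IP; the application's own name check runs
// only when the library reports a mismatch. A certificate issued for the IP therefore
// never reaches the check and is accepted for any host name that resolves there.
bool acceptVulnerable(const CertIdentity& cert, const std::string& requestedHost,
                      const std::string& connectedIp) {
    if (identityMatches(cert, connectedIp)) return true;   // no HostNameMismatch raised
    return identityMatches(cert, requestedHost);
}

// The fix: the connected address plays no part; only the name the user asked for counts.
bool acceptFixed(const CertIdentity& cert, const std::string& requestedHost) {
    return identityMatches(cert, requestedHost);
}

int main() {
    // Constructed scenario: bank.example is poisoned to resolve to 192.0.2.10, where the
    // attacker presents a certificate legitimately issued for that IP address.
    CertIdentity ipCert{"192.0.2.10", {{SanType::IP, "192.0.2.10"}}};
    const bool vulnerable = acceptVulnerable(ipCert, "bank.example", "192.0.2.10");
    const bool fixed = acceptFixed(ipCert, "bank.example");
    return (vulnerable && !fixed) ? 0 : 1;
}
```

The key property of `acceptFixed` is that the resolved address is never an input to the decision: a DNS name the user typed can be satisfied only by a dNSName SAN or CN, so an attacker controlling resolution gains nothing from a certificate issued for the IP.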
Created attachment 452097
Possible fix for this issue. It has to be applied after wildcard handling fixes mentioned in bug #630063, comment #17. Review appreciated.
(In reply to comment #3)
> Possible fix for this issue. It has to be applied after wildcard handling
> fixes mentioned in bug #630063, comment #17. Review appreciated.
Now committed in upstream git:
Required previous commit after upstream SVN->git migration:
Patch is included in kdelibs 4.6.1.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:0464 https://rhn.redhat.com/errata/RHSA-2011-0464.html