Bug 889373 (CVE-2012-5662) - CVE-2012-5662 x3270: does not properly validate SSL certificates
Summary: CVE-2012-5662 x3270: does not properly validate SSL certificates
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-5662
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 924183 980316
Blocks: 889374
TreeView+ depends on / blocked
 
Reported: 2012-12-21 00:18 UTC by Vincent Danen
Modified: 2021-10-19 21:58 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-19 21:58:13 UTC


Attachments (Terms of Use)

Description Vincent Danen 2012-12-21 00:18:10 UTC
Florian Weimer of the Red Hat Product Security Team reported that x3270 did not properly validate SSL certificates.  If pr3270 connects to a host that has a mismatched hostname in the certificate, it does not warn that there is a problem with the certificate.

For instance if bad.ssl.host points to the same IP as good.ssl.host, and it has an HTTPS certificate with the hostname for good.ssl.host:

$ gnutls-cli bad.ssl.host; echo $?
...
- The hostname in the certificate does NOT match 'bad.ssl.host'
1

vs.

$ pr3287 L:bad.ssl.host:443; echo $?
0

Later versions of x3270 introduced certificate chain validation, but the SSL validation support is incomplete, as was demonstrated above (pr3287 will not complain in such a case).

The version of x3270 as provided with Red Hat Enterprise Linux 6 (3.3.6) uses the system root CA store in /etc/pki/tls/cert.pem, with no way of overriding it.  The version as provided with Fedora 17 (3.3.12ga7) on the other hand does provide the -cadir and -cafile options that allow it to be overridden.

Comment 1 Vincent Danen 2012-12-21 17:18:10 UTC
Version 3.3.12 is the first version that actually started doing SSL certificate verification.


Statement:

Not vulnerable. This issue did not affect the versions of x3270 as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include support for SSL certificate verification.

Comment 2 Vincent Danen 2012-12-21 17:23:20 UTC
Paul, I've assigned a CVE name to this issue (CVE-2012-5662), which would be ideal to use in any upstream commits for a fix.  Likewise, as this is not yet public we would like to coordinate a release date once we have a patch, so that we can inform other vendors prior to making any public commits, releases, or opening this bug up.

Comment 3 Stefan Cornelius 2013-03-21 10:36:40 UTC
Public now and updated upstream packages are available:
http://sourceforge.net/projects/x3270/files/x3270/3.3.12ga12/

Comment 4 Stefan Cornelius 2013-03-21 10:46:52 UTC
Created x3270 tracking bugs for this issue

Affects: fedora-all [bug 924183]


Note You need to log in before you can comment on or make changes to this bug.