Bug 928530 - (CVE-2013-1909) CVE-2013-1909 python-qpid: client does not validate qpid server TLS/SSL certificate
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20130613,repor...
Keywords: Security
Depends On: 885173 948985 948986 960487 974610
Blocks: 928533
Reported: 2013-03-27 16:42 EDT by Vincent Danen
Modified: 2015-06-21 20:08 EDT (History)
Fixed In Version: python-qpid 0.22
Doc Type: Bug Fix


Description Vincent Danen 2013-03-27 16:42:18 EDT
Multiple security flaws were found in the QPID Python's SSL certificate validation code. Details:

While the QPID client connection API allows for a list of Certificate Authority certificates to be provided when connecting, if the remote certificate does not validate against the CA certs, the client connection will continue.  This is due in part to the python SSL library not validating certificates supplied by the remote system unless the CERT_REQUIRED flag is set when making the connection [1] (the QPID python client code does not set this flag).  However, this is only valid on systems using a version of python >= 2.6; on earlier versions of Python the CAs parameter is simply ignored [2] (see ssl() section).

Also, the QPID python client does not check the CN or SubjectAltName from the peer's certificate against the FQDN of the destination.  This could allow an attacker to masquerade as the desired peer simply by providing any certificate that is signed by a trusted CA.

In the case of python 2.6+ (which is everything with the exception of MRG on Red Hat Enterprise Linux 5), the QPID python client code should set the CERT_REQUIRED flag if the application provides a CA list.  If the certificate is valid, the CN/SAN should be checked against the destination FQDN.  If either fails, the connection attempt should likewise fail.  In the case of MRG on Red Hat Enterprise Linux 5 (due to the use of Python 2.4.3), since there is no way to validate the peer certificate, the application should fail with an appropriate error message if a CA list is provided (and perhaps document that it is not possible to do certificate verification on this platform).


[1] http://docs.python.org/2/library/ssl.html
[2] http://docs.python.org/release/2.5.4/lib/module-socket.html
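
The two checks the report calls for (certificate validation against the CA list, then CN/SubjectAltName against the destination FQDN), as an added example that is not part of the original report or of the python-qpid code. It uses the current Python 3 `ssl.SSLContext` API rather than the Python 2 calls of the time; the function names and the sample certificate are constructed for illustration.

```python
import ssl

def lax_context():
    # Mirrors the reported behaviour: TLS is used, but the peer is never verified.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def strict_context(ca_file=None):
    # What the report asks for: chain validation plus a name check.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    return ctx

def audit_context(ctx):
    # Report the two gaps described in this bug for a given client context.
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not validated (CERT_REQUIRED not set)")
    if not ctx.check_hostname:
        findings.append("CN/SubjectAltName is not checked against the destination")
    return findings

def _matches(pattern, host):
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:  # wildcard only as the whole leftmost label
        p, h = p[1:], h[1:]
    return "*" not in "".join(p) and p == h

def peer_matches_host(cert, fqdn):
    # cert is the dict returned by SSLSocket.getpeercert(); CN is used only
    # when the certificate carries no DNS SubjectAltName entries.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return any(_matches(n, fqdn) for n in names)

# Constructed sample in getpeercert() format, not taken from a real broker.
SAMPLE_CERT = {"subject": ((("commonName", "broker.example.com"),),),
               "subjectAltName": (("DNS", "broker.example.com"),
                                  ("DNS", "*.mq.example.com"))}
```
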
Comment 1 Vincent Danen 2013-03-28 17:34:53 EDT
Acknowledgements:

This issue was discovered by Petr Matousek of the Red Hat MRG Messaging
team.
Comment 2 Vincent Danen 2013-03-28 18:43:51 EDT
Upstream fix:

http://svn.apache.org/viewvc?view=revision&revision=1460013
Comment 3 Vincent Danen 2013-03-28 18:45:11 EDT
This python bug #928390 needs to be fixed in RHEL6 before we can fix this properly.
Comment 4 Ken Giusti 2013-04-01 10:16:48 EDT
A CVE has been assigned for this issue: CVE-2013-1909
Comment 7 Vincent Danen 2013-06-14 11:14:54 EDT
Created python-qpid tracking bugs for this issue

Affects: fedora-all [bug 974610]
Comment 8 errata-xmlrpc 2013-07-11 09:24:34 EDT
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2013:1024 https://rhn.redhat.com/errata/RHSA-2013-1024.html
Comment 10 Vincent Danen 2013-12-23 14:50:56 EST
python-qpid 0.24 is in all versions of Fedora, so this has been fixed there.
