643414 – (CVE-2010-3902) CVE-2010-3902 OpenConnect: webvpn cookie content disclosure via debugging output

Bug 643414 (CVE-2010-3902) - CVE-2010-3902 OpenConnect: webvpn cookie content disclosure via debugging output

Summary: CVE-2010-3902 OpenConnect: webvpn cookie content disclosure via debugging output

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	CVE-2010-3902
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-10-15 14:45 UTC by Jan Lieskovsky
Modified:	2021-03-26 15:08 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2014-12-08 16:16:11 UTC
Embargoed:

Attachments	(Terms of Use)

Description Jan Lieskovsky 2010-10-15 14:45:01 UTC

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3902 to
the following vulnerability:

OpenConnect before 2.26 places the webvpn cookie value in the
debugging output, which might allow remote attackers to obtain
sensitive information by reading this output, as demonstrated by
output posted to the public openconnect-devel mailing list.

References:
[1] http://www.infradead.org/openconnect.html

Upstream changeset:
[2] http://git.infradead.org/users/dwmw2/openconnect.git/commit/673c83fbb439090f16779dfdcd6a4e6026f16ac6

Vulnerable Fedora openconnect versions:
=======================================
This issue affects the version of the openconnect package, as shipped
with Fedora release of 12.

Please fix (schedule F-12 openconnect package update).

This issue does NOT affect the version of the openconnect package,
as shipped with Fedora release 13 (openconnect package was already
updated to upstream v2.26, but is currently present in the -testing
repository. After required testing it will be published into -stable
repository).

Comment 1 David Woodhouse 2010-10-15 21:48:17 UTC

Pfft. Is someone retrospectively filing random CVEs for every minor improvement I make in openconnect? CVE-2010-3901 made some sense as a CVE, but this is just silly.

If you use the 'live http headers' plugin in Firefox, or use 'curl -v' to connect to the same VPN servers, you'll *also* see the same damn HTTP cookie.

I made openconnect obscure it because users are stupid -- but I really don't think it's worthy of a CVE.

Comment 2 Vincent Danen 2010-10-18 15:50:53 UTC

Thank you, David.  I have sent a mail to MITRE (and cc'd you) indicating that you are disputing this CVE assignment.

I am inclined to agree with you -- if it is trivial to get the same information otherwise, than this obfuscation isn't really a security fix, but more a mechanism to keep users from unwittingly shooting themselves in the foot.

Regardless, this is a bug we would like to see fixed in Fedora, so I am re-opening the bug.  The security consequences are obviously disputed, but that has no bearing on the bug (other than calling it security and having a CVE name).

Comment 3 David Woodhouse 2010-10-18 16:04:41 UTC

Bug 629979 is a much better reason for me to push OpenConnect 2.26 as an update, FWIW.

Comment 4 David Woodhouse 2010-11-22 18:56:53 UTC

https://admin.fedoraproject.org/updates/openconnect-2.26-1.fc12
https://admin.fedoraproject.org/updates/openconnect-2.26-2.fc13
https://admin.fedoraproject.org/updates/openconnect-2.26-4.fc14

Note You need to log in before you can comment on or make changes to this bug.