Bug 997097 (CVE-2013-4248) - CVE-2013-4248 php: hostname check bypassing vulnerability in SSL client
Summary: CVE-2013-4248 php: hostname check bypassing vulnerability in SSL client
Status: CLOSED ERRATA
Alias: CVE-2013-4248
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20130813,repor...
Keywords: Security
Depends On: 998340 998341 998348 998350 998585
Blocks: 952520 974906 996775
TreeView+ depends on / blocked
 
Reported: 2013-08-14 16:17 UTC by Vincent Danen
Modified: 2018-12-03 19:37 UTC (History)
16 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2013-12-05 09:06:03 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1307 normal SHIPPED_LIVE Moderate: php53 security, bug fix and enhancement update 2013-10-01 00:31:22 UTC
Red Hat Knowledge Base (Article) 11258 None None None Never
Red Hat Product Errata RHSA-2013:1615 normal SHIPPED_LIVE Moderate: php security, bug fix, and enhancement update 2013-11-20 21:38:52 UTC

Description Vincent Danen 2013-08-14 16:17:02 UTC
Similar to Ruby (CVE-2013-4073) and Python (CVE-2013-4238), PHP also suffers from how it checked the hostname's identity when handling certificates that contain hostnames with NULL bytes.  An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts.

This has been corrected in upstream git:

http://git.php.net/?p=php-src.git;a=commit;h=dcea4ec698dcae39b7bba6f6aa08933cbfee6755
http://git.php.net/?p=php-src.git;a=commit;h=2874696a5a8d46639d261571f915c493cd875897

While PHP referenced the Ruby CVE, one has not yet been assigned to PHP (requested):

http://www.openwall.com/lists/oss-security/2013/08/14/4

Comment 1 Vincent Danen 2013-08-15 06:24:42 UTC
This was assigned CVE-2013-4248:

http://www.openwall.com/lists/oss-security/2013/08/15/3

Comment 2 Vincent Danen 2013-08-16 15:39:42 UTC
This is fixed in PHP 5.4.18:

http://www.php.net/ChangeLog-5.php#5.4.18

But they used the Ruby CVE name incorrectly.

Comment 3 Vincent Danen 2013-08-16 20:28:09 UTC
Also fixed in 5.5.2:

http://www.php.net/ChangeLog-5.php#5.5.2

Comment 5 Huzaifa S. Sidhpurwala 2013-08-19 05:16:47 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 998341]

Comment 14 Fedora Update System 2013-08-24 00:05:31 UTC
php-5.5.3-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Angelo Alvarez 2013-09-03 20:45:57 UTC
Any ideas when the fix for this CVE will make it into RHEL 5.9?

Comment 16 Fedora Update System 2013-09-08 23:25:47 UTC
php-5.4.19-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Tomas Hoger 2013-09-25 14:03:53 UTC
Related issue is CVE-2009-3291 / bug 524228, which correct similar problem in CommonName handling, but failed to correct subjectAltName handling corrected as part of this bug / CVE.

Comment 20 errata-xmlrpc 2013-09-30 22:15:04 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1307 https://rhn.redhat.com/errata/RHSA-2013-1307.html

Comment 27 errata-xmlrpc 2013-11-21 11:19:09 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1615 https://rhn.redhat.com/errata/RHSA-2013-1615.html

Comment 33 Huzaifa S. Sidhpurwala 2013-12-05 09:05:24 UTC
Statement:

This issue does not affect the version of php as shipped with Red Hat Enterprise Linux 5 or the version of php54 as shipped with Red Hat Software Collections 1.


Note You need to log in before you can comment on or make changes to this bug.