Bug 1154908 (CVE-2014-3694) - CVE-2014-3694 pidgin: SSL/TLS plug-ins failed to check Basic Constraints
Summary: CVE-2014-3694 pidgin: SSL/TLS plug-ins failed to check Basic Constraints
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3694
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1155838 1340770 1403136 1446519
Blocks: 1154913 1415638
TreeView+ depends on / blocked
 
Reported: 2014-10-21 03:16 UTC by Murray McAllister
Modified: 2021-02-17 06:04 UTC (History)
11 users (show)

Fixed In Version: pidgin 2.10.10
Doc Type: Bug Fix
Doc Text:
It was found that Pidgin's SSL/TLS plug-ins had a flaw in the certificate validation functionality. An attacker could use this flaw to create a fake certificate, that Pidgin would trust, which could be used to conduct man-in-the-middle attacks against Pidgin.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:35:16 UTC
Embargoed:


Attachments (Terms of Use)
patch from upstream (17.37 KB, patch)
2014-10-21 03:17 UTC, Murray McAllister
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1854 0 normal SHIPPED_LIVE Moderate: pidgin security, bug fix, and enhancement update 2017-08-01 18:23:14 UTC

Description Murray McAllister 2014-10-21 03:16:13 UTC
It was reported that the SSL/TLS plug-ins failed to check that the Basic Constraints extension allowed intermediate certificates to act as Certificate Authorities (CAs). An attacker could use this flaw to create a fake certificate that Pidgin would trust, which could be used for man-in-the-middle attacks.

This is the same situation as described in http://www.thoughtcrime.org/ie-ssl-chain.txt

Acknowledgments:

Name: the Pidgin project
Upstream: Jacob Appelbaum, Moxie Marlinspike

Comment 1 Murray McAllister 2014-10-21 03:17:13 UTC
Created attachment 948786 [details]
patch from upstream

Comment 3 Murray McAllister 2014-10-23 01:21:43 UTC
Public now:

http://www.pidgin.im/news/security/?id=86

Comment 4 Murray McAllister 2014-10-23 01:26:43 UTC
Created pidgin tracking bugs for this issue:

Affects: fedora-all [bug 1155838]

Comment 5 Fedora Update System 2014-11-10 06:31:35 UTC
pidgin-2.10.10-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-11-10 06:47:35 UTC
pidgin-2.10.10-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Siddharth Sharma 2014-12-02 09:58:13 UTC
Analysis
========

Basic Constraints checking is missing for the certificates in the code for pidgin, so attacker who already has an valid CA-Signed Certificate of any domain can generate a valid CA-Signed certificate and request signature for any other domain. As there are no checks for Basic Constraints it fails to the check if there is an man-in-the-middle attack executed with the help of malicious certificate whenever there is SSL connection intiated with the server.

Comment 13 errata-xmlrpc 2017-08-01 20:20:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1854 https://access.redhat.com/errata/RHSA-2017:1854


Note You need to log in before you can comment on or make changes to this bug.