Bug 1127276 (CVE-2014-5075) - CVE-2014-5075 smack: MitM vulnerability
Summary: CVE-2014-5075 smack: MitM vulnerability
Alias: CVE-2014-5075
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1127277
Blocks: 1127281 1232965
TreeView+ depends on / blocked
Reported: 2014-08-06 14:07 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:20 UTC (History)
7 users (show)

Fixed In Version: smack-core 4.0.2, smack-tcp 4.0.2, smack 4.0.2
Doc Type: Bug Fix
Doc Text:
It was found that SSLSocket in Smack did not perform hostname verification. An attacker could redirect traffic between an application and an XMPP server by providing a valid certificate for a domain under the attacker's control.
Clone Of:
Last Closed: 2016-01-21 21:04:49 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1176 0 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse 6.2.0 update 2015-06-23 20:52:52 UTC

Description Vasyl Kaigorodov 2014-08-06 14:07:38 UTC
It was reported [1] that Smack (XMPP client library) is vulnerable to MitM attacks with a crafted SSL certificates.
Quote from [1]:

Smack is using Java's `SSLSocket`, which checks the peer certificate
using an `X509TrustManager`, but does not perform hostname verification.
Therefore, it is possible to redirect the traffic between a Smack-using
application and a legitimate XMPP server through the attacker's server,
merely by providing a valid certificate for a domain under the
attacker's control.

In Smack versions 2.2.0 to 3.4.1, a custom `ServerTrustManager`
implementation was used, which was supplied with the connection's server
name, and performed hostname verification. However, it failed to verify
the basicConstraints and nameConstraints of the certificate chain
(CVE-2014-0363, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0363)
and has been removed in Smack 4.0.0.

Applications using Smack 2.2.0 to 3.4.1 with a custom `TrustManager` did
not benefit from `ServerTrustManager` and are vulnerable as well, unless
their own `TrustManager` implementation explicitly performs hostname

[1]: http://seclists.org/bugtraq/2014/Aug/29

Comment 1 Vasyl Kaigorodov 2014-08-06 14:08:02 UTC
Created smack tracking bugs for this issue:

Affects: fedora-all [bug 1127277]

Comment 3 Fedora Update System 2014-09-02 06:45:50 UTC
smack-3.2.2-5.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 errata-xmlrpc 2015-06-23 16:53:09 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.2.0

Via RHSA-2015:1176 https://rhn.redhat.com/errata/RHSA-2015-1176.html

Note You need to log in before you can comment on or make changes to this bug.