Bug 1678313 (CVE-2019-3890) - CVE-2019-3890 evolution-ews: all certificate errors ignored if configured to ignore an initial error in gnome-online-accounts creation resulting in the connection open to being viewed and modified.
Summary: CVE-2019-3890 evolution-ews: all certificate errors ignored if configured to ...
Keywords:
Status: NEW
Alias: CVE-2019-3890
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1696760 1696761 1696762 1696763 1678314
Blocks: 1678315
TreeView+ depends on / blocked
 
Reported: 2019-02-18 13:35 UTC by msiddiqu
Modified: 2019-09-29 15:08 UTC (History)
1 user (show)

Fixed In Version: evolution-ewx 3.31.3
Doc Type: If docs needed, set a value
Doc Text:
It was discovered evolution-ews does not check the validity of SSL certificates. An attacker could abuse this flaw to get confidential information by tricking the user into connecting to a fake server without the user noticing the difference.
Clone Of:
Environment:
Last Closed: 2019-02-18 14:29:01 UTC


Attachments (Terms of Use)

Description msiddiqu 2019-02-18 13:35:20 UTC
Evolution Exchange Web Services can silently ignore *all* certificate errors if configured to ignore an initial error in gnome-online-accounts creation. This renders transport security worse than zero as it does not even indicate (logs or UI) that a questionable certificate was presented, leaving the connection open to being viewed and modified.

Upstream issue:

https://gitlab.gnome.org/GNOME/evolution-ews/issues/36

Comment 1 msiddiqu 2019-02-18 13:35:33 UTC
Created evolution-ews tracking bugs for this issue:

Affects: fedora-all [bug 1678314]

Comment 2 Milan Crha 2019-02-18 14:29:01 UTC
Thanks for a bug report. The upstream bug had been marked as a duplicate of an older bug there. I'd prefer not to duplicate the work here, also because the upstream changes are not tested yet and because the change requires changes on the evolution-data-server side as well. I'd commit it to the stable version already otherwise.

Comment 10 Riccardo Schirone 2019-04-05 14:48:28 UTC
Upstream issue:
https://gitlab.gnome.org/GNOME/evolution-ews/issues/27

Comment 11 Riccardo Schirone 2019-04-05 15:02:39 UTC
According to https://gitlab.gnome.org/GNOME/evolution-ews/issues/27, evolution-ews does not validate SSL certificate at all.


Note You need to log in before you can comment on or make changes to this bug.