Bug 1994998 (CVE-2021-38165) - CVE-2021-38165 lynx: Disclosure of HTTP authentication credentials via SNI data
Summary: CVE-2021-38165 lynx: Disclosure of HTTP authentication credentials via SNI data
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-38165
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1994999 1996024 1996025
Blocks: 1995001
TreeView+ depends on / blocked
 
Reported: 2021-08-18 09:27 UTC by Marian Rehak
Modified: 2022-05-17 09:52 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2022-05-11 20:45:15 UTC
Embargoed:

Attachments (Terms of Use)
Upstream patch (1.05 KB, patch)
2021-08-19 14:50 UTC, Tomas Hoger 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:2129 0 None None None 2022-05-10 15:32:02 UTC

Description Marian Rehak 2021-08-18 09:27:57 UTC 
Mishandling the userinfo subcomponent of a URI allows remote attackers to discover cleartext credentials because they may appear in SNI data.

References:

https://lynx.invisible-island.net/current/CHANGES.html#v2.9.0dev.9
https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00002.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991971
Comment 1 Marian Rehak 2021-08-18 09:28:55 UTC 
Created lynx tracking bugs for this issue:

Affects: fedora-all [bug 1994999]
Comment 2 Tomas Hoger 2021-08-19 14:50:02 UTC 
Created attachment 1815719 [details]
Upstream patch

Extracted from lynx 2.9.0dev.9.
Comment 3 Tomas Hoger 2021-08-20 10:46:44 UTC 
This issue was caused by incorrect extraction of server host names from URLs for use during TLS/SSL connection handshakes.  If URL contained userinfo part, i.e. authentication credentials, embedded in URLs as http://user:password@server.name, the extracted hostname included not only "server.name", but also the credentials part "user:password".  This value was used during verification of server identity and would often cause verification to fail due to connection hostname not matching name stored in server certificate.  Verification could still succeed for wild card certificates.  The value was also included as part of the Server Name Indication (SNI) TLS extension data and sent unencrypted as part of the Client Hello packet during the TLS connection handshake.  This is how authentication credentials could have been exposed to an attacker able to eavesdrop on the network connection between the lynx browser and the server.

This issue did not affect lynx version in Red Hat Enterprise Linux 6, as SNI support was first added to lynx in version 2.8.7pre2:

https://lynx.invisible-island.net/current/CHANGES.html#v2.8.7pre.2
Comment 7 Tomas Hoger 2021-08-23 20:41:30 UTC 
Note that this issue can not be exploited by having a victim visit a malicious URL or page prepared by an attacker, as such URL or any link on such page would only contain credentials already known to an attacker.  The issue is only relevant in cases when a user uses lynx to access some trusted URL with credentials included as part of the URL, e.g. by following such link form some "bookmark" page.  Hence an information leak can only happen when victim performs a specific action that is out of attacker's control.
Comment 8 errata-xmlrpc 2022-05-10 15:32:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:2129 https://access.redhat.com/errata/RHSA-2022:2129
Comment 9 Product Security DevOps Team 2022-05-11 20:45:13 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-38165
Note You need to log in before you can comment on or make changes to this bug.