Hide Forgot
Mishandling the userinfo subcomponent of a URI allows remote attackers to discover cleartext credentials because they may appear in SNI data. References: https://lynx.invisible-island.net/current/CHANGES.html#v2.9.0dev.9 https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00002.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991971
Created lynx tracking bugs for this issue: Affects: fedora-all [bug 1994999]
Created attachment 1815719 [details] Upstream patch Extracted from lynx 2.9.0dev.9.
This issue was caused by incorrect extraction of server host names from URLs for use during TLS/SSL connection handshakes. If URL contained userinfo part, i.e. authentication credentials, embedded in URLs as http://user:password@server.name, the extracted hostname included not only "server.name", but also the credentials part "user:password". This value was used during verification of server identity and would often cause verification to fail due to connection hostname not matching name stored in server certificate. Verification could still succeed for wild card certificates. The value was also included as part of the Server Name Indication (SNI) TLS extension data and sent unencrypted as part of the Client Hello packet during the TLS connection handshake. This is how authentication credentials could have been exposed to an attacker able to eavesdrop on the network connection between the lynx browser and the server. This issue did not affect lynx version in Red Hat Enterprise Linux 6, as SNI support was first added to lynx in version 2.8.7pre2: https://lynx.invisible-island.net/current/CHANGES.html#v2.8.7pre.2
Note that this issue can not be exploited by having a victim visit a malicious URL or page prepared by an attacker, as such URL or any link on such page would only contain credentials already known to an attacker. The issue is only relevant in cases when a user uses lynx to access some trusted URL with credentials included as part of the URL, e.g. by following such link form some "bookmark" page. Hence an information leak can only happen when victim performs a specific action that is out of attacker's control.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:2129 https://access.redhat.com/errata/RHSA-2022:2129
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-38165