Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 17 Feb 2016 22:54:44 -0500 (EST)
From: cve-assign@...re.org
To: mmc@...areup.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request - OkHttp Certificate Pining Bypass

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> A vulnerability was discovered in OkHttp that allows an attacker to bypass
> certificate pinning. OkHttp did not validate that the pinned certificate
> was in the chain to a trusted certificate authority.
> 
> This resulted in an attacker being able to present a certificate chain with
> a certificate issued by one trusted certificate authority, and additionally
> including the pinned certificate authority. Because the pinned certificate
> was present, and the certificate was issued by a trusted certificate
> authority, the server's certificate was accepted. However, it should not
> have been accepted as the pinned certificate was not in the trust chain.
> 
> This allows an attacker to obtain a certificate from a non-pinned but
> trusted CA, then have OkHttp connect to that server, bypassing certificate
> pinning.

We found this wording to be somewhat confusing, but we believe we
understand what was meant, so the CVE ID is included below.

Essentially, we think "attacker being able to present a certificate
chain with a certificate issued by one trusted certificate authority,
and additionally including the pinned certificate authority" was
intended to state "attacker being able to present a certificate chain
with a certificate issued by one trusted certificate authority, and
additionally include the pinned certificate." The use of "including"
instead of "include" in that sentence seemed to imply that "including
the pinned certificate authority" was a phrase describing the server
end-entity certificate: that would not make sense.

Use CVE-2016-2402.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWxUAUAAoJEL54rhJi8gl5GcEP/iubChgKfa8SqskoVdCi9+P1
yBMrAZRqU2vfyiq+ZtLyr9K+0WbgliFot1RSxP/wXzvAt1zZo0dZyYsxdH6LhDi+
B6ACYVorpRxEsZ4U35wf1E892LRoeSXMDsjm//7vRvMkCssLanFtgcCO3sJ68uxe
URLFX+CsoJ82BsyqA4tm3HMQsfbSk6WN2pnf5ZkMy366FslbAkyR0PYM/kFfNBtm
Hd/J+M6lKzi5ZchxeeEX+h91iGkVg9HUcrvHyMwwR4nxnI0xCMscLoYrqbuacbe1
BCLW5+UYI1011soo5UBsbRXCRNAyL9JeMXmonpqPkXP41PlpOmFfwX7y+hCAzGnn
mW22iXY/YERYTKnote8VGaWxV0h6gthagyZWaY03AA/T4371aD+37xMzqKAAjWrO
3FuFo9B1ppYTjCmRRPHaQD5ccFJZmap1IWTsaHcJxEyNlHZ3YiyB5V2Nn8aZpSgC
1OoNodfBsC2fb+SkjXpEIpN8Aodw71ZQByFDjE65q20ZPYqbmUiOZgFlQ2mEYamO
EBv/LXxPKMRGC2vHSqkVu9qfh71s48bCKqhyz42HU0WnQyhsdgi0A2KdaVBBkDVz
81HTJUssP5UGoThf1xN5/y0nsHK0/VLhCV8oeEXd0WHiwrfzLARDiOrwhIDML0cD
o2JbErxSMlMhZSdwjTuU
=VVYc
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.