Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu,  9 Jun 2016 13:52:49 -0400 (EDT)
From: cve-assign@...re.org
To: meissner@...e.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: ruby openssl hostname verification issue

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> This probably warrants a CVE:
> 
> https://github.com/ruby/openssl/issues/8

We are not sure exactly what issue you believe should have a CVE ID,
There seem to be three issues that are somewhat related. Our short
answer is "probably there shouldn't be a CVE ID - the main concern was
that the documentation needed to be improved, and the vendor instead
decided to change the API semantics and break one (rare) use case."

Here's some discussion of the three issues.

> VERIFY_PEER only checks the cert chain is rooted in the local
> truststore. It does not check if the subject is valid in and of
> itself.

One might argue that this behavior should have a CVE ID because it is
not properly documented. Some users might have guessed that
VERIFY_PEER did validate the subject, because it is very rare for
anyone to want to establish only that a certificate is rooted in the
local truststore, with any arbitrary subject.

Other products, such as libcurl, have a similarly named option with
the same behavior, but with explicit documentation, e.g.,

  https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html
  "Authenticating the certificate is not enough to be sure about the
  server. You typically also want to ensure that the server is the
  server you mean to be talking to. Use CURLOPT_SSL_VERIFYHOST for
  that."

However, there apparently isn't an analogous OpenSSL::SSL::VERIFY_HOST
for Ruby.

Still, our initial thought is that underdocumenting
OpenSSL::SSL::VERIFY_PEER, by itself, should not have a CVE ID. Users
may be able to realize, possibly from their knowledge of libcurl, that
an option called VERIFY_PEER or VERIFYPEER is typically insufficient.


> My understanding is the ssl_socket.post_connection_check(hostname) method
> must be called to ensure the subject is correctly verified. However,
> communication is allowed to remote services without verifying the subject.

Here, maybe the problem is a race condition. In other words, there is
inherently a time window in which communication can occur with an
unexpected host. Possibly, in most common scenarios in which the
application author did understand the post_connection_check
documentation, nothing security-relevant happens in this time window,
e.g., a client would not be sending requests to a server before the
post_connection_check step. However, there may be uncommon scenarios
where something security-relevant can happen in this time window.

Do you believe that these uncommon scenarios actually occur, and
therefore this race condition should have a CVE ID?


> I would suggest throwing an exception if VERIFY_PEER is configured and
> I/O is attempted without first calling post_connection_check

Here, you seem to be suggesting that VERIFY_PEER is never sufficient
in any scenario. This seems to be equivalent to suggesting that the
libcurl choice of using CURLOPT_SSL_VERIFYPEER without
CURLOPT_SSL_VERIFYHOST is always wrong, and should not even be
possible in the libcurl API.

Do you believe that there should be a CVE ID, in general, for "the
product needlessly offers a way to skip subject validation"?

(We don't know all of the use cases for skipping subject validation.
We think that it is typically useful only within isolated networks.
For example, consider a scenario where the local truststore recognizes
exactly one CA, this CA has only ever issued one certificate, and the
certificate happens to have an arbitrary subject, but is intentionally
used on multiple intranet HTTPS servers that are trusted by the same
intranet clients. Here, subject validation doesn't really help anyone,
and mandating subject validation would break this use case.)

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXWawKAAoJEHb/MwWLVhi2tgkP/2xjIkd96YWn0dYlo0XWD00s
9rdCsybI7FffGljxN0eioA33cAGbZ7Xw6OHjQMfjuV6V9eprWwjFQvRKmO/5nJcI
Wqw24KonYbeoNwYZVMcESfKMefPitEUFf2FYs1blo4PoEJx+3bOUvpnA2576f11k
f5mBX3GIj5SoRzxr5f3gQfVW/CZfvJgeVEmb7g/I868kXOeNPR78/OIGogj96s9v
4bOFg7nAd20uHTKScKl82Gh5VcuL4ZWaKJhVGmdC6AH/7YTLIWbFNwKWv/LhZTzl
YxBl/FfZG6M1glRpqDUnIEGj0EEtA0EyTUxrtNrL0nVxxh6ZyowEAH8wlNsFuwuU
KsKC7JJsrPtG+SxMXwdc10jDvUufS1XPPvm1KVOEy/MRRLWYcxlPKOGM3SD/Pchw
qijozFYx59ORKg47NUVKOzvahan1GLoDXKaxXQZzN7ll6PwiKsFpEGBPbNQEsuBq
gUMuws4UC1g5yD2p0RreC2X4S0EXA0MbdGo0ovIYH/C1uhJdooIQt6UvajVa9X3X
0NFnvpJuj3q+dxWD8H0BwVvg9CQTeFslD04ZMJND1TeXJWYBMElIVgDc8Bc0IYzw
SRjEyqX5GK9qXiR/VOW+XhHzcRkY8Rd6n+M8timCOjqIGWu9bOhVLtKovbnudM4L
9tJEbPydeJGuvSmiEkTS
=KqPE
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.