Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 7 Aug 2021 15:26:09 -0500 (CDT)
From: Ariadne Conill <ariadne@...eferenced.org>
To: Axel Beckert <abe@...ian.org>
cc: Salvatore Bonaccorso <carnil@...ian.org>, oss-security@...ts.openwall.com, 
    Ariadne Conill <ariadne@...eferenced.org>, 991971@...s.debian.org, 
    lynx-dev@...gnu.org, security@...ian.org
Subject: Re: Re: Bug#991971: [Lynx-dev] bug in Lynx' SSL
 certificate validation -> leaks password in clear text via SNI (under some
 circumstances)

Hi,

On Sat, 7 Aug 2021, Axel Beckert wrote:

> Hi Salvatore, Dear Ariadne,
>
> Salvatore Bonaccorso wrote:
>>> This is more severe than it initially looked like: Due to TLS Server
>>> Name Indication (SNI) the hostname as parsed by Lynx (i.e with
>>> "user:pass@" included) is sent in _clear_ text over the wire even
>>> _before_ I can even said "n" for "no, don't continue to talk with this
>>> server" in Lynx's prompt as shown above.
> […]
>>> IMHO this nevertheless needs a CVE-ID.
>>
>> MITRE did assign CVE-2021-38165.
>
> Thanks Salvatore. I updated the debian/changelog entry for the next
> upload as well as the title of the Debian bug report.

+1, thanks for getting a CVE for this.

>> MITRE raised the question: Does 2.9.0dev.9 (mentioned on the
>> https://lynx.invisible-island.net/current/CHANGES.html page) fix the
>> entire problem?
>
> At this point a huge thanks to Thomas Dickey (Lynx upstream) for
> providing a fixed version so quickly!

I think 2.9.0dev.9 fixes the problem, even if the fix is, well, not the 
way I would do it.

>
>> https://www.openwall.com/lists/oss-security/2021/08/07/7 claims that
>> credentials appear in the HTTP Host header to an http:// (i.e.,
>> non-SSL) website.
>
> Indeed and a good point.
>
> Citing from Ariadne's mail:
>> The issue itself is far more severe: HTParse() does not understand
>> the authn part of the URI at all.
> […]
>> But it will also leak in the Host: header on unencrypted
>> connections, and also probably SSL ones too.
>
> But that looks to me as if Ariadne just refers to the code and hasn't
> actually checked it by trying it. Nevertheless thanks to Ariadne for
> having had a look and proposing a patch!

Yes, this was my guess since HTParse() doesn't understand the authn part. 
But this seems like a rather unfortunate design: parse the URI wrong, and 
then "fix" it later?  Why not just parse the URI right, to begin with?

So strange...

Ariadne

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.