[prev in list] [next in list] [prev in thread] [next in thread]
List: spamassassin-devel
Subject: [Bug 7092] New: Vulnerability for X509 Certificate Verification
From: bugzilla-daemon () bugzilla ! spamassassin ! org
Date: 2014-10-16 15:48:07
Message-ID: bug-7092-26 () https ! issues ! apache ! org/SpamAssassin/
[Download RAW message or body]
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7092
Bug ID: 7092
Summary: Vulnerability for X509 Certificate Verification
Product: Spamassassin
Version: unspecified
Hardware: PC
OS: Linux
Status: NEW
Severity: major
Priority: P2
Component: Packaging: debian
Assignee: dev@spamassassin.apache.org
Reporter: jerryzh168@gmail.com
Hostname verification is an important step when verifying X509 certificates,
however, people tend to miss the step when using SSL/TLS, which might cause
severe man in the middle attack and break the entire TLS mechanism.
We believe that spamc didn't check whether the hostname matches the name in the
ssl certificate.
We found the vulnerability by static analysis, typically, a process of
verification involves calling a chain of API, and we can deduce whether the
communication process is vulnerable by detecting whether the process satisfies
a certain relation.
The result format is like this:
notice: Line Number@Method Name, Source File
We provide this result to help developers to locate the problem faster.
This is the result for spamc:
[PDG]message_filter
[Found]SSL_connect()
[HASH] 3238387200 [LineNo]@ 1369[Kind]call-site[Char] SSL_connect()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
[INFO] API SSL_new() Found! --> [HASH] 2841348688 [LineNo]@
1367[Kind]call-site[Char] SSL_new()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
[INFO] API SSL_CTX_new() Found! --> [HASH] 1784966074 [LineNo]@
1211[Kind]call-site[Char] SSL_CTX_new()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
[Warning] No secure SSL_Method API found! Potentially vulnerable!!!
[PDG]message_tell
[Found]SSL_connect()
[HASH] 3756788397 [LineNo]@ 1717[Kind]call-site[Char] SSL_connect()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
[INFO] API SSL_new() Found! --> [HASH] 894746177 [LineNo]@
1715[Kind]call-site[Char] SSL_new()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
[INFO] API SSL_CTX_new() Found! --> [HASH] 1784966074 [LineNo]@
1211[Kind]call-site[Char] SSL_CTX_new()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
[Warning] No secure SSL_Method API found! Potentially vulnerable!!!
We don't have a POC because we didn't succeed in configuring this software or
don't know the way to verify the vulnerability. But through the analysis of the
source code, we believe it breaks the ssl certificate verfication protocol.
for more information about the importance of checking hostname:
see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
Thanks.
Also reported to launchpad at:
https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1380235
--
You are receiving this mail because:
You are the assignee for the bug.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic