*** This bug is a security vulnerability *** Public security bug reported:
Recently, we are trying to find SSL security problems by static analysis. For example, as we all know, Hostname verification is an important step when verifying X509 certificates, however, people tend to miss the step or to misunderstand the APIs when using SSL/TLS, which might cause severe man in the middle attack and break the entire TLS mechanism. And static analysis is a way of finding whether the APIs are called correctly. Now, we find some SSL problems in pacemaker, the following is details: 1. file : /pacemaker-1.1.6/lib/common/remote.c problem : Certificate chain verification is missing 2. file : /pacemaker-1.1.6/lib/common/remote.c problem : Hostname verification is missing More specifically , we can take hostname check for example, the function verify_certificate() can only guarantee the validity of the certificate but cannot guarantee that the host you are trying to connect is the one you intend to visit, which may lead to man-in-the-middle attack or other security issues. And other APIs have similar problems. PS: for more information, you can see the paper: http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf and more details you can contact with us, my email : [email protected] Thanks. ** Affects: pacemaker (Ubuntu) Importance: Undecided Status: New ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu High Availability Team, which is subscribed to pacemaker in Ubuntu. https://bugs.launchpad.net/bugs/1380038 Title: SSL problems: doesn't check certificate chain and hostname when ssl connecting Status in “pacemaker” package in Ubuntu: New Bug description: Recently, we are trying to find SSL security problems by static analysis. For example, as we all know, Hostname verification is an important step when verifying X509 certificates, however, people tend to miss the step or to misunderstand the APIs when using SSL/TLS, which might cause severe man in the middle attack and break the entire TLS mechanism. And static analysis is a way of finding whether the APIs are called correctly. Now, we find some SSL problems in pacemaker, the following is details: 1. file : /pacemaker-1.1.6/lib/common/remote.c problem : Certificate chain verification is missing 2. file : /pacemaker-1.1.6/lib/common/remote.c problem : Hostname verification is missing More specifically , we can take hostname check for example, the function verify_certificate() can only guarantee the validity of the certificate but cannot guarantee that the host you are trying to connect is the one you intend to visit, which may lead to man-in-the- middle attack or other security issues. And other APIs have similar problems. PS: for more information, you can see the paper: http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf and more details you can contact with us, my email : [email protected] Thanks. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pacemaker/+bug/1380038/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~ubuntu-ha Post to : [email protected] Unsubscribe : https://launchpad.net/~ubuntu-ha More help : https://help.launchpad.net/ListHelp
