[Ubuntu-ha] [Bug 1374730] Re: X509 certificate verification problem

Sun, 12 Oct 2014 05:36:49 -0700 

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
High Availability Team, which is subscribed to keepalived in Ubuntu.
https://bugs.launchpad.net/bugs/1374730

Title:
  X509 certificate verification problem

Status in “keepalived” package in Ubuntu:
  New

Bug description:
  Hostname verification is an important step when verifying X509
  certificates, however, people tend to miss the step when using
  SSL/TLS, which might cause severe man in the middle attack and break
  the entire TLS mechanism.

  We believe that keepalived didn't check whether the hostname matches
  the name in the ssl certificate and the expired date of the
  certificate.

  We found the vulnerability by static analysis, typically, a process of 
verfication involves calling a chain of API, and we can deduce whether the 
communication process is vulnerable by detecting whether the process satisfies 
a certain relation.
  The result format is like this:
  notice: Line Number@Method Name, Source File

  We provide this result to help developers to locate the problem
  faster.

  This is the result for keepalived:
  PDG]ssl_connect'1
        [Found]SSL_connect()
        [HASH] 1598777261 [LineNo]@ 211[Kind]call-site[Char] SSL_connect()[Src] 
/home/roca/workspace/codebase/code/ubuntu_pkg/keepalived/keepalived-1.2.2/keepalived/check/check_ssl.c
        [Warning] SSL_new() not found!
  [PDG]ssl_connect
        [Found]SSL_connect()
        [HASH] 2061808858 [LineNo]@ 107[Kind]call-site[Char] SSL_connect()[Src] 
/home/roca/workspace/codebase/code/ubuntu_pkg/keepalived/keepalived-1.2.2/genhash/ssl.c
        [Warning] SSL_new() not found!

  
  We don't have a POC because we didn't succeed in configuring this software or 
don't know the way to verify the vulnerability. But through the analysis of the 
source code, we believe it breaks the ssl certificate verfication protocol.

  for more information about the importance of checking hostname:
  see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf

  Thanks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/keepalived/+bug/1374730/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~ubuntu-ha
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~ubuntu-ha
More help   : https://help.launchpad.net/ListHelp

Reply via email to