Potential Vulnerability for X509 Certificate Verification

Bug #1380231 reported by Jerry Zhang
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
nagios-plugins (Ubuntu)
New
Undecided
Unassigned

Bug Description

Hostname verification is an important step when verifying X509 certificates, however, people tend to miss the step when using SSL/TLS, which might cause severe man in the middle attack and break the entire TLS mechanism.

We believe that nagios-plugins-basic didn't check whether the hostname matches the name in the ssl certificate.

We found the vulnerability by static analysis, typically, a process of verification involves calling a chain of API, and we can deduce whether the communication process is vulnerable by detecting whether the process satisfies a certain relation.
The result format is like this:
notice: Line Number@Method Name, Source File

We provide this result to help developers to locate the problem faster.

This is the result for nagios-plugins-basic:
[PDG]np_net_ssl_init_with_hostname
 [Found]SSL_connect()
 [HASH] 2965878942 [LineNo]@ 60[Kind]call-site[Char] SSL_connect()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c
 [INFO] API SSL_new() Found! --> [HASH] 3737899610 [LineNo]@ 54[Kind]call-site[Char] SSL_new ()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c
 [INFO] API SSL_CTX_new() Found! --> [HASH] 26244883 [LineNo]@ 50[Kind]call-site[Char] SSL_CTX_new ()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c
 [INFO] API SSLv23_client_method() Found! --> [HASH] 1523132904 [LineNo]@ 50[Kind]call-site[Char] SSLv23_client_method ()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c
 [INFO] API SSL_get_peer_certificate() Found! --> [HASH] 316360603 [LineNo]@ 107[Kind]call-site[Char] SSL_get_peer_certificate()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c
 [Warning] No SSL_get_peer_certificate() && SSL_get_verify_result() APIs found! Potentially vulnerable!!!

We don't have a POC because we didn't succeed in configuring this software or don't know the way to verify the vulnerability. But through the analysis of the source code, we believe it breaks the ssl certificate verfication protocol.

for more information about the importance of checking hostname:
see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf

Thanks.

Jerry Zhang (jerryzh168)
information type: Private Security → Public Security
Jan Wagner (waja)
information type: Public Security → Public
Revision history for this message
Jan Wagner (waja) wrote :

Right from the plugins documentation (--help) of the plugins:

 Please note that this plugin does not check if the presented server
 certificate matches the hostname of the server, or if the certificate
 has a valid chain of trust to one of the locally installed CAs.

The question now is, how do you come to the conclusion, that the plugins "didn't check ... the expired date of the certificate."?

Revision history for this message
Jerry Zhang (jerryzh168) wrote :

Thanks for your reply.

Sorry, I don't think that we can reach this conclusion from the analysis. I've deleted that in the report now. This happens because we are using a template to report this kind of problems.

But about checking the hostname, are you going to act on it or you have a reason for not doing so?

description: updated
Revision history for this message
Jan Wagner (waja) wrote :

Upstream is accepting PullRequest for such features to implement that in general for all those ssl/tls capable checks as an option.
More details about contributing can be found at: https://www.monitoring-plugins.org/development.html

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.