Potential Vulnerability for X509 Certificate Verification

Bug #1380235 reported by Jerry Zhang
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
spamassassin (Ubuntu)
Expired
Undecided
Unassigned

Bug Description

Hostname verification is an important step when verifying X509 certificates, however, people tend to miss the step when using SSL/TLS, which might cause severe man in the middle attack and break the entire TLS mechanism.

We believe that spamc didn't check whether the hostname matches the name in the ssl certificate.

We found the vulnerability by static analysis, typically, a process of verification involves calling a chain of API, and we can deduce whether the communication process is vulnerable by detecting whether the process satisfies a certain relation.
The result format is like this:
notice: Line Number@Method Name, Source File

We provide this result to help developers to locate the problem faster.

This is the result for spamc:
[PDG]message_filter
 [Found]SSL_connect()
 [HASH] 3238387200 [LineNo]@ 1369[Kind]call-site[Char] SSL_connect()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
 [INFO] API SSL_new() Found! --> [HASH] 2841348688 [LineNo]@ 1367[Kind]call-site[Char] SSL_new()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
 [INFO] API SSL_CTX_new() Found! --> [HASH] 1784966074 [LineNo]@ 1211[Kind]call-site[Char] SSL_CTX_new()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
 [Warning] No secure SSL_Method API found! Potentially vulnerable!!!
[PDG]message_tell
 [Found]SSL_connect()
 [HASH] 3756788397 [LineNo]@ 1717[Kind]call-site[Char] SSL_connect()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
 [INFO] API SSL_new() Found! --> [HASH] 894746177 [LineNo]@ 1715[Kind]call-site[Char] SSL_new()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
 [INFO] API SSL_CTX_new() Found! --> [HASH] 1784966074 [LineNo]@ 1211[Kind]call-site[Char] SSL_CTX_new()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
 [Warning] No secure SSL_Method API found! Potentially vulnerable!!!

We don't have a POC because we didn't succeed in configuring this software or don't know the way to verify the vulnerability. But through the analysis of the source code, we believe it breaks the ssl certificate verfication protocol.

for more information about the importance of checking hostname:
see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf

Thanks.

Jerry Zhang (jerryzh168)
information type: Private Security → Public Security
Jerry Zhang (jerryzh168)
description: updated
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting a bug in Ubuntu. Has this issue been files/forwarded upstream?

Changed in spamassassin (Ubuntu):
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for spamassassin (Ubuntu) because there has been no activity for 60 days.]

Changed in spamassassin (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.