** Description changed: - Hostname verification is an important step when verifying X509 - certificates, however, people tend to miss the step when using SSL/TLS, - which might cause severe man in the middle attack and break the entire - TLS mechanism. - - We believe that keepalived didn't check whether the hostname matches the - name in the ssl certificate and the expired date of the certificate. + When using OpenSSL, one needs to follow a certain process to ensure the + verification of the certificate is successful. But we believe that + keepalived didn't follow the correct process of verifying X509 + certificate which makes certain attacks possible. We found the vulnerability by static analysis, typically, a process of verfication involves calling a chain of API, and we can deduce whether the communication process is vulnerable by detecting whether the process satisfies a certain relation. The result format is like this: notice: Line Number@Method Name, Source File We provide this result to help developers to locate the problem faster. This is the result for keepalived: PDG]ssl_connect'1 - [Found]SSL_connect() - [HASH] 1598777261 [LineNo]@ 211[Kind]call-site[Char] SSL_connect()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/keepalived/keepalived-1.2.2/keepalived/check/check_ssl.c - [Warning] SSL_new() not found! + [Found]SSL_connect() + [HASH] 1598777261 [LineNo]@ 211[Kind]call-site[Char] SSL_connect()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/keepalived/keepalived-1.2.2/keepalived/check/check_ssl.c + [Warning] SSL_new() not found! [PDG]ssl_connect - [Found]SSL_connect() - [HASH] 2061808858 [LineNo]@ 107[Kind]call-site[Char] SSL_connect()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/keepalived/keepalived-1.2.2/genhash/ssl.c - [Warning] SSL_new() not found! + [Found]SSL_connect() + [HASH] 2061808858 [LineNo]@ 107[Kind]call-site[Char] SSL_connect()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/keepalived/keepalived-1.2.2/genhash/ssl.c + [Warning] SSL_new() not found! - - We don't have a POC because we didn't succeed in configuring this software or don't know the way to verify the vulnerability. But through the analysis of the source code, we believe it breaks the ssl certificate verfication protocol. + We don't have a POC because we didn't succeed in configuring this + software or don't know the way to verify the vulnerability. But through + the analysis of the source code, we believe it breaks the ssl + certificate verfication protocol. for more information about the importance of checking hostname: see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf Thanks.
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1374730 Title: X509 certificate verification problem To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/keepalived/+bug/1374730/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
