Hostname check bypassing vulnerability in SSL client (CVE-2013-4073)

Posted by nahi on 27 Jun 2013

A vulnerability in Ruby’s SSL client could allow man-in-the-middle attackers to spoof SSL servers via a valid certificate issued by a trusted certification authority.

This vulnerability has been assigned the CVE identifier CVE-2013-4073.

Summary

Ruby’s SSL client implements a hostname identity check, but it does not properly handle hostnames in the certificate that contain null bytes.

Details

OpenSSL::SSL.verify_certificate_identity implements the RFC 2818 server identity check for Ruby’s SSL client, but it does not properly handle hostnames in the subjectAltName X509 extension that contain null bytes.

Existing code in lib/openssl/ssl.rb uses OpenSSL::X509::Extension#value for extracting identities from subjectAltName. Extension#value depends on the OpenSSL function X509V3_EXT_print(), which formats the dNSName entries of subjectAltName with sprintf(); sprintf() treats the name as a NUL-terminated C string and stops at the first null byte. As a result, Extension#value returns ‘www.ruby-lang.org’ if the subjectAltName is ‘www.ruby-lang.org\0.example.com’, and OpenSSL::SSL.verify_certificate_identity wrongly identifies the certificate as one for ‘www.ruby-lang.org’.

If a CA trusted by the SSL client issues a server certificate whose subjectAltName contains a null byte, a remote attacker can obtain a certificate for ‘www.ruby-lang.org\0.example.com’ from that CA, present it as the certificate for ‘www.ruby-lang.org’, and mount a man-in-the-middle attack between Ruby’s SSL client and the real SSL server.
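The following is an added example, not code from the advisory or from Ruby’s own lib/openssl/ssl.rb. It constructs a subjectAltName extension directly from DER (the only way to get a NUL byte into a dNSName, since OpenSSL’s config-string parser is itself a C-string consumer), then contrasts two verifiers: one that sees the identifier truncated at the NUL, as the pre-fix Extension#value path did, and one that decodes the ASN.1 structure and compares the full byte string. The truncation is simulated with a regexp rather than by calling Extension#value, because what that method returns for such input varies between OpenSSL releases. All function names, the wildcard-matching rule and the sample identifier are this example’s own assumptions.

```ruby
require 'openssl'

# Constructed sample identifier (not from any real CA-issued certificate):
# the attacker-controlled dNSName from the advisory, with its embedded NUL.
SPOOFED_DNS_NAME = "www.ruby-lang.org\0.example.com".b

# Build a subjectAltName extension by hand from DER so the NUL byte survives.
# (OpenSSL's config-string parser, used by ExtensionFactory, is a C string
# consumer and would stop at the NUL.)
def build_san_extension(dns_names)
  general_names = dns_names.map do |name|
    # GeneralName ::= CHOICE { ... dNSName [2] IMPLICIT IA5String ... }
    OpenSSL::ASN1::IA5String.new(name.b, 2, :IMPLICIT)
  end
  der = OpenSSL::ASN1::Sequence.new(general_names).to_der
  OpenSSL::X509::Extension.new('subjectAltName', der, false)
end

# Parse the extension back into raw dNSName byte strings. This is the shape of
# the hardened approach: decode the DER structure instead of printing it
# through X509V3_EXT_print(), so every byte of the identifier is preserved.
def dns_names_from_san(ext)
  # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
  #                          extnValue OCTET STRING }
  extn_value = OpenSSL::ASN1.decode(ext.to_der).value.last.value
  OpenSSL::ASN1.decode(extn_value).value
    .select { |gn| gn.tag_class == :CONTEXT_SPECIFIC && gn.tag == 2 }
    .map { |gn| gn.value.b }
end

# Simulates what the pre-fix verifier was handed: X509V3_EXT_print() formatted
# the dNSName with sprintf("%s"), which stops at the first NUL byte.
def c_string_truncate(bytes)
  bytes[/\A[^\0]*/]
end

# RFC 2818 style comparison: case-insensitive, "*" matches exactly one label.
# A NUL can never appear in a legitimate DNS identifier, so reject it outright
# rather than letting any later C-string consumer truncate it.
def hostname_match?(hostname, identifier)
  return false if identifier.include?("\0")
  pattern = Regexp.escape(identifier).gsub('\*', '[^.]+')
  /\A#{pattern}\z/i.match?(hostname)
end

# Vulnerable shape: match against the identifier as a C string would see it.
def vulnerable_verify?(hostname, san_ext)
  dns_names_from_san(san_ext).any? { |n| hostname_match?(hostname, c_string_truncate(n)) }
end

# Fixed shape: match against the identifier exactly as encoded in the cert.
def fixed_verify?(hostname, san_ext)
  dns_names_from_san(san_ext).any? { |n| hostname_match?(hostname, n) }
end

if $PROGRAM_NAME == __FILE__
  spoof = build_san_extension([SPOOFED_DNS_NAME])
  puts "raw dNSName: #{dns_names_from_san(spoof).first.inspect}"
  puts "pre-fix verifier accepts www.ruby-lang.org: #{vulnerable_verify?('www.ruby-lang.org', spoof)}"
  puts "fixed verifier accepts www.ruby-lang.org:   #{fixed_verify?('www.ruby-lang.org', spoof)}"
end
```

Run it as a script to see the two verdicts side by side. The practical lesson for any verifier, not only Ruby’s, is to take identifiers from the decoded ASN.1 value (a length-delimited byte string) and never from a pretty-printer that goes through C string functions.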

Affected versions

All ruby 1.8 versions prior to ruby 1.8.7 patchlevel 374
All ruby 1.9 versions prior to ruby 1.9.3 patchlevel 448
All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 247

Solution

All users are recommended to upgrade to Ruby 2.0.0-p247, 1.9.3-p448 or 1.8.7-p374.

Credit

This vulnerability has been found by William (B.J.) Snow Orvis and coordinated with security@ruby-lang.org by David Thiel from iSEC Partners.

History