https://bugzilla.redhat.com/show_bug.cgi?id=1094440
Bug ID: 1094440
Summary: perl-libwww-perl: incorrect handling of SSL certificate verification
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: vdanen@redhat.com
CC: jkurik@redhat.com, mmaslano@redhat.com, perl-devel@lists.fedoraproject.org, perl-maint-list@redhat.com, ppisar@redhat.com, psabata@redhat.com
It was reported [1] that libwww-perl (LWP), when using IO::Socket::SSL (the default) and when the HTTPS_CA_DIR or HTTPS_CA_FILE environment variables were set, would disable server certificate verification. Judging by the commit [2], the intention was to disable only hostname verification for compatibility with Crypt::SSLeay, but the resultant effect is that SSL_verify_mode is set to 0. This code was introduced in LWP::Protocol::https in version 6.04, so earlier versions are not vulnerable.
Potential patches [3],[4] are being discussed upstream [5].
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579
[2] https://github.com/dagolden/lwp-protocol-https/commit/bcc46ce2dab53d2e2baa58...
[3] https://github.com/noxxi/lwp-protocol-https/commit/1b924708663f457a4f7c25ed3...
[4] https://github.com/noxxi/lwp-protocol-https/commit/6b5c876de80451ee54de5d853...
[5] https://github.com/libwww-perl/lwp-protocol-https/pull/14
Statement:
This issue did not affect the versions of perl-libwww-perl as shipped with Red Hat Enterprise Linux 5 and 6.
Vincent Danen vdanen@redhat.com changed:
What    | Removed | Added
--------+---------+--------
Blocks  |         | 1094441
Vincent Danen vdanen@redhat.com changed:
What       | Removed | Added
-----------+---------+--------
Depends On |         | 1094442
--- Comment #1 from Vincent Danen vdanen@redhat.com ---
Created perl-libwww-perl tracking bugs for this issue:
Affects: fedora-all [bug 1094442]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1094442 [Bug 1094442] perl-libwww-perl: incorrect handling of SSL certificate verification [fedora-all]
Petr Pisar ppisar@redhat.com changed:
What | Removed | Added
-----+---------+---------------------------------------------------------
URL  |         | https://github.com/libwww-perl/lwp-protocol-https/pull/14
Martin Prpic mprpic@redhat.com changed:
What  | Removed | Added
------+---------+--------------
Alias |         | CVE-2014-3230
Martin Prpic mprpic@redhat.com changed:
What    | Removed                                                                  | Added
--------+--------------------------------------------------------------------------+----------------------------------------------------------------------------------------
Summary | perl-libwww-perl: incorrect handling of SSL certificate verification     | CVE-2014-3230 perl-libwww-perl: incorrect handling of SSL certificate verification
--- Comment #3 from Martin Prpic mprpic@redhat.com ---
MITRE assigned CVE-2014-3230 to this issue:
http://seclists.org/oss-sec/2014/q2/256
^ also states that additional CVEs may be assigned later.
--- Comment #5 from Petr Pisar ppisar@redhat.com ---
Created attachment 893659 (https://bugzilla.redhat.com/attachment.cgi?id=893659&action=edit): Test case
This is an automated test. It requires openssl(1) and some Perl modules. It checks how HTTPS_CA_FILE environment variable influences LWP::UserAgent behavior regarding certificate verification.
Petr Pisar ppisar@redhat.com changed:
What                           | Removed | Added
-------------------------------+---------+------
Attachment #893659 is obsolete | 0       | 1
--- Comment #6 from Petr Pisar ppisar@redhat.com ---
Created attachment 893881 (https://bugzilla.redhat.com/attachment.cgi?id=893881&action=edit): Test case
Quoting colon in the network address fixed.
--- Comment #7 from Petr Pisar ppisar@redhat.com ---
Created attachment 894671 (https://bugzilla.redhat.com/attachment.cgi?id=894671&action=edit): Proposed fix (part 1)
--- Comment #8 from Petr Pisar ppisar@redhat.com ---
Created attachment 894672 (https://bugzilla.redhat.com/attachment.cgi?id=894672&action=edit): Proposed fix (part 2)
--- Comment #9 from Petr Pisar ppisar@redhat.com ---
Created attachment 894747 (https://bugzilla.redhat.com/attachment.cgi?id=894747&action=edit): Part 1 ported to 6.04
--- Comment #10 from Petr Pisar ppisar@redhat.com ---
Created attachment 894748 (https://bugzilla.redhat.com/attachment.cgi?id=894748&action=edit): Part 2 ported to 6.04
--- Comment #11 from Petr Pisar ppisar@redhat.com ---
Created attachment 895124 (https://bugzilla.redhat.com/attachment.cgi?id=895124&action=edit): Part 3 for 6.04 to restore behavior in F19
This patch is needed for F19 only because there is old IO::Socket::SSL which still defaults to no peer certificate verification.
--- Comment #12 from Fedora Update System updates@fedoraproject.org ---
perl-LWP-Protocol-https-6.04-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
--- Comment #13 from Fedora Update System updates@fedoraproject.org ---
perl-LWP-Protocol-https-6.04-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Bug 1094440 depends on bug 1094442, which changed state.
Bug 1094442 Summary: perl-libwww-perl: incorrect handling of SSL certificate verification [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1094442
What       | Removed  | Added
-----------+----------+-------
Status     | MODIFIED | CLOSED
Resolution | ---      | ERRATA
Tomas Hoger thoger@redhat.com changed:
What       | Removed | Added
-----------+---------+-------
Priority   | high    | medium
Severity   | high    | medium
Whiteboard | impact=important,public=20140501,reported=20140501,source=debian,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,fedora-all/perl-libwww-perl=affected,rhel-5/perl-libwww-perl=notaffected,rhel-6/perl-libwww-perl=notaffected,rhel-7/perl-libwww-perl=affected | impact=moderate,public=20140501,reported=20140501,source=debian,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,fedora-all/perl-libwww-perl=affected,rhel-5/perl-libwww-perl=notaffected,rhel-6/perl-libwww-perl=notaffected,rhel-7/perl-libwww-perl=affected
--- Comment #14 from Tomas Hoger thoger@redhat.com ---
(In reply to Vincent Danen from comment #0)
> This issue did not affect the versions of perl-libwww-perl as shipped with Red Hat Enterprise Linux 5 and 6.
It should be noted that versions of perl-libwww-perl in Red Hat Enterprise Linux 6 do not perform SSL certificate verification by default (see bug 705044, including an example of how to enable certificate checks in IO::Socket::SSL in bug 705044 comment 7). The change to enable SSL verification by default was made upstream in version 6.0.
Upstream version 6.0 also introduced ways to control certificate verification:
- Via LWP::UserAgent ssl_opts attribute: http://search.cpan.org/dist/libwww-perl/lib/LWP/UserAgent.pm#ATTRIBUTES
These allow specifying a path to a file (SSL_ca_file) or a directory (SSL_ca_path) with CA certificates, and whether host name verification should be performed (verify_hostname). If these are not set in a script, environment variables are checked in the following order:
- PERL_LWP_SSL_* variables first, including: PERL_LWP_SSL_VERIFY_HOSTNAME, PERL_LWP_SSL_CA_FILE, and PERL_LWP_SSL_CA_PATH
- HTTPS_CA_* if PERL_LWP_SSL_* are not set: HTTPS_CA_FILE, and HTTPS_CA_DIR. When these are used, host name verification is automatically disabled (for backwards compatibility).
The problem here is that when host name verification is disabled, certificate verification is disabled as well (unless explicitly requested using IO::Socket::SSL's SSL_verify_mode). One such example is the use of HTTPS_CA_* environment variables.
LWP::UserAgent documentation is scarce and ambiguous in defining whether verify_hostname 0 is supposed to only disable hostname check, or all certificate checks. The code seems to assume all checks are disabled. However, that's not really compatible with the (undocumented) assumption that HTTPS_CA_* environment variables are meant to enable certificate checks and only disable hostname checks.
Note that a setup in which the certificate is checked without checking the host name is usually insecure, as a malicious site can obtain an SSL certificate from a trusted CA for a different name and still have it accepted as valid for a different host.
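The two configurations discussed in comment #0 and comment #14, as an added Perl example. This is not code from the bug report, from libwww-perl or from LWP::Protocol::https; it builds one LWP::UserAgent the legacy way (CA bundle handed over through HTTPS_CA_FILE, nothing else configured) and one with explicit ssl_opts, prints the ssl_opts each agent ended up with, and fetches the same URL with both. The DEMO_CA_FILE variable, the default bundle path and the localhost URL are placeholders; the openssl s_server command in the comments is only a suggestion for a test peer whose certificate does not chain to the bundle.

```perl
#!/usr/bin/perl
# Added example for bug 1094440 / CVE-2014-3230. Not code from the bug
# report, from libwww-perl or from LWP::Protocol::https.
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

# Placeholders (assumptions): CA bundle path and target URL. Point the URL
# at a test server whose certificate does NOT chain to $ca_file, e.g.
#   openssl s_server -www -accept 4433 -cert selfsigned.pem -key key.pem
# so that the two agents can behave differently.
my $ca_file = $ENV{DEMO_CA_FILE} // '/etc/pki/tls/certs/ca-bundle.crt';
my $url     = $ARGV[0]           // 'https://localhost:4433/';

# The legacy deployment described in the report: the trust store is passed
# to LWP through the environment, as Crypt::SSLeay users did.
$ENV{HTTPS_CA_FILE} = $ca_file;

# Agent built the way the report describes. LWP::UserAgent turns the
# HTTPS_CA_FILE setting into verify_hostname => 0 (Crypt::SSLeay
# compatibility); an unfixed LWP::Protocol::https 6.04 turns that into
# SSL_verify_mode 0, so the peer certificate is not checked at all.
sub weak_agent {
    return LWP::UserAgent->new(timeout => 10);
}

# Hardened agent: every verification option is set in code, where it takes
# precedence over the environment. verify_hostname => 1 matters most (a
# chain check without a name check is what comment #14 warns about);
# SSL_verify_mode is pinned explicitly so the protocol module never derives
# it from verify_hostname.
sub hardened_agent {
    return LWP::UserAgent->new(
        timeout  => 10,
        ssl_opts => {
            verify_hostname => 1,
            SSL_ca_file     => $ca_file,
            SSL_verify_mode => SSL_VERIFY_PEER,
        },
    );
}

# Print the ssl_opts LWP derived for the agent, then report whether the
# server's certificate was accepted. Returns true on a successful fetch.
sub probe {
    my ($label, $ua) = @_;
    my @names = $ua->ssl_opts;    # without arguments: list of option names
    my @opts  = map { "$_=" . ($ua->ssl_opts($_) // 'undef') } sort @names;
    printf "%-8s ssl_opts: %s\n", $label, join(', ', @opts);

    my $res = $ua->get($url);
    printf "%-8s GET %s -> %s\n", $label, $url,
        $res->is_success ? 'accepted' : 'rejected: ' . $res->status_line;
    return $res->is_success;
}

my $weak_ok     = probe('weak',     weak_agent());
my $hardened_ok = probe('hardened', hardened_agent());

# Against a certificate that $ca_file does not trust, "accepted" from the
# weak agent is the CVE-2014-3230 behaviour. The hardened agent must reject
# it whatever LWP::Protocol::https version is installed.
print "\nVERDICT: weak agent accepted an untrusted certificate (affected build)\n"
    if $weak_ok && !$hardened_ok;
```

Run it as `perl lwp-verify-probe.pl https://localhost:4433/` with a self-signed test server listening there. On an affected LWP::Protocol::https 6.04 the weak agent reports SSL_verify_mode 0 (or no SSL_verify_mode at all, with verify_hostname 0) and "accepted"; with the fix applied it rejects the untrusted chain as well, although it still skips the host name check, which is why the explicit ssl_opts form is the one to ship.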
Tomas Hoger thoger@redhat.com changed:
What        | Removed | Added
------------+---------+--------------------
Status      | NEW     | CLOSED
Resolution  | ---     | WONTFIX
Last Closed |         | 2015-11-27 10:12:13
Whiteboard  | impact=moderate,public=20140501,reported=20140501,source=debian,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,fedora-all/perl-libwww-perl=affected,rhel-5/perl-libwww-perl=notaffected,rhel-6/perl-libwww-perl=notaffected,rhel-7/perl-libwww-perl=affected | impact=moderate,public=20140501,reported=20140501,source=debian,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,rhel-5/perl-libwww-perl=notaffected,rhel-6/perl-libwww-perl=notaffected,rhel-7/perl-libwww-perl=wontfix,fedora-all/perl-libwww-perl=affected
Ján Rusnačko jrusnack@redhat.com changed:
What       | Removed | Added
-----------+---------+--------------------
CC         |         | jrusnack@redhat.com
Whiteboard | impact=moderate,public=20140501,reported=20140501,source=debian,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,rhel-5/perl-libwww-perl=notaffected,rhel-6/perl-libwww-perl=notaffected,rhel-7/perl-libwww-perl=wontfix,fedora-all/perl-libwww-perl=affected | impact=moderate,public=20140501,reported=20140501,source=debian,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,rhel-5/perl-libwww-perl=notaffected,rhel-6/perl-libwww-perl=notaffected,rhel-7/perl-libwww-perl=wontfix,fedora-all/perl-libwww-perl=affected,cwe=CWE-295