*** This bug is a security vulnerability ***
Public security bug reported:
Hostname verification is an important step when verifying X509
certificates, however, people tend to miss the step when using SSL/TLS,
which might cause severe man in the middle attack and break the entire
TLS mechanism.
We believe that spamc didn't check whether the hostname matches the name
in the ssl certificate and the expired date of the certificate.
We found the vulnerability by static analysis, typically, a process of
verification involves calling a chain of API, and we can deduce whether the
communication process is vulnerable by detecting whether the process satisfies
a certain relation.
The result format is like this:
notice: Line Number@Method Name, Source File
We provide this result to help developers to locate the problem faster.
This is the result for spamc:
[PDG]message_filter
[Found]SSL_connect()
[HASH] 3238387200 [LineNo]@ 1369[Kind]call-site[Char]
SSL_connect()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
[INFO] API SSL_new() Found! --> [HASH] 2841348688 [LineNo]@
1367[Kind]call-site[Char] SSL_new()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
[INFO] API SSL_CTX_new() Found! --> [HASH] 1784966074 [LineNo]@
1211[Kind]call-site[Char] SSL_CTX_new()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
[Warning] No secure SSL_Method API found! Potentially vulnerable!!!
[PDG]message_tell
[Found]SSL_connect()
[HASH] 3756788397 [LineNo]@ 1717[Kind]call-site[Char]
SSL_connect()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
[INFO] API SSL_new() Found! --> [HASH] 894746177 [LineNo]@
1715[Kind]call-site[Char] SSL_new()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
[INFO] API SSL_CTX_new() Found! --> [HASH] 1784966074 [LineNo]@
1211[Kind]call-site[Char] SSL_CTX_new()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
[Warning] No secure SSL_Method API found! Potentially vulnerable!!!
We don't have a POC because we didn't succeed in configuring this
software or don't know the way to verify the vulnerability. But through
the analysis of the source code, we believe it breaks the ssl
certificate verfication protocol.
for more information about the importance of checking hostname:
see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
Thanks.
** Affects: spamassassin (Ubuntu)
Importance: Undecided
Status: New
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to spamassassin in Ubuntu.
https://bugs.launchpad.net/bugs/1380235
Title:
Potential Vulnerability for X509 Certificate Verification
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1380235/+subscriptions
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
