Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.1410
Security Advisory - Apache Software Foundation - Apache HttpComponents
19 August 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Apache HttpComponents
Publisher: Apache Software Foundation
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Provide Misleading Information -- Remote with User Interaction
Unauthorised Access -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2014-3577 CVE-2012-6153
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Security Advisory - Apache Software Foundation
Apache HttpComponents / hc.apache.org
Hostname verification susceptible to MITM attack
CVE-2014-3577 / CVSS 1.4
Apache HttpComponents (prior to revision 4.3.5/4.0.2) may be susceptible
to a 'Man in the Middle Attack' due to a flaw in the default hostname
verification during SSL/TLS when a specially crafted server side
certificate is used.
Background
- - ----------
During an SSL connection (https) the client verifies the hostname in
the URL against the hostname as encoded in the servers certificate (CN,
subjectAlt fields). This is to ensure that the client connects to the
'real' server, as opposed to something in middle (man in the middle)
that may compromise end to end confidentiality and integrity.
Details
- - -------
The flaw is in the default Apache HttpComponents
org.apache.http.conn.ssl.AbstractVerifier
that is used in client mode for verification of hostname of the server
side certificate. It parsed the entire subject distinguished name (DN)
for the occurrence of any <CN=> substring (regardles of field).
Therefore a DN of with a O field such as
O="foo,CN=www.apache.orgâ€Â
and a CN of "www.evil.org†and ordered such that the O appears prior to
the CN field would incorrectly match match on the <www.apache.org> in
the O field as opposed to just the values in the CN and alternative
subject name(s).
The doctored field can be any field but the CN field itself; including
the <E> or emailAddress field as long as it appears before the CN (some
CAs reorder the DN).
A third party in posession of such a doctored certificate and who also
has the ability to intercept or reroute the traffic to a https server
under its control (e.g. through DNS doctoring or various forms of
traffic rerouting or spoofing) can thus perform a 'man in the middle'
attack and compromise end to end confidentiality and integrety.
Note that while some certificate authorities may be relatively strict
on what they allow in the various fields - most are NOT; and allow
for a relatively large amount of leeway in, for example, the OU
and E fields.
Impact:
- - -------
A man-in-the-middle can interpose itself between the server and the
code using an affected version of Apache HttpComponents as a client.
Leading to complete loss of end to end confidentiality and end to
end integrety of the connection.
Versions affected:
- - ------------------
All versions prior to HttpClient 4.3.5 (including the Android port)
and HttpAsyncClient 4.0.2. The fix was introduced in these versions.
http://search.maven.org/#artifactdetails|org.apache.httpcomponents|
httpclient|4.3.5|jar
http://search.maven.org/#artifactdetails|org.apache.httpcomponents|
httpasyncclient|4.0.2|jar
These have been silently pushed out to Maven central and Apache Dist
as of 2014-08-1. An Android build was released on 2014-08-15.
Resolution
- - ----------
A fix has been applied as of revision 1614065 and is part of release
HttpClient 4.3.5 (including HttpClient port for Android against the
official Google Android SDK)and HttpClient (async) 4.0.2.
Upgrading to these versions newer resolves this issue.
Mitigations and work arounds
- - ----------------------------
If upgrading to version 4.3.5/4.0.2 is not an option; one could change
the default org.apache.http.conn.ssl.AbstractVerifier of earlier
versions for revision 1614065 of newer.
Note that exploitation of this flaw also requires some level of DNS or
IP spoofing (or existing 'in the middle infrastructure' such as a corporate
proxy or other TCP level equipment en-route). This need may allow for site
specific alternative mitigations.
Reproducing the flaw
- - --------------------
If so required; the following statements will allow the testing of a
Apache HttpComponents client against a server with a thus crafted
certificate:
openssl req -new -x509 -keyout /dev/stdout \
-subj "/O=foo, CN=www.apache.org/CN=machine-domain-name/" \
-set_serial 86653 -nodes |\
openssl s_server -cert /dev/stdin -accept 8443 -www
and a Apache HttpComponents client that connects to
"https://www.apache.org:8443/" with the DNS entry for www.apache.org
pointing to the machine-domain-name.
Credits and timeline
- - --------------------
The flaw was found and reported by Subodh Iyengar <http://www.subodh.io>,
and Will Shackleton <http://www.shackleton.io/> from Facebook. It was
reported on the 23rd of July. A fix was applied by and released on
2014-08-01. An Android build was released on the 2014-08-15. This
security advisory fully discloses the issue and current insights known
to the Apache Software foundation (the vendor).
Apache would like to thank all involved for their help with this.
A similar issue was reported by Florian Weimer of Red Hat in 2012 and
was fixed by https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692442#56.
It has now been assigned CVE-2012-6153.
Common Vulnerability Scoring (Version 2) and vector
- - ---------------------------------------------------
CVSS Base Score 5.8
Impact Subscore 4.9
Exploitability Subscore 8.6
CVSS Temporal Score 4.8
CVSS Environmental Score 1.4
Modified Impact Subscore 5.2
------------------------------
Overall CVSS Score 1.4
CVSS v2 Vector
AV:N/AC:M/Au:N/C:P/I:N/A:P/E:F/RL:OF/RC:C/CDP:L/TD:L/CR:H/IR:L/AR:L
1.09 / : 1692 $
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4
Comment: This message is encrypted and/or signed with PGP (gnu-pg, gpg). Contact dirkx@webweaving.org
if you cannot read it.
iQCVAwUBU/G6hzGmPZbsFAuBAQLkagP9FRsLPSNhEZwRXUGisHuCfrxHofKmnGEj
JSCo/RW2C7GP4Bey4doAdayo2NuTnYWFzvhaQhYpeRt7SjX8H21pEOQF54cvJelN
JQogo1s5d2zLjwWQ8JnuVYIeqilSDrmrcHROzqcl8ea4DdH9nivYiFvsb7/EWOGO
UaLid6Sobqw=
=LkHu
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBU/KxYhLndAQH1ShLAQIU5BAAo6vaq2zmueSaPEpA9NLLDhRCkF/lgx7A
PcMwv24BRkQZVdZMrhAaOlh1hXM8p0V//+8/+8PrNOHTmTJN9eSdwVmm2gSC0gUT
QDaPkQXUstRZajT/cLCRQbBMoWWrq6n97+uRWVjDgXQ2maa/Mg3PE//hPaT0v3Eq
lG4A+os6bSy32dLnkNJ2LscezSS/cOqMHPW3WzCN5BjKYnuzlxxyspjRnUT1NwsK
5SNWu+fJkDnkC+czBPdxRBJM8Fv0giT0N7Hi0NxaU+UtCsvf6EZGuYq5dMCkOMYU
ZGNhN1Z2z3+ztJppujedQ1oHtsyLU8IAIMKMJHWovG9ToI0bNUMbS0hLianVAaQp
ycRdxQQl8Yc/CSoVCoRNyBZ4g2yElewYpk1EFjqPDMwuGqCqdk3IatM1LxXNFGoA
nKNj2o3UXgZ8o5HPiptKUVH9Sfwm+n6cFG6XwpDGnb94urC8rhe+4vH2/Z34PwCw
wvU1l2hEfeqKEuLV+fbAqTMNy1M6L1NKYSy2xa0Mr3fyZaf33KZLI5fG+LE5KMxN
O5osD78P1t23iOZNFehZKNqV1rEBRJl6FVf9h2xOEuQPidrbUHb4KlRs9JbVe6k0
kA77FMxKmEFs8BKKkwn5DB6Yv9zVQKkvPqo8OTsz4XFq/lOmBKo1pWgLu0iXqUiG
2Kf/vivXHuY=
=VAd0
-----END PGP SIGNATURE-----