You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2014/10/16 17:48:07 UTC

[Bug 7092] New: Vulnerability for X509 Certificate Verification

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7092

            Bug ID: 7092
           Summary: Vulnerability for X509 Certificate Verification
           Product: Spamassassin
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: Packaging: debian
          Assignee: dev@spamassassin.apache.org
          Reporter: jerryzh168@gmail.com

Hostname verification is an important step when verifying X509 certificates,
however, people tend to miss the step when using SSL/TLS, which might cause
severe man in the middle attack and break the entire TLS mechanism.

We believe that spamc didn't check whether the hostname matches the name in the
ssl certificate.

We found the vulnerability by static analysis, typically, a process of
verification involves calling a chain of API, and we can deduce whether the
communication process is vulnerable by detecting whether the process satisfies
a certain relation.
The result format is like this:
notice: Line Number@Method Name, Source File

We provide this result to help developers to locate the problem faster.

This is the result for spamc:
[PDG]message_filter
 [Found]SSL_connect()
 [HASH] 3238387200 [LineNo]@ 1369[Kind]call-site[Char] SSL_connect()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
 [INFO] API SSL_new() Found! --> [HASH] 2841348688 [LineNo]@
1367[Kind]call-site[Char] SSL_new()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
 [INFO] API SSL_CTX_new() Found! --> [HASH] 1784966074 [LineNo]@
1211[Kind]call-site[Char] SSL_CTX_new()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
 [Warning] No secure SSL_Method API found! Potentially vulnerable!!!
[PDG]message_tell
 [Found]SSL_connect()
 [HASH] 3756788397 [LineNo]@ 1717[Kind]call-site[Char] SSL_connect()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
 [INFO] API SSL_new() Found! --> [HASH] 894746177 [LineNo]@
1715[Kind]call-site[Char] SSL_new()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
 [INFO] API SSL_CTX_new() Found! --> [HASH] 1784966074 [LineNo]@
1211[Kind]call-site[Char] SSL_CTX_new()[Src]
/home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c
 [Warning] No secure SSL_Method API found! Potentially vulnerable!!!

We don't have a POC because we didn't succeed in configuring this software or
don't know the way to verify the vulnerability. But through the analysis of the
source code, we believe it breaks the ssl certificate verfication protocol.

for more information about the importance of checking hostname:
see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf

Thanks.

Also reported to launchpad at:
https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1380235

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 7092] Vulnerability for X509 Certificate Verification

Posted by bu...@bugzilla.spamassassin.org.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7092

--- Comment #1 from Mark Martinec <Ma...@ijs.si> ---
Jerry,

I very much appreciate your effort to analyze the spamc client program,
to dig up this lack of verification issue, and to let us know about it!

Don't know how often such setup is still in use nowadays: having clients
connect over untrusted network to a central spamd server. Also there
are probably easier ways to read people's mail or tamper with it
within an organization. A common setup today is to run SpamAssassin
tightly coupled with an MTA, communicating over a Unix socket or over
a loopback interface.

It would certainly be valuable to fix the problem, or just disable the
feature if it turns out that few people still care about it. I hope
somebody will jump in and address this potential man-in-the middle
threat (I'm not volunteering). In the least, issuing a public notice
may be in order.

-- 
You are receiving this mail because:
You are the assignee for the bug.