Hostname check bypassing vulnerability in SSL client (CVE-2013-4073)

A vulnerability in Ruby’s SSL client could allow man-in-the-middle attackers to spoof SSL servers using a valid certificate issued by a trusted certification authority.

This vulnerability has been assigned the CVE identifier CVE-2013-4073.

Summary

Ruby’s SSL client implements a hostname identity check, but it does not properly handle hostnames in the certificate that contain null bytes.

Details

OpenSSL::SSL.verify_certificate_identity implements the RFC 2818 server identity check for Ruby’s SSL client, but it does not properly handle hostnames in the subjectAltName X509 extension that contain null bytes.

Existing code in lib/openssl/ssl.rb uses OpenSSL::X509::Extension#value to extract the identity from subjectAltName. Extension#value depends on the OpenSSL function X509V3_EXT_print(), which for the dNSName entries of subjectAltName uses sprintf(), a function known to be null-byte unsafe: it stops at the first null byte. As a result, Extension#value returns ‘www.ruby-lang.org’ when the subjectAltName is ‘www.ruby-lang.org\0.example.com’, and OpenSSL::SSL.verify_certificate_identity wrongly accepts the certificate as one issued for ‘www.ruby-lang.org’.

If a CA trusted by the SSL client can be made to issue a server certificate whose subjectAltName contains a null byte, remote attackers can obtain a certificate for ‘www.ruby-lang.org\0.example.com’ from that CA, use it to spoof ‘www.ruby-lang.org’, and mount a man-in-the-middle attack between Ruby’s SSL client and SSL servers.
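The following is an added example, not code from Ruby’s lib/openssl/ssl.rb or from the fix, showing the mechanism described above and a null-byte-safe alternative. It reads the dNSName entries straight out of the DER-encoded GeneralNames of a subjectAltName (where every element carries an explicit length, so an embedded NUL survives), contrasts that with what a C-string consumer such as sprintf() sees, and then performs an RFC 2818 style match that refuses any name containing a NUL. The function names (san_dns_names, cstring_view, hostname_match?, verify_identity), the minimal DER reader and the sample SAN value are all constructed for this illustration and are assumptions, not the stdlib API.

```ruby
# Added example (not Ruby stdlib code): null-byte-safe subjectAltName checking.
#
# Minimal DER helpers. DER forbids indefinite lengths, so only definite
# short-form and long-form lengths are handled. Returns [length, next_pos].
def read_length(der, pos)
  first = der.getbyte(pos)
  return [first, pos + 1] if first < 0x80
  n = first & 0x7f
  len = der.byteslice(pos + 1, n).bytes.inject(0) { |acc, b| (acc << 8) | b }
  [len, pos + 1 + n]
end

# Extract every dNSName (context tag [2] = 0x82, an IA5String) from the
# GeneralNames SEQUENCE of a subjectAltName. Other GeneralName choices
# (rfc822Name, iPAddress, ...) are skipped. Values are returned as raw bytes,
# so a NUL inside a name is preserved rather than silently truncated.
def san_dns_names(der)
  der = der.b
  raise ArgumentError, "subjectAltName must be a SEQUENCE" unless der.getbyte(0) == 0x30
  seq_len, pos = read_length(der, 1)
  stop = pos + seq_len
  names = []
  while pos < stop
    tag = der.getbyte(pos)
    len, pos = read_length(der, pos + 1)
    names << der.byteslice(pos, len) if tag == 0x82
    pos += len
  end
  names
end

# What a C-string consumer (the sprintf() path the advisory describes) sees:
# everything from the first NUL onward is dropped.
def cstring_view(name)
  name.b.split("\0", 2).first.to_s
end

# RFC 2818 style comparison: case-insensitive, one leading "*." wildcard that
# matches exactly one label. Any name carrying an embedded NUL is rejected
# outright, because no legitimate DNS name contains one.
def hostname_match?(hostname, san_name)
  return false if san_name.include?("\0")
  pattern = san_name.downcase
  host = hostname.downcase
  if pattern.start_with?("*.")
    suffix = pattern[1..]                       # ".example.com"
    host.end_with?(suffix) &&
      host.length > suffix.length &&
      !host[0...-suffix.length].include?(".")   # wildcard covers one label only
  else
    pattern == host
  end
end

# The identity check: the hostname must match at least one dNSName entry.
def verify_identity(hostname, san_der)
  san_dns_names(san_der).any? { |name| hostname_match?(hostname, name) }
end

# Tiny DER encoder used only to build the constructed sample below
# (short-form length, i.e. bodies under 128 bytes).
def der_tlv(tag, body)
  body = body.b
  raise ArgumentError, "sample body too long for short-form length" if body.bytesize >= 0x80
  [tag, body.bytesize].pack("CC") + body
end

# Constructed sample: the attacker-style name from the advisory next to a
# benign wildcard entry, encoded as a GeneralNames SEQUENCE.
SPOOFED_NAME   = "www.ruby-lang.org\0.example.com".b
SAMPLE_SAN_DER = der_tlv(0x30, der_tlv(0x82, SPOOFED_NAME) + der_tlv(0x82, "*.example.com"))

if __FILE__ == $0
  puts "DER-parsed names:   #{san_dns_names(SAMPLE_SAN_DER).map(&:inspect).join(', ')}"
  puts "C-string view:      #{cstring_view(SPOOFED_NAME).inspect}"
  puts "truncated match:    #{hostname_match?('www.ruby-lang.org', cstring_view(SPOOFED_NAME))}"
  puts "NUL-safe match:     #{verify_identity('www.ruby-lang.org', SAMPLE_SAN_DER)}"
  puts "wildcard match:     #{verify_identity('mail.example.com', SAMPLE_SAN_DER)}"
end
```

The truncated view of the spoofed name matches ‘www.ruby-lang.org’, which is exactly the misidentification the advisory describes; the NUL-safe path rejects it while still honouring the legitimate ‘*.example.com’ entry. In a real client the raw extension bytes would come from the certificate (for example via Extension#to_der) rather than from a constructed sample.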

Affected versions

  • All ruby 1.8 versions prior to ruby 1.8.7 patchlevel 374
  • All ruby 1.9 versions prior to ruby 1.9.3 patchlevel 448
  • All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 247
  • All trunk revisions prior to revision 41671

Solution

All users are recommended to upgrade to Ruby 2.0.0-p247, 1.9.3-p448 or 1.8.7-p374.

Credit

This vulnerability has been found by William (B.J.) Snow Orvis and coordinated with security@ruby-lang.org by David Thiel from iSEC Partners.

History

  • Originally published at 2013-06-27 11:00:00 (UTC)