Vigil@nce - Apache HttpComponents HttpClient: validation incorrecte de certificat
August 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can create an SSL certificate which wille be wrongly
validated by Apache HttpComponents HttpClient, in order to capture
traffic and bypass encryption.
Impacted products: Apache HttpClient, RHEL
Severity: 1/4
Creation date: 18/08/2014
DESCRIPTION OF THE VULNERABILITY
The HttpClient library can manage HTTP connections over SSL.
In order to authenticate a server, the client must check the
certificate (cryptographic signatures, validity date range, etc.)
and also that the received certificate matches the visited server.
This check is usually done on DNS names, or sometimes on IP
addresses. However, instead of looking the exact field
subjectAltName or, for compatibility, the commonName field, the
library looks fro a substring that matches the targeted server
name.
This vulnerability is a variant of VIGILANCE-VUL-12182
(https://vigilance.fr/tree/1/12182?w=66901).
An attacker can therefore create an SSL certificate which will be
wrongly validated by Apache HttpComponents HttpClient, in order to
capture traffic and bypass encryption.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN