Tuesday, October 02, 2007

[UNIX] Ruby Net::HTTPS Library Insufficient Validation of Server Certificate CN

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com


- - - - - - - - -

Ruby Net::HTTPS Library Insufficient Validation of Server Certificate CN
------------------------------------------------------------------------


SUMMARY

The Ruby Net::HTTP and Net::HTTPS library can be used to make HTTP or
HTTPS connections to remote websites. There are several methods for
performing these types of connections within the Ruby standard library but
the Net::HTTP library is recommended going forward.

A vulnerability results from the Net::HTTPS library failing to validate
the name on the SSL certificate against the DNS name requested by the user.
Because the name is never checked, the library accepts a cryptographically
valid certificate (one that chains to the configured CA) whose CN does not
match the requested host, so an attacker holding any such certificate can
present it in place of the real server's.

DETAILS

Vulnerable Systems:
* Ruby version 1.8.5
* Ruby version 1.8.6
* Ruby version Trunk

The vulnerability is caused by the connect method in http.rb failing to
call post_connection_check after the SSL connection has been negotiated.
Since the server certificate's CN is not validated against the requested
DNS name, an attacker can impersonate the target server in an SSL
connection. The integrity and confidentiality benefits of SSL are removed
by this vulnerability.

Example:
If the application uses the following code to connect to the IP address of
https://www.citicards.com:

require 'net/https'   # Ruby 1.8: loads net/http together with its SSL support

url = "192.193.222.24" # www.citicards.com IP, used in place of the host name
path = "/"
http = Net::HTTP.new(url, 443)
http.use_ssl = true
http.ca_file = "verisign.pem"                # CA bundle used to verify the chain
http.verify_mode = OpenSSL::SSL::VERIFY_PEER # chain is verified, CN is not
resp, data = http.get(path, nil)

The connection will succeed. This is an obvious failure: the name requested
is an IP address, while the certificate presented has a CN of
www.citicards.com, so the two should never have been treated as a match.

One caveat is that the attacker must possess a certificate signed by the CA
specified in the ca_file attribute.

Fix Information:
This issue has been addressed by adding the appropriate post connection
check within http.rb. The patches add the enable_post_connection parameter;
when it is set to true, the Net::HTTP library raises an exception if the
post connection check (the comparison of the requested host name against
the server certificate) fails.
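The following Ruby snippet is an added example and is not code from the
advisory or from the Ruby project. It isolates the check the fix adds: the
host-name-versus-certificate comparison that OpenSSL::SSL::SSLSocket#post_connection_check
performs by calling OpenSSL::SSL.verify_certificate_identity. It builds a
throwaway self-signed certificate in memory (constructed test data; the host
names www.example.com and api.example.com are placeholders) and shows that
a certificate which verifies against the CA store can still fail the name
check, which is exactly the case the vulnerable connect method let through.

```ruby
# Added example, not part of the advisory or of Ruby's Net::HTTP.
# Builds a constructed self-signed certificate and runs the same identity
# check that SSLSocket#post_connection_check applies after the handshake.
require 'openssl'

# Create a self-signed test certificate with subject CN `cn` and, optionally,
# a subjectAltName listing DNS names. All values are constructed test data.
def build_test_cert(cn, sans = [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509v3, required for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject           # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  unless sans.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    san_value = sans.map { |name| "DNS:#{name}" }.join(",")
    cert.add_extension(ef.create_extension("subjectAltName", san_value, false))
  end
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The missing check: does the name the client asked for match the
# certificate? SAN dNSName entries take precedence; the CN is only consulted
# when the certificate carries no SAN. This is the library routine that
# SSLSocket#post_connection_check wraps before raising SSLError.
def certificate_matches_host?(cert, requested_host)
  OpenSSL::SSL.verify_certificate_identity(cert, requested_host)
end

# Client-side decision as it should be made: a chain that verifies under
# VERIFY_PEER (`chain_ok`) is necessary but not sufficient; the requested
# name must also match, otherwise the connection is refused.
def accept_server?(chain_ok, cert, requested_host)
  chain_ok && certificate_matches_host?(cert, requested_host)
end

if $PROGRAM_NAME == __FILE__
  cert = build_test_cert("www.example.com")
  [["www.example.com", true], ["192.0.2.10", false]].each do |host, _|
    puts "#{host}: #{accept_server?(true, cert, host) ? 'accept' : 'refuse'}"
  end
end
```

Asking for the server by IP address, as the advisory's example does, can
never match a DNS-only certificate, so a client that runs this check refuses
the connection instead of silently trusting whichever CA-signed certificate
it was handed.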

The following trunk Ruby checkins contain the related changes:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13500

Ruby 1.8.5:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13502

Ruby 1.8.6:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13504


ADDITIONAL INFORMATION

The information has been provided by Chris Clark <cclark@isecpartners.com>.
The original article can be found at:
http://www.isecpartners.com/advisories/2007-006-rubyssl.txt
