1 fetchmail-SA-2009-01: Improper SSL certificate subject verification
3 Topics: Improper SSL certificate subject verification
5 Author: Matthias Andree
8 Type: Allows undetected Man-in-the-middle attacks against SSL/TLS.
9 Impact: Credential disclose to eavesdroppers.
11 CVSSv2 vectors: (AV:N/AC:M/Au:N/C:P/I:N/A:N) (E:H/RL:OF/RC:C)
13 CVE Name: CVE-2009-2666
14 URL: http://www.fetchmail.info/fetchmail-SA-2009-01.txt
15 Project URL: http://www.fetchmail.info/
17 Affects: fetchmail releases up to and including 6.3.10
19 Not affected: fetchmail release 6.3.11 and newer
21 Corrected: 2009-08-04 fetchmail SVN (rev 5389)
23 References: "Null Prefix Attacks Against SSL/TLS Certificates",
24 Moxie Marlinspike, 2009-07-29, Defcon 17, Blackhat 09.
26 CVE-2009-2408, Mozilla Firefox <3.5 and NSS <3.12.3
27 improper handling of '\0' characters in domain names in
28 the Subject CN field of X.509 certificates.
34 2009-08-05 0.1 first draft (visible in SVN)
35 2009-08-06 1.0 first release
41 fetchmail is a software package to retrieve mail from remote POP2, POP3,
42 IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
43 message delivery agents. It supports SSL and TLS security layers through
44 the OpenSSL library, if enabled at compile time and if also enabled at
48 2. Problem description and Impact
49 =================================
51 Moxie Marlinspike demonstrated in July 2009 that some CAs would sign
52 certificates that contain embedded NUL characters in the Common Name or
53 subjectAltName fields of ITU-T X.509 certificates. Applications what
54 would treat such strings in X.509 as NUL-terminated C strings (rather
55 than strings that contain an explicit length field) would only
56 check the part up to and excluding the NUL character, so that
57 certificate names such as www.good.example\0www.bad.example.com would be
58 mistaken as a certificate name for www.good.example. The CA however
59 would usually sign example.com and not care about the subdomain.
65 There are two alternatives, either of them by itself is sufficient:
67 a. Apply the patch found in section B of this announcement to
68 fetchmail 6.3.10, recompile and reinstall it.
70 b. Install fetchmail 6.3.11 or newer after it will have become available.
71 The fetchmail source code is always available from
72 <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
78 Obtain the server fingerprints through a separate secure channel and
79 configure them with the sslfingerprint option, and enable the sslcertck
83 A. Copyright, License and Warranty
84 ==================================
86 (C) Copyright 2009 by Matthias Andree, <matthias.andree@gmx.de>.
89 This work is licensed under the Creative Commons
90 Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
91 To view a copy of this license, visit
92 http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to
97 SAN FRANCISCO, CALIFORNIA 94105
101 THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
102 Use the information herein at your own risk.
105 B. Patch to remedy the problem
106 ==============================
108 Note that when taking this from a GnuPG clearsigned file, the lines
109 starting with a "-" character are prefixed by another "- " (dash +
110 blank) combination. Either feed this file through GnuPG to strip them,
111 or strip them manually.
113 Whitespace differences can usually be ignored by invoking "patch -l",
114 so try this if the patch does not apply.
118 ===================================================================
122 report(stderr, GT_("Bad certificate: Subject CommonName too long!\n"));
125 + if ((size_t)i > strlen(buf)) {
126 + /* Name contains embedded NUL characters, so we complain. This is likely
127 + * a certificate spoofing attack. */
128 + report(stderr, GT_("Bad certificate: Subject CommonName contains NUL, aborting!\n"));
131 if (_ssl_server_cname != NULL) {
133 char *p2 = _ssl_server_cname;
134 @@ -643,11 +649,18 @@
135 * first find a match among alternative names */
136 gens = (STACK_OF(GENERAL_NAME) *)X509_get_ext_d2i(x509_cert, NID_subject_alt_name, NULL, NULL);
139 - for (i = 0, r = sk_GENERAL_NAME_num(gens); i < r; ++i) {
140 - const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
142 + for (j = 0, r = sk_GENERAL_NAME_num(gens); j < r; ++j) {
143 + const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, j);
144 if (gn->type == GEN_DNS) {
145 char *p1 = (char *)gn->d.ia5->data;
146 char *p2 = _ssl_server_cname;
147 + /* Name contains embedded NUL characters, so we complain. This
148 + * is likely a certificate spoofing attack. */
149 + if ((size_t)gn->d.ia5->length != strlen(p1)) {
150 + report(stderr, GT_("Bad certificate: Subject Alternative Name contains NUL, aborting!\n"));
151 + sk_GENERAL_NAME_free(gens);
154 if (outlevel >= O_VERBOSE)
155 report(stderr, "Subject Alternative Name: %s\n", p1);
157 END OF fetchmail-SA-2009-01.txt