Re: CVE request: hs-tls: Basic constraints vulnerability

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/30/2013 03:59 AM, Florian Weimer wrote:
> On 01/20/2013 01:32 PM, Salvatore Bonaccorso wrote:
>
> > For hs-tls (TLS/SSL implementation in haskell) it was announced
> > the following advisory[0]:
> >
> > ----cut---------cut---------cut---------cut---------cut---------cut-----
Hi cafe,
> > this is a security advisory for tls-extra < 0.6.1 which are all 
> > vulnerable to bad certificate validation.
> >
> > Some part of the certificate validation procedure were missing 
> > (relying on the work-in-progress x509 v3 extensions), and because
> > of this anyone with a correct end-entity certificate can issue
> > certificate for any arbitrary domain, i.e. acting as a CA.
> >
> > This problem has been fixed in tls-extra 0.6.1, and I advise
> > everyone to upgrade as soon as possible.
> >
> > Despite a very serious flaw in the certificate validation, I'm
> > happy that the code is seeing some audits, and would want to
> > thanks Ertugrul S￶ylemez for the findings [1].
> >
> > [1] https://github.com/vincenthz/hs-tls/issues/29 
> > ----cut---------cut---------cut---------cut---------cut---------cut-----
>
> >
> I believe an alternative description of the impact is:
> hs-tls-extras does not check the Basic Constraints attribute of a
> certificate in certificate chain procession, and any certificate is
> treated as a CA certificate, which means that anyone who has a
> valid certificate can use it to sign another one (with an arbitrary
> subject DN/domain name embedded into it) and have it accepted by
> hs-tls.  This eventually allows MITM attacks on TLS connections.
>
> Kurt, is this more to your liking? 8-)

Yup!

Please use CVE-2013-0243 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRCWeRAAoJEBYNRVNeJnmTYuwQANBYOXHg6tppHjpRDrhYrR6i
yv1MZahWRYRT1cYFiX6dG+6MwAqCtHtLOTaaN5bAGP2BviczTK/WuLdo6axAvR1P
83XCYk4ewxT+HHLwZXUAJHMmFQrEuplhe0FzpL2wuBquPQ4B9jBWz1+qfm4oR14H
2DGsI5rHiA88AKzDSf1QwaE/0SwEWplff8f4fvd3kU0wi044HzyuM9VKrkhkroWz
cHwX4rdJTEV1mTEr8O1myVpXF2tuMmzuzXFMYd42NuqzC1cv72upXJMnbWxq85QG
qEM2GozkTHeG5kBzqN1R9lAPEXcXhe8dXg6lTYp8XanTjyf5wHCrcV1T6jJhzDLA
nWM37ehcZ0vZwrTUhkoM9JSLHf/FSLObR9N1qQA8lbNcUn1VNXOelToIcdM84Mcr
RqBROOa8UX9fg8rMeE9akUxgTmEGHUhDKcWq5Tkf6J8l/EZEYON4JjRVf+n3Cw17
nrUJ93HnHO2S5AcUXohK12Uq3YfrWxR041fLkwUNH1aOQy2Xomc4T/86WTRw3BNc
aEEuwKiDu9O9tu5Fy8H/LfuX9geYjpg3i3OXwYzBy8LT87S2H5FvtmMFfCfKrVCR
+YCh8eJ4T6NimQQfZO5sez9SINyNLaccPnSCFYeMmnidIIjDgySVlDLQuY2kfpxL
dFY6FOh/+/fXtDnkaAmp
=DpBg
-----END PGP SIGNATURE-----