Re: CVE request - OkHttp Certificate Pining Bypass

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> A vulnerability was discovered in OkHttp that allows an attacker to bypass
> certificate pinning. OkHttp did not validate that the pinned certificate
> was in the chain to a trusted certificate authority.
>
> This resulted in an attacker being able to present a certificate chain with
> a certificate issued by one trusted certificate authority, and additionally
> including the pinned certificate authority. Because the pinned certificate
> was present, and the certificate was issued by a trusted certificate
> authority, the server's certificate was accepted. However, it should not
> have been accepted as the pinned certificate was not in the trust chain.
>
> This allows an attacker to obtain a certificate from a non-pinned but
> trusted CA, then have OkHttp connect to that server, bypassing certificate
> pinning.

We found this wording to be somewhat confusing, but we believe we
understand what was meant, so the CVE ID is included below.

Essentially, we think "attacker being able to present a certificate
chain with a certificate issued by one trusted certificate authority,
and additionally including the pinned certificate authority" was
intended to state "attacker being able to present a certificate chain
with a certificate issued by one trusted certificate authority, and
additionally include the pinned certificate." The use of "including"
instead of "include" in that sentence seemed to imply that "including
the pinned certificate authority" was a phrase describing the server
end-entity certificate: that would not make sense.

Use CVE-2016-2402.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWxUAUAAoJEL54rhJi8gl5GcEP/iubChgKfa8SqskoVdCi9+P1
yBMrAZRqU2vfyiq+ZtLyr9K+0WbgliFot1RSxP/wXzvAt1zZo0dZyYsxdH6LhDi+
B6ACYVorpRxEsZ4U35wf1E892LRoeSXMDsjm//7vRvMkCssLanFtgcCO3sJ68uxe
URLFX+CsoJ82BsyqA4tm3HMQsfbSk6WN2pnf5ZkMy366FslbAkyR0PYM/kFfNBtm
Hd/J+M6lKzi5ZchxeeEX+h91iGkVg9HUcrvHyMwwR4nxnI0xCMscLoYrqbuacbe1
BCLW5+UYI1011soo5UBsbRXCRNAyL9JeMXmonpqPkXP41PlpOmFfwX7y+hCAzGnn
mW22iXY/YERYTKnote8VGaWxV0h6gthagyZWaY03AA/T4371aD+37xMzqKAAjWrO
3FuFo9B1ppYTjCmRRPHaQD5ccFJZmap1IWTsaHcJxEyNlHZ3YiyB5V2Nn8aZpSgC
1OoNodfBsC2fb+SkjXpEIpN8Aodw71ZQByFDjE65q20ZPYqbmUiOZgFlQ2mEYamO
EBv/LXxPKMRGC2vHSqkVu9qfh71s48bCKqhyz42HU0WnQyhsdgi0A2KdaVBBkDVz
81HTJUssP5UGoThf1xN5/y0nsHK0/VLhCV8oeEXd0WHiwrfzLARDiOrwhIDML0cD
o2JbErxSMlMhZSdwjTuU
=VVYc
-----END PGP SIGNATURE-----