Bugzilla – Bug 915323
VUL-0: CVE-2015-0210: wpa_supplicant: broken certificate subject check
Last modified: 2018-12-14 07:50:24 UTC
rh#1178921

It was reported [1] that wpa_supplicant does not properly check certificate subject name, which might lead to "man in the middle" attack.

Relevant part of the original report:

    ...
    wpa_supplicant, linked against openssl performs this check:

        if (depth == 0 && match && os_strstr(buf, match) == NULL) {
            wpa_printf(MSG_WARNING, "TLS: Subject '%s' did not "
                       "match with '%s'", buf, match);
            preverify_ok = 0;
            openssl_tls_fail_event(conn, err_cert, err, depth, buf,
                                   "Subject mismatch",
                                   TLS_FAIL_SUBJECT_MISMATCH);
        }

    strstr() is vulnerable to extension attack, for instance, one would like to match on /CN=wireless.nikhef.nl, but explicitly not match on wireless.nikhef.nl.honestachmed.tr. There is no way to implement a secure EAP-TTLS/PEAP configuration using public certificates this way.

    When linked against GnuTLS, the problem is even worse:

        if (i == 0) {
            /* TODO: validate subject_match and altsubject_match */
        }

    Now, it is current best practice to run EAP-TTLS/PEAP with public certificates, because on Windows, this automatically pins the CN and CA from the certificate.
    ...

References:
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1178263
https://bugzilla.redhat.com/show_bug.cgi?id=1178921
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0210
Gary is also maintainer on older products.
bugbot adjusting priority
well, the patches from RH basically are: 0013-rh1178263-CVE-2015-0210-domain_match.patch and 0014-rh1178263-CVE-2015-0210-cert_in_cb.patch the first one adds the "domain_match" config option. Our version 2.2 already had "domain_suffix_match". I've adapted the patch, now we should actually have both, "domain_match" and "domain_suffix_match" acting as the naming implies. submitting as soon as it builds.
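The difference between the substring check quoted in the report and the two config options mentioned above, as an added example (not wpa_supplicant's code): the strstr-style check accepts any subject line that merely contains the configured value, an exact comparison is what "domain_match" is meant to provide, and a label-boundary suffix comparison is what "domain_suffix_match" is meant to provide. The subject strings and host names below are constructed from the report's own example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* The vulnerable check as described in the report: the configured value
 * only has to appear somewhere inside the one-line subject string. */
bool subject_match_strstr(const char *subject, const char *match)
{
    return strstr(subject, match) != NULL;
}

/* Exact, case-insensitive comparison of one DNS name (CN or dNSName SAN)
 * against the configured value: the behaviour domain_match is meant to give. */
bool domain_match_exact(const char *dns_name, const char *match)
{
    return strcasecmp(dns_name, match) == 0;
}

/* Suffix comparison that only matches on a label boundary, so that
 * "wireless.nikhef.nl" matches "nikhef.nl" but "evilnikhef.nl" and
 * "wireless.nikhef.nl.honestachmed.tr" do not: the behaviour
 * domain_suffix_match is meant to give. */
bool domain_match_suffix(const char *dns_name, const char *match)
{
    size_t nlen = strlen(dns_name), mlen = strlen(match);

    if (mlen == 0 || nlen < mlen)
        return false;
    if (strcasecmp(dns_name + nlen - mlen, match) != 0)
        return false;
    /* Either the whole name matched, or the character before the suffix
     * is a label separator. */
    return nlen == mlen || dns_name[nlen - mlen - 1] == '.';
}

int main(void)
{
    /* Constructed subject lines in the X509_NAME_oneline() style. */
    const char *good = "/C=NL/O=Nikhef/CN=wireless.nikhef.nl";
    const char *bad  = "/C=NL/O=Other/CN=wireless.nikhef.nl.honestachmed.tr";

    printf("strstr check, legitimate cert: %d\n", subject_match_strstr(good, "/CN=wireless.nikhef.nl"));
    printf("strstr check, extended name:   %d\n", subject_match_strstr(bad, "/CN=wireless.nikhef.nl"));
    printf("domain_match, extended name:   %d\n", domain_match_exact("wireless.nikhef.nl.honestachmed.tr", "wireless.nikhef.nl"));
    printf("domain_suffix_match, extended: %d\n", domain_match_suffix("wireless.nikhef.nl.honestachmed.tr", "nikhef.nl"));
    return 0;
}
```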
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-03-23. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60983
ping! We need the submissions for SLE-11-SP2
after a long discussion with upstream, the bug was marked as invalid. Please check https://bugzilla.gnome.org/show_bug.cgi?id=341323#c28 for more information.
SUSE-SU-2015:1013-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 900611,915323,927558
CVE References: CVE-2014-3686,CVE-2015-0210,CVE-2015-1863
Sources used:
SUSE Linux Enterprise Server 12 (src): wpa_supplicant-2.2-8.1
SUSE Linux Enterprise Desktop 12 (src): wpa_supplicant-2.2-8.1
https://bugzilla.gnome.org/show_bug.cgi?id=341323#c29 Looks like this is still going.
combined with the other set of fixes. created request id 76374

this has now:

-------------------------------------------------------------------
Thu May 7 17:10:30 CEST 2015 - ro@suse.de

- added patch for bnc#930077
  0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
- added patch for bnc#930078
  0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch

-------------------------------------------------------------------
Wed Apr 22 12:13:26 CEST 2015 - ro@suse.de

- add changes for bnc#915323:
  - added wpa_supplicant-tls-domain-suffix.patch to support the
    domain_suffix_match option (prereq for following changes)
    based on original git commit from Oct 6th 2013
    01f809c7db3c2afcb3ed8c2af91f303a0cbee8a1
  - added wpa_supplicant-cert_in_cb.patch to add the option to
    write the server cert chain to a file
    based on original git commit from Sep 17th 2011
    1b414f59fc46b8c88e606de122debf69e8b5faa8
    and parts of 4f525d8e5bc6ea89062d70044ee583f11af4126b
  - added 0013-rh1178263-CVE-2015-0210-domain_match.patch
    this adds the "domain_match" config option from upstream
  - added 0014-rh1178263-CVE-2015-0210-cert_in_cb.patch
    (include peer certificate always in EAP events by default,
    can be disabled with cert_in_cb=0)
okay ... CVE-2015-1863 is not applicable for the 11-sp2 variant. CVE-2014-3686 was already listed. CVE-2015-0210 was only there as part of a string, added; hope it's correct now.
SUSE-SU-2018:1659-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 915323
CVE References: CVE-2015-0210
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src): wpa_supplicant-0.7.1-6.18.6.1
Fixed for all current codestreams.