[Java] CWE-295 - Incorrect Hostname Verification - MitM #108
Comments
|
Hey @intrigus-lgtm |
|
Hi @intrigus-lgtm ... as Nico mentioned above, for this submission to be accepted under the Bug Slayer category it requires multiple CVE (it's actually 4, not 3) to be triaged as a direct result of your query findings as per https://securitylab.github.com/bounties ... for reference, this submission received award under the "All For One" category already. Do you expect to update this issue with your CVE findings still? If so we'll leave the issue open until we receive your CVE listings. |
|
Still waiting for some confirmations. |
|
Just a heads up that I'm still waiting... |
|
Found another one: 1 CVE, 1 issue which currently lacks a CVE, so two are missing for the bounty :) |
|
CVE-2020-26234 has just been assigned 🎉 |
|
Hi @intrigus-lgtm. I hope you don't mind, I am going to take this out of our bounty pipeline for now. Please go ahead and resubmit it when you get the extra CVEs. |
|
Your submission is now in status Closed. For information, the evaluation workflow is the following: |
|
CVE-2020-17514 has been assigned, although it still is reserved i.e. not public. |
|
Ok, great. Do you have a 4th CVE in the pipeline too, or is it 3 total for the time being? |
|
I have 1 open github security advisory and created 2 issues asking maintainers to open an advisory so I can privately disclose the issues to them. |
|
If they don't have contact info in |
|
I'm going to close the issue as Kevin said. Feel free to re-open it when ready. |
|
[PRODUCT]: Apache Fineract Fix-link:apache/fineract@e054a6f#diff-1d795f6e046aa3b856186409a7330109723169f9eade25374ba76efe23acdec9 @JarLob please reopen :) |
|
Is it the correct reference? The description is "ProcessorHelper error handling can lead to NullPointerException". Was the CVE-2020-17514 requested by Apache or you? Did they change their minds? |
|
The reference is correct. |
|
Your submission is now in status FP Check. For information, the evaluation workflow is the following: |
|
Your submission is now in status CodeQL review. For information, the evaluation workflow is the following: |
|
Your submission is now in status SecLab finalize. For information, the evaluation workflow is the following: |
|
Your submission is now in status Pay. For information, the evaluation workflow is the following: |
|
Thank you! |
|
Created Hackerone report 1219493 for bounty 309996 : [108] [Java] CWE-295 - Incorrect Hostname Verification - MitM |
|
Your submission is now in status Closed. For information, the evaluation workflow is the following: |
CVE ID(s)
List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.
CVEs pending
No CVE for this one:
https://github.com/laurent-clouet/sheepit-client/pull/240/files
This instance would not have been found by this query.
That is not a fault of the query, but
sheepit-clientuses Lombok which seems to not work well with LGTM.This "hack" should fix it.
sheepit-clientis the client for a distributed Blender render farm, based on people giving their computer power for free.The MitM vulnerability would have allowed an attacker to execute code by changing the Blender file to contain dangerous python code.
Normally python code is disabled from running, but this value is sent by the server and so the attacker could override this as well.
This means that an attacker could execute arbitrary code.
CVE-2020-13955
CVE-2020-26234
CVE-2020-17514
The vulnerable class is used for example here which seems to be used for sending SMS.
I'm not 100 % sure (found this issue more than half a year ago...), but I think the SMS was used to send OTP tokens, although I did not really verify the OTP token part.
CVE-2021-21385 (GHSA-9657-33wf-rmvx)
Note that the fixed code is written in Kotlin; the app has recently been converted to a Kotlin app and the issue has been found in the semantically equivalent Java version.
Report
Hostname verification is an essential part of Transport Layer Security (TLS) and HTTPS.
When a TLS connection is established there are two important steps:
First, the chain of trust is verified that means it is checked whether the certificate has been issued by a trusted certificate authority.
Second, the hostname (that is being connected to) needs to be verified against the certificate.
That means it is checked whether the certificate is actually for the hostname.
If the hostname is not verified an attacker could present any certificate with a valid chain of trust, but that is not issued for the hostname at all.
This allows a man-in-the-middle attack!
Many posts tell developers that have problems with hostname verification to accept any certificate as valid in the case of a mismatch.
These problems usually are configuration problems that should be fixed instead.
Java verifies HTTPS hostnames by default.
But when a protocol uses TLS (SSLEngine) the hostname is not verified by default.
That's where the second part of my query (IncorrectHostnameVerifier.ql) comes into play.
[This PR and PR description is WIP]
87 of 642 projects tested have overridden the
Hostname.verifymethod.Query: github/codeql#3581
27 of 642 projects are detected by my currently running query.
The text was updated successfully, but these errors were encountered: