Arch LinuxASA-201504-13ruby: permissive certificate verification
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.02 Low
EPSS
Percentile
87.6%
After reviewing RFC 6125 and RFC 5280, multiple violations were found of
matching hostnames and particularly wildcard certificates.
Ruby’s OpenSSL extension will now provide a string-based matching
algorithm which follows more strict behavior, as recommended by these
RFCs. In particular, matching of more than one wildcard per subject/SAN
is no-longer allowed. As well, comparison of these values are now
case-insensitive.
This change will take affect Ruby’s
OpenSSL::SSL#verify_certificate_identity behavior.
Specifically:
- Only one wildcard character in the left-most part of the hostname is
allowed. - IDNA names can now only be matched by a simple wildcard (e.g.
‘*.domain’). - Subject/SAN should be limited to ASCII characters only.
Related
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.02 Low
EPSS
Percentile
87.6%