Apache-SSL Client Certificate Forging

2004-02-06T08:23:38
ID OSVDB:3877
Type osvdb
Reporter OSVDB
Modified 2004-02-06T08:23:38

Description

Vulnerability Description

Apache-SSL contains a flaw that may permit a client to use real basic authentication to forge a client certificate. The flaw is present only when SSLVerifyClient is set to 1 or 3 and SSLFakeBasicAuth is set.

Technical Description

Apache-SSL 1.3.28+1.52 contains a flaw that may permit a client to use real basic authentication to forge a client certificate. If Apache-SSL is configured with SSLVerifyClient set to 1 or 3 (client certificates optional) and SSLFakeBasicAuth is set, Apache-SSL 1.3.28+1.52 and all earlier versions permit a client to use real basic authentication to forge a client certificate.

The attacker needs to have the "one-line DN" of a valid user, as used by faked basic auth in Apache-SSL, and the fixed password ("password" by default).
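Because the exposure depends on two directives appearing together, a configuration audit is the practical defensive check. The following Python script is an added example (not part of the OSVDB entry or of Apache-SSL) that scans an httpd.conf for scopes where SSLVerifyClient is 1 or 3 while SSLFakeBasicAuth is set; it assumes SSLFakeBasicAuth is a bare flag directive and that a VirtualHost inherits both directives from the server scope unless it overrides them, and the sample configuration and host names are constructed.

```python
import re

# Apache-SSL client-certificate modes: 0 = none, 1 = optional and verified,
# 2 = required, 3 = optional and not necessarily verifiable.
# OSVDB:3877 / CVE-2004-0009 applies when the mode is 1 or 3.
OPTIONAL_CLIENT_CERT_MODES = {"1", "3"}

# Constructed sample httpd.conf, not a real deployment.
SAMPLE_CONFIG = """\
SSLVerifyClient 2          # server-wide: certificate required
SSLFakeBasicAuth           # server-wide: one-line DN becomes the basic-auth user
<VirtualHost partner.example.test:443>
    SSLVerifyClient 3      # optional, unverified certificate -> affected
</VirtualHost>
<VirtualHost portal.example.test:443>
    # inherits mode 2 from the server scope -> not affected
</VirtualHost>
<VirtualHost legacy.example.test:443>
    SSLVerifyClient 1      # optional certificate -> affected
</VirtualHost>
"""

def audit_apache_ssl_config(config_text):
    """Return the scopes where SSLVerifyClient is 1 or 3 and SSLFakeBasicAuth is set.

    Assumption: SSLFakeBasicAuth is a bare flag directive, and a <VirtualHost>
    inherits both directives from the server scope unless it overrides them.
    """
    scopes = {"server": {}}
    current = "server"
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = opened.group(1).strip()
            scopes[current] = {}
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            current = "server"
            continue
        parts = line.split()
        name = parts[0].lower()
        if name == "sslverifyclient" and len(parts) > 1:
            scopes[current]["verify"] = parts[1]
        elif name == "sslfakebasicauth":
            scopes[current]["fake"] = True
    server = scopes["server"]
    return [scope for scope, s in scopes.items()
            if s.get("verify", server.get("verify", "0")) in OPTIONAL_CLIENT_CERT_MODES
            and s.get("fake", server.get("fake", False))]
```

Running `audit_apache_ssl_config(SAMPLE_CONFIG)` reports the partner and legacy virtual hosts; the server scope and the portal host are left alone because they require a verified certificate.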

Solution Description

Upgrade to Apache-SSL 1.3.29+1.53 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Apache-SSL contains a flaw that may permit a client to use real basic authentication to forge a client certificate. The flaw is present only when SSLVerifyClient is set to 1 or 3 and SSLFakeBasicAuth is set.

References:

Vendor URL: http://www.apache-ssl.org/
Vendor URL: http://www.apache-ssl.org/advisory-20040206.txt
Secunia Advisory ID: 10811
Other Advisory URL: http://archives.neohapsis.com/archives/fulldisclosure/2004-02/0257.html
Nessus Plugin ID: 12046
ISS X-Force ID: 15065
CVE-2004-0009
Bugtraq ID: 9590