Re: Re: Bug#991971: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)

Related Vulnerabilities: CVE-2021-38165  
oss-sec mailing list archives

From: Ariadne Conill <ariadne () dereferenced org>
Date: Sat, 7 Aug 2021 15:26:09 -0500 (CDT)
Hi,

On Sat, 7 Aug 2021, Axel Beckert wrote:

> Hi Salvatore, Dear Ariadne,
>
> Salvatore Bonaccorso wrote:
> > > This is more severe than it initially looked like: Due to TLS Server
> > > Name Indication (SNI) the hostname as parsed by Lynx (i.e. with
> > > "user:pass@" included) is sent in _clear_ text over the wire even
> > > _before_ I can even say "n" for "no, don't continue to talk with this
> > > server" in Lynx's prompt as shown above.
> > > […]
> > > IMHO this nevertheless needs a CVE-ID.
> >
> > MITRE did assign CVE-2021-38165.
>
> Thanks Salvatore. I updated the debian/changelog entry for the next
> upload as well as the title of the Debian bug report.

+1, thanks for getting a CVE for this.

> > MITRE raised the question: Does 2.9.0dev.9 (mentioned on the
> > https://lynx.invisible-island.net/current/CHANGES.html page) fix the
> > entire problem?
>
> At this point a huge thanks to Thomas Dickey (Lynx upstream) for
> providing a fixed version so quickly!

I think 2.9.0dev.9 fixes the problem, even if the fix is, well, not the
way I would do it.

> > https://www.openwall.com/lists/oss-security/2021/08/07/7 claims that
> > credentials appear in the HTTP Host header to an http:// (i.e.,
> > non-SSL) website.
>
> Indeed and a good point.
>
> Citing from Ariadne's mail:
> > The issue itself is far more severe: HTParse() does not understand
> > the authn part of the URI at all.
> > […]
> > But it will also leak in the Host: header on unencrypted
> > connections, and also probably SSL ones too.
>
> But that looks to me as if Ariadne just refers to the code and hasn't
> actually checked it by trying it. Nevertheless thanks to Ariadne for
> having had a look and proposing a patch!

Yes, this was my guess since HTParse() doesn't understand the authn part.
But this seems like a rather unfortunate design: parse the URI wrong, and
then "fix" it later?  Why not just parse the URI right, to begin with?

So strange...

Ariadne
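The parsing mistake the thread is about, written out as an added example in C. This is editor-supplied illustration code, not Lynx's HTParse() and not the patch anyone in the thread posted: `naive_host()` reproduces the failure mode (the whole authority, credentials included, is taken as the host name and would be handed to the TLS SNI extension and the HTTP Host: header), `parse_authority()` splits userinfo, host and port the way RFC 3986 section 3.2 defines them, and `safe_for_wire()` is a hypothetical last-line check a client could run before the handshake. The URLs are constructed for the demonstration.

```c
/*
 * Added example (not Lynx code): naive vs. RFC 3986 authority parsing.
 * Shows how a parser that ignores userinfo puts "user:pass@host" where
 * only "host" belongs, i.e. into SNI and Host:, and how to parse it right.
 */
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 256

struct authority {
    char userinfo[FIELD_MAX];  /* "user:pass", or "" when absent */
    char host[FIELD_MAX];      /* the only part that belongs in SNI / Host: */
    char port[FIELD_MAX];      /* "" when absent */
};

/* Locate the authority component: text after "://" up to "/", "?" or "#". */
static int authority_span(const char *url, const char **start, size_t *len) {
    const char *p = strstr(url, "://");
    if (!p) return -1;
    p += 3;
    *start = p;
    *len = strcspn(p, "/?#");
    return (*len > 0 && *len < FIELD_MAX) ? 0 : -1;
}

/* Naive parse: the whole authority is taken as the host name. This is the
 * mistake under discussion written out; it is not Lynx's HTParse(). */
int naive_host(const char *url, char *host) {
    const char *a; size_t n;
    if (authority_span(url, &a, &n) < 0) return -1;
    memcpy(host, a, n); host[n] = '\0';
    return 0;
}

/* RFC 3986 parse: userinfo ends at the last '@' in the authority; the port
 * follows the first ':' after the host, except that an IPv6 literal in
 * brackets contains ':' itself and must be skipped as a unit. */
int parse_authority(const char *url, struct authority *out) {
    const char *a; size_t n;
    if (authority_span(url, &a, &n) < 0) return -1;
    memset(out, 0, sizeof *out);

    const char *at = NULL;
    for (size_t i = 0; i < n; i++)
        if (a[i] == '@') at = a + i;
    const char *h = a;
    if (at) {
        memcpy(out->userinfo, a, (size_t)(at - a));
        out->userinfo[at - a] = '\0';
        h = at + 1;
    }
    size_t hn = n - (size_t)(h - a);
    if (hn == 0) return -1;                 /* "user@" with no host at all */

    const char *hend = h + hn;
    const char *colon = NULL;
    if (h[0] == '[') {                      /* IPv6 literal: find the ']' */
        const char *close = memchr(h, ']', hn);
        if (!close) return -1;
        if (close + 1 < hend && close[1] == ':') colon = close + 1;
        else if (close + 1 != hend) return -1;
    } else {
        for (const char *p = h; p < hend; p++)
            if (*p == ':') { colon = p; break; }
    }
    size_t hostlen = colon ? (size_t)(colon - h) : hn;
    memcpy(out->host, h, hostlen); out->host[hostlen] = '\0';
    if (colon) {
        size_t pl = (size_t)(hend - colon - 1);
        memcpy(out->port, colon + 1, pl); out->port[pl] = '\0';
    }
    return 0;
}

/* Hypothetical guard for the value about to go into SNI or Host:.
 * An RFC 3986 host never contains '@'; if one does, credentials leaked
 * into it and the connection must not be opened. */
int safe_for_wire(const char *host) {
    return strchr(host, '@') == NULL;
}

int main(void) {
    const char *url = "https://alice:s3cret@example.org:8443/private";  /* constructed */
    char naive[FIELD_MAX]; struct authority a;
    naive_host(url, naive);
    parse_authority(url, &a);
    printf("naive host   : %s (safe=%d)\n", naive, safe_for_wire(naive));
    printf("rfc3986 host : %s (safe=%d) userinfo=%s port=%s\n",
           a.host, safe_for_wire(a.host), a.userinfo, a.port);
    return 0;
}
```

The point of separating the fields before anything touches the network is that the leak happens at ClientHello time, before any certificate prompt can intervene, so a post-parse "fix" only helps if it runs before the TLS handshake and the first request line. One further caveat for the `host` field: RFC 6066 section 3 does not permit literal IPv4/IPv6 addresses in the SNI HostName, so a correct client omits SNI for the bracketed IPv6 case shown here rather than sending the literal.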