Bugzilla – Bug 848653
VUL-1: CVE-2013-4488: libgadu: missing ssl certificate validation
Last modified: 2020-06-29 06:23:16 UTC
CVE-2013-4488 Libgadu, an open library for communicating using the protocol e-mail, was found to have missing the ssl certificate validation. The issue is that libgadu uses openSSL library for creating secure connections. A program using openSSL can perform SSL handshake by invoking the SSL_connect function. Some certificate validation errors are signaled through, the return values of the SSL_connect, while for the others errors SSL_connect returns OK but sets internal "verify result" flags. Application must call ssl_get_verify_result function to check if any such errors occurred. This check seems to be missing in libgadu. And thus a man-in-the-middle attack is possible failing all the SSL protection. Note: Upstream suggested that it was a concious decision as libgadu is reverse-engineered implementation of a proprietary protocol, they had no control over the certificates used for SSL connections, so they would add a note to the documentation about this. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4488 https://bugzilla.redhat.com/show_bug.cgi?id=1025718 http://seclists.org/oss-sec/2013/q4/202
I am not sure what we can do for it. I can only imagine reverse engineering of SSL certificates provided by the server to guess, how we can verify them. But it would be a fragile solution, as it is a proprietary protocol. Instant messengers (with exception of SILC) do not explicitly say, that the communication is safe from spying. Documentation of libgadu3 and libgadu-devel is written in Polish language. If there is any note about security, it should be updated. Needinfo from Vojtech Dziewiecki, who can read Polish.
This bug is also reported as bug 848509.
bugbot adjusting priority
we can add a disclaimer in the documentation. something like: after SSL connection established, libgadu doesn't verify if the X509 certificate is valid. Upstream confirmed and suggested that it was a concious decision as libgadu is reverse-engineered implementation of a proprietary protocol.
Please specify what info do you want me to find, it is not clear from your comment.
excepting that the certificate is for *.gg.pl and not gadu-gadu.pl it has valid SSL certficates. The problem is that libgadu has various *.gadu-gadu.pl hostnames and not the *.gg.pl hostnames :/ $ gnutls-cli register.gadu-gadu.pl -p 443 Connecting to '91.214.238.90:443'... - Peer's certificate is trusted - The hostname in the certificate does NOT match 'register.gadu-gadu.pl' *** Verifying server certificate failed... *** Fatal error: Error in the certificate. - Certificate type: X.509 - Got a certificate list of 1 certificates. - Certificate[0] info: - subject `serialNumber=Gpoo5dxP52Z92xR93sWEwNGonvByY7s1,C=PL,O=*.gg.pl,OU=GT98180934,OU=See www.rapidssl.com/resources/cps (c)10,OU=Domain Control Validated - RapidSSL(R),CN=*.gg.pl', issuer `C=US,O=Equifax,OU=Equifax Secure Certificate Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2010-12-06 00:06:46 UTC', expires `2016-03-07 13:07:16 UTC', SHA-1 fingerprint `1d7eec0dbe07c4b0c1f6c7241788554c5252ee90' Public Key Id: e1460de36c72b949c397e42aa7fb3053754eeeaf Public key's random art: +--[ RSA 2048]----+ | o . | | + B . | | . % * o | | B O = | | . S o | | * . | | = . | | = . | | ... E.. | +-----------------+ *** Handshake has failed GnuTLS error: Error in the certificate.
One question is if there are *.gg.pl hosts that we can refer to in libgadu sources as the SSL certificates seems to be for those and not for gadu-gadu.pl
*** Bug 848509 has been marked as a duplicate of this bug. ***
It looks like this issue can not be completely fixed. Closing as WONTFIX.