Bug 897029 (CVE-2014-3616) - VUL-0: nginx,nginx-1.0: CVE-2014-3616 nginx: virtual host confusion
Summary: VUL-0: nginx,nginx-1.0: CVE-2014-3616 nginx: virtual host confusion
Status: RESOLVED FIXED
Alias: CVE-2014-3616
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Deadline: 2014-10-06
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/106234/
Whiteboard: maint:released:sle11-sp2:59265
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-17 06:41 UTC by Marcus Meissner
Modified: 2014-12-15 10:29 UTC (History)
CC List: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2014-09-17 06:41:15 UTC
rh#1142573

Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered a virtual host confusion issue in nginx, allowing HTTPS connections for one origin to be redirected to the virtual host of a different origin. This leads to a variety of issues, such as cookie theft and session hijacking. It could be triggered from a cross-site scripting flaw, tricking a user into visiting a malicious URL, and so on.

The upstream changelog describes the issue as:

""
it was possible to reuse SSL sessions in unrelated contexts
if a shared SSL session cache or the same TLS session ticket key was
used for multiple "server" blocks
""

Full details and some mitigation strategies are available in their paper:

http://bh.ht.vc/vhost_confusion.pdf

It is reported that this issue affected nginx versions 0.5.6 to 1.7.4, and has been fixed in the 1.6.2 and 1.7.5 releases:

http://mailman.nginx.org/pipermail/nginx-announce/2014/000147.html

Upstream patch:

http://trac.nginx.org/nginx/changeset/5841/nginx

External References:

http://bh.ht.vc/vhost_confusion.pdf

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1142573
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3616
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3616
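The changelog quoted above names the precondition: one shared session cache zone, or one ticket key, reachable from more than one "server" block. The following audit script is an added example (not nginx's code and not part of the SUSE patch); it embeds two constructed nginx configurations, the weak shape with an http-level `ssl_session_cache` and `ssl_session_ticket_key` inherited by two unrelated vhosts, and the same vhosts with a per-server cache zone and per-server ticket key, then walks each config and reports every zone or key file used by more than one server block. The host names, paths and zone names are made up for illustration, and the parser covers only the subset of nginx syntax these directives need. Separating the zones and keys per server block is the configuration-level workaround implied by the changelog wording; the real fix is the updated package.

```python
"""Audit an nginx config for the CVE-2014-3616 precondition: an SSL session
cache zone or a session ticket key shared by more than one "server" block.
Added example, not nginx's own code or the SUSE patch; the config text
below is constructed for illustration."""
import re
from collections import defaultdict

# Constructed weak config: the cache zone and ticket key are set once in the
# http context and therefore inherited by both (unrelated) vhosts.
WEAK_CONF = """
http {
    ssl_session_cache shared:SSL:10m;
    ssl_session_ticket_key /etc/nginx/ticket.key;
    server {
        listen 443 ssl;
        server_name a.example.test;   # hypothetical host
        ssl_certificate /etc/nginx/a.crt;
    }
    server {
        listen 443 ssl;
        server_name b.example.test;   # hypothetical host
        ssl_certificate /etc/nginx/b.crt;
    }
}
"""

# Constructed hardened config: each server block owns its cache zone and key.
FIXED_CONF = """
http {
    server {
        listen 443 ssl;
        server_name a.example.test;
        ssl_certificate /etc/nginx/a.crt;
        ssl_session_cache shared:SSL_a:10m;
        ssl_session_ticket_key /etc/nginx/ticket_a.key;
    }
    server {
        listen 443 ssl;
        server_name b.example.test;
        ssl_certificate /etc/nginx/b.crt;
        ssl_session_cache shared:SSL_b:10m;
        ssl_session_ticket_key /etc/nginx/ticket_b.key;
    }
}
"""

TOKEN = re.compile(r'\s*(#[^\n]*|[{};]|"[^"]*"|\'[^\']*\'|[^\s{};#"\']+)')


def tokenize(text):
    """Yield directive words, braces and semicolons; comments are dropped."""
    pos = 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            break
        pos = m.end()
        tok = m.group(1)
        if not tok.startswith('#'):
            yield tok.strip('"\'')


def parse(text):
    """Return a tree of (name, args, children); children is None for a
    simple directive and a list for a block like http { } or server { }."""
    stack, args = [[]], []
    for tok in tokenize(text):
        if tok == ';':
            if args:
                stack[-1].append((args[0], args[1:], None))
            args = []
        elif tok == '{':
            block = (args[0], args[1:], [])
            stack[-1].append(block)
            stack.append(block[2])
            args = []
        elif tok == '}':
            stack.pop()
        else:
            args.append(tok)
    return stack[0]


def collect(block):
    """Session directives declared directly in a block. ssl_session_ticket_key
    may be repeated for key rotation, so it is kept as a list."""
    found = {}
    for name, args, children in block:
        if children is not None:
            continue
        if name == 'ssl_session_cache':
            found['ssl_session_cache'] = args
        elif name == 'ssl_session_ticket_key':
            found.setdefault('ssl_session_ticket_key', []).append(args[0])
    return found


def servers(tree, inherited=None):
    """Yield (server_name, effective settings) for every server block, with
    nginx's rule that a block's own setting replaces the inherited one."""
    effective = dict(inherited or {})
    effective.update(collect(tree))
    for name, args, children in tree:
        if children is None:
            continue
        if name == 'server':
            settings = dict(effective)
            settings.update(collect(children))
            sname = next((a[0] for n, a, c in children
                          if n == 'server_name' and c is None and a), 'unnamed')
            yield sname, settings
        else:
            yield from servers(children, effective)


def shared_resources(text):
    """Map each shared cache zone and ticket key file to the server_names that
    use it; return only the ones used by more than one server block. Only
    'shared:' zones count: a 'builtin' cache lives inside one SSL context."""
    users = defaultdict(set)
    for sname, settings in servers(parse(text)):
        for arg in settings.get('ssl_session_cache', []):
            if arg.startswith('shared:'):
                zone = arg.split(':')[1]        # zone name identifies the cache, size does not
                users[('ssl_session_cache', zone)].add(sname)
        for key in settings.get('ssl_session_ticket_key', []):
            users[('ssl_session_ticket_key', key)].add(sname)
    return {res: sorted(names) for res, names in users.items() if len(names) > 1}


if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('fixed', FIXED_CONF)):
        print(label, shared_resources(conf) or 'no cross-server sharing')
```

Run it as `python3 audit.py` against the embedded configs, or read a real config into `shared_resources()` once `include` files have been concatenated (this parser does not follow `include`). The weak config reports both the `SSL` zone and `/etc/nginx/ticket.key` as used by both hosts; the hardened one reports nothing.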
Comment 1 Swamp Workflow Management 2014-09-17 22:00:13 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2014-09-22 09:54:53 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-10-06.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59015
Comment 3 SMASH SMASH 2014-09-22 09:55:07 UTC
Affected packages:

SLE-11-SP3: nginx-1.0
SLE-11-SP3-PRODUCTS: nginx-1.0
SLE-11-SP3-UPTU: nginx-1.0
Comment 4 Stefan Schubert 2014-10-02 14:27:35 UTC
I have added the patch and have made an SR:
Submitting package  nginx-1.0
created request id 45013
Comment 5 Stefan Schubert 2014-10-02 14:28:20 UTC
Assigned to security-team@suse.de
Comment 8 Swamp Workflow Management 2014-10-13 21:04:51 UTC
SUSE-SU-2014:1286-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 897029
CVE References: CVE-2014-3616
Sources used:
WebYaST 1.3 (src):    nginx-1.0-1.0.15-0.10.1
SUSE Studio Onsite 1.3 (src):    nginx-1.0-1.0.15-0.10.1
SUSE Lifecycle Management Server 1.3 (src):    nginx-1.0-1.0.15-0.10.1
Comment 9 Martin Vidner 2014-10-16 12:51:48 UTC
Warning, the patch has a bug that makes webyast crash, see bug 901519.

Interestingly, in a testing VM, `rcwebyast start` crashes but plain `rcnginx start` does not crash.
Comment 10 Victor Pereira 2014-12-15 10:29:05 UTC
fix released.