
Security vulnerability: missing SSL hostname validation #25

Closed
ConradIrwin opened this issue May 18, 2020 · 5 comments

Comments

@ConradIrwin
Owner

GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2020-095

The GitHub Security Lab team has identified potential security vulnerabilities in em-imap.

We are committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues with the GHSL team.

If at any point you have concerns or questions about this process, please do not hesitate to reach out to us at securitylab@github.com (please include your GHSL-2020-095).

If you are NOT the correct point of contact for this report, please let us know!

Summary

Missing hostname validation allows an attacker to perform a man in the middle attack against users of the library.

Product

em-imap

Tested Version

v0.5

Missing SSL/TLS certificate hostname validation

em-imap uses the library eventmachine in an insecure way that allows an attacker to perform a man in the middle attack against users of the library.

Impact

An attacker can assume the identity of a trusted server and introduce malicious data in an otherwise trusted place.

Remediation

Implement hostname validation.

Resources

To trigger the vulnerability, a simple TLS enabled listening daemon is sufficient as described in the following snippets.

# Add a fake DNS entry to /etc/hosts.
$ echo "127.0.0.1 test.imap.gmail.com" | sudo tee -a /etc/hosts

# Create a certificate.
$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

# Listen on port 993 with TLS enabled.
$ openssl s_server -key key.pem -cert cert.pem -accept 993
Using auto DH parameters
Using default temp ECDH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MFUCAQECAgMDBALAMAQABDB6rCbPKv6fm6PV8kaehPOpnJS6alzqvMImVDzjsSHm
ll1shwxJqlreT6XL5va01tahBgIEXsJTeqIEAgIcIKQGBAQBAAAA
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-GCM-SHA256:AES128-SHA256:CAMELLIA128-SHA256:AES128-SHA:CAMELLIA128-SHA
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported

Create a sample client with the following contents:

require 'rubygems'
require 'em-imap'

EM::run do
  # Third argument enables TLS; the hostname resolves to the local s_server via the /etc/hosts entry above.
  client = EM::IMAP.new('test.imap.gmail.com', 993, true)
  client.connect.errback do |error|
    puts "Connecting failed: #{error}"
  end.callback do |hello_response|
    # Reached even though the presented certificate was not issued for this hostname.
    puts "Connecting succeeded!"
    puts hello_response
  end.bothback do
    EM::stop
  end
end

Run the example client to see a connection being performed in the listening daemon initialized in the previous steps.

# Run the example client.
$ ruby em-imap-client.rb

References

CWE-297: Improper Validation of Certificate with Host Mismatch

GitHub Security Advisories

We recommend you create a private GitHub Security Advisory for these findings. This also allows you to invite the GHSL team to collaborate and further discuss these findings in private before they are published.

Credit

This issue was discovered and reported by GHSL team member @agustingianni (Agustin Gianni).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-2020-095 in any communication regarding this issue.

Disclosure Policy

This report is subject to our coordinated disclosure policy.
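The remediation the report asks for ("Implement hostname validation"), as an added example that is not part of this issue or of em-imap's own code. It models the two checks an EventMachine client's `ssl_verify_peer` / `ssl_handshake_completed` callbacks must perform when `start_tls` runs with `verify_peer: true`, and assumes the chain is handed over root-first (so the last certificate is the leaf); the `make_self_signed` helper, its hostnames and the `check` wrapper are constructed for the example.

```ruby
require 'openssl'

# Added example, not em-imap's own code. verify_peer performs the two checks an
# EventMachine ssl_verify_peer / ssl_handshake_completed pair must perform:
# chain trust, then hostname identity. Assumption: chain_pems is root-first.
def verify_peer(hostname, chain_pems, store)
  last_seen = nil
  chain_pems.each do |pem|
    cert = OpenSSL::X509::Certificate.new(pem)
    # ssl_verify_peer: each certificate must chain to something already trusted
    return [false, "untrusted certificate: #{store.error_string}"] unless store.verify(cert)
    begin
      store.add_cert(cert) # so the next (child) certificate can chain to it
    rescue OpenSSL::X509::StoreError
      # already present in the store
    end
    last_seen = cert
  end
  return [false, 'no certificate presented'] unless last_seen
  # ssl_handshake_completed: the check the report says is missing. A trusted
  # chain only proves some CA signed the leaf; the leaf must also name the
  # host the client meant to reach (CN / subjectAltName).
  unless OpenSSL::SSL.verify_certificate_identity(last_seen, hostname)
    return [false, "certificate does not match #{hostname}"]
  end
  [true, nil]
end

# Constructed self-signed certificate, standing in for the s_server one above.
def make_self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Convenience wrapper: trust the given roots, then verify a one-certificate chain.
def check(hostname, cert, trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  verify_peer(hostname, [cert.to_pem], store)
end
```

With `check('test.imap.gmail.com', fake, [fake])` the chain check passes (the fake root is trusted) but the identity check fails, which is exactly the step the vulnerable client skipped.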

@agustingianni

CVE-2020-13163

@agustingianni

Hello @ConradIrwin we have been working with the folks from em-http-request and I think we have reached a good patch for this issue that may be usable in your library. If you decide to implement it, I would love to help you with the testing.

You can find more information in the thread at igrigorik/em-http-request#339

Thanks.

@ConradIrwin
Owner Author

ConradIrwin commented May 27, 2020 via email

alromh87 added a commit to alromh87/em-imap that referenced this issue Sep 13, 2020
@alromh87
Contributor

@agustingianni Implemented a fix based on the information you provided

Thank you

@huntr-helper

🛠️ A fix has been provided for this issue. Please reference: 418sec#1

🔥 This fix has been provided through the https://huntr.dev/ bug bounty platform.
