Vulnerability Note VU#744929

mod_ssl fails to properly enforce client certificates authentication

Overview

mod_ssl, the Apache web server module for Secure Socket Layer (SSL) communications, may not properly authenticate client certificates.

I. Description

mod_ssl provides Secure Socket Layer (SSL) communications for the Apache web server. SSL is designed to provide the ability to encrypt and authenticate TCP connections. Apache, using mod_ssl, can be configured to use SSL to authenticate web users using client certificates.

The requirement for client certificates is not enforced if a web server configuration specifies client authentication as optional ("SSLVerifyClient optional") in the global virtual host configuration, but specifies client certificates as required in some location's context ("SSLVerifyClient require").

II. Impact

An attacker may access web documents in a restricted section of a web site without providing a valid client certificate.

III. Solution

Upgrade to mod_ssl 2.8.24 or later, or apply a patch as specified by your vendor.

Systems Affected

Vendor	Status	Date Notified
Apache-SSL	Unknown	9-Sep-2005
Apache HTTP Server Project	Vulnerable	18-Oct-2005
Apple Computer, Inc.	Unknown	6-Dec-2005
Avaya, Inc.	Vulnerable	3-Oct-2005
Cray, Inc.	Unknown	7-Sep-2005
Debian Linux	Vulnerable	12-Sep-2005
EMC, Inc. (formerly Data General Corporation)	Unknown	7-Sep-2005
Engarde Secure Linux	Unknown	7-Sep-2005
F5 Networks, Inc.	Vulnerable	8-Sep-2005
Fedora Project	Vulnerable	9-Sep-2005
FreeBSD, Inc.	Unknown	7-Sep-2005
Fujitsu Limited	Unknown	7-Sep-2005
Gentoo Linux	Vulnerable	23-Sep-2005
Hewlett-Packard Company	Unknown	7-Oct-2005
Hitachi	Unknown	23-Sep-2005
IBM Corporation	Unknown	7-Sep-2005
Immunix Communications, Inc.	Unknown	7-Sep-2005
Ingrian Networks, Inc.	Unknown	7-Sep-2005
Juniper Networks, Inc.	Not Vulnerable	9-Sep-2005
Mandriva, Inc.	Vulnerable	3-Oct-2005
Mandriva, Inc.	Vulnerable	9-Sep-2005
Microsoft Corporation	Not Vulnerable	9-Sep-2005
mod_ssl	Vulnerable	9-Sep-2005
MontaVista Software, Inc.	Unknown	7-Sep-2005
NEC Corporation	Unknown	7-Sep-2005
NetBSD	Unknown	7-Sep-2005
Nokia	Unknown	12-Sep-2005
Novell, Inc.	Unknown	7-Sep-2005
OpenBSD	Unknown	7-Sep-2005
OpenPKG	Vulnerable	7-Sep-2005
Openwall GNU/*/Linux	Not Vulnerable	8-Sep-2005
Oracle Corporation	Vulnerable	18-Oct-2006
QNX, Software Systems, Inc.	Unknown	7-Sep-2005
Red Hat, Inc.	Vulnerable	28-Dec-2005
Silicon Graphics, Inc.	Unknown	7-Sep-2005
Slackware Linux Inc.	Vulnerable	9-Sep-2005
Sony Corporation	Unknown	7-Sep-2005
Sun Microsystems, Inc.	Unknown	7-Sep-2005
SUSE Linux	Vulnerable	16-Sep-2005
The SCO Group (SCO UnixWare)	Unknown	7-Sep-2005
Trustix Secure Linux	Vulnerable	9-Sep-2005
Turbolinux	Unknown	7-Sep-2005
Ubuntu	Vulnerable	8-Sep-2005
Unisys	Unknown	7-Sep-2005
Wind River Systems, Inc.	Unknown	7-Sep-2005

References

http://svn.apache.org/viewcvs?rev=264800&view=rev
http://www.mail-archive.com/modssl-users@modssl.org/msg17148.html
http://marc.theaimsgroup.com/?l=apache-modssl&m=112569517603897&w=2
http://secunia.com/advisories/16700/
http://www.osvdb.org/19188
http://www.openpkg.org/security/OpenPKG-SA-2005.017-modssl.html
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=167195
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=167194
http://rhn.redhat.com/errata/RHSA-2005-608.html
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.458879

Credit

Reported by Joe Orton of Red Hat.

This document was written by Hal Burch.

Other Information

Date Public:	2005-08-31
Date First Published:	2005-09-09
Date Last Updated:	2006-10-18
CERT Advisory:
CVE-ID(s):	CVE-2005-2700
NVD-ID(s):	CVE-2005-2700
US-CERT Technical Alerts:
Metric:	1.45
Document Revision:	69

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2005 by US-CERT, a government organization
Disclaimers and copyright information

Get Adobe Reader