
CERT Coordination Center


mod_ssl fails to properly enforce client certificate authentication

Vulnerability Note VU#744929

Original Release Date: 2005-09-09 | Last Revised: 2006-10-18

Overview

mod_ssl, the Apache web server module for Secure Sockets Layer (SSL) communications, may not properly authenticate client certificates.

Description

mod_ssl provides Secure Sockets Layer (SSL) communications for the Apache web server. SSL is designed to provide the ability to encrypt and authenticate TCP connections. Apache, using mod_ssl, can be configured to use SSL to authenticate web users using client certificates.

The requirement for client certificates is not enforced if a web server configuration specifies client authentication as optional ("SSLVerifyClient optional") in the global virtual host configuration, but specifies client certificates as required in some location's context ("SSLVerifyClient require").
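As an added example (not part of this note, of the Apache project, or of mod_ssl), the following Python audit flags the exact configuration pattern described above in an httpd.conf: a server or virtual-host context set to `SSLVerifyClient optional` with a `<Location>`-style container raising it to `require`. The two configuration fragments are constructed for illustration; only the per-location upgrade from `optional` is reported, since that is the combination this note concerns.

```python
import re
from typing import List, Optional, Tuple

# Constructed httpd.conf fragments (not from the note). VULNERABLE_CONF is the
# pattern VU#744929 describes: the virtual host says "optional" and a <Location>
# raises it to "require", which affected mod_ssl versions fail to enforce.
VULNERABLE_CONF = """<VirtualHost _default_:443>
    SSLEngine on
    SSLVerifyClient optional
    <Location /secure>
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""

# Same host, but the virtual host itself requires a certificate, so nothing
# relies on the per-location upgrade that the vulnerable versions drop.
HARDENED_CONF = VULNERABLE_CONF.replace("SSLVerifyClient optional",
                                        "SSLVerifyClient require")

_CONTAINERS = r"(Location|LocationMatch|Directory|DirectoryMatch|Files|FilesMatch)"
_OPEN = re.compile(rf"^<{_CONTAINERS}\b[^>]*>$", re.I)
_CLOSE = re.compile(rf"^</{_CONTAINERS}>$", re.I)
_VHOST_OPEN = re.compile(r"^<VirtualHost\b[^>]*>$", re.I)
_VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.I)
_VERIFY = re.compile(r"^SSLVerifyClient\s+(\S+)", re.I)


def find_optional_require_mismatch(conf: str) -> List[Tuple[int, str]]:
    """Return (line_no, container) for every per-location 'SSLVerifyClient require'
    whose enclosing server/vhost context is 'optional'. Include is not followed."""
    hits: List[Tuple[int, str]] = []
    pending: List[Tuple[int, str]] = []   # per-location 'require' in the current scope
    stack: List[str] = []                 # open <Location>-style containers
    main_value: Optional[str] = None      # main server context value (inherited by vhosts)
    scope_value: Optional[str] = None     # value of the context being read
    in_vhost = False

    def flush() -> None:                  # decide the scope that just ended
        if scope_value == "optional":
            hits.extend(pending)
        pending.clear()

    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if _VHOST_OPEN.match(line):
            flush()
            in_vhost, scope_value = True, main_value
        elif _VHOST_CLOSE.match(line):
            flush()
            in_vhost, scope_value = False, main_value
        elif _OPEN.match(line):
            stack.append(line)
        elif _CLOSE.match(line):
            if stack:
                stack.pop()
        elif (m := _VERIFY.match(line)):
            value = m.group(1).lower()
            if stack:
                if value == "require":
                    pending.append((no, stack[-1]))
            else:
                scope_value = value
                if not in_vhost:
                    main_value = value
    flush()
    return hits


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, find_optional_require_mismatch(conf))
```

A finding means the restricted location depends on a per-location `require` that mod_ssl before 2.8.24 (Apache before 2.0.55) does not enforce; the fix is to upgrade and, where the whole host should demand certificates, to set `SSLVerifyClient require` at the virtual-host level as in the hardened fragment.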

Impact

An attacker may access web documents in a restricted section of a web site without providing a valid client certificate.

Solution

Upgrade to mod_ssl 2.8.24 or later, or apply a patch as specified by your vendor.

Vendor Information


Apache HTTP Server Project

Updated:  October 18, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Apache HTTP Server Project distributes a version of mod_ssl with Apache 2.0. According to Apache's changelog, this issue has been resolved in Apache 2.0.55.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Avaya, Inc.

Updated:  October 03, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

According to Avaya Security Advisory ASA-2005-004, the following Avaya products may be affected:

    • Avaya S8710/S8700/S8500/S8300
    • Avaya Converged Communications Server (CCS) / SIP Enablement Services (SES)
    • Avaya Message Networking
    • Avaya Intuity LX
    • Avaya Modular Messaging Message Storage Server (MSS)
    • Avaya CVLAN
    • Avaya Integrated Management

More specific vulnerability information is contained within the advisory.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian Linux

Notified:  September 07, 2005 Updated:  September 12, 2005

Status

  Vulnerable

Vendor Statement

For Apache 2.0:

The old stable distribution (woody) does not contain Apache2 packages.

For the stable distribution (sarge) these problems have been fixed in version 2.0.54-5.

For the unstable distribution (sid) these problems have been fixed in version 2.0.54-5.

For Apache 1.3:

For the old stable distribution (woody) this problem has been fixed in version 2.8.9-2.5.

For the stable distribution (sarge) this problem has been fixed in version 2.8.22-1sarge1.

For the unstable distribution (sid) this problem has been fixed in version 2.8.24-1.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Debian Security Advisory DSA-805-1 contains additional details for the apache2 package.

Debian Security Advisory DSA-807-1 contains vulnerability and remediation details for mod_ssl (package name libapache-mod-ssl).

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F5 Networks, Inc.

Notified:  September 07, 2005 Updated:  September 08, 2005

Status

  Vulnerable

Vendor Statement

BigIP v4 and v9 do not support client-side authentication to the Management user interface, so the vulnerability does not apply.

FirePass is not vulnerable.

TrafficShield uses Apache 2.0.53 and therefore is vulnerable. A hotfix will be forthcoming and included in the next security hotfix to be issued on TrafficShield 3.2.1.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fedora Project

Updated:  September 09, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Vulnerability and remediation information can be found in:

Gentoo Linux

Updated:  September 23, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Gentoo Linux Security Advisory GLSA 200509-12 includes vulnerability and remediation information.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mandriva, Inc.

Notified:  September 07, 2005 Updated:  September 09, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Mandriva Security Advisory MDKSA-2005:161 contains remediation instructions.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mandriva, Inc.

Notified:  September 07, 2005 Updated:  October 03, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Conectiva Linux Advisory CLA-2005:1013 contains vulnerability and remediation instructions.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenPKG

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

OpenPKG has posted a security advisory with remediation instructions:

http://www.openpkg.org/security/OpenPKG-SA-2005.017-modssl.html

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Oracle Corporation

Notified:  September 07, 2005 Updated:  October 18, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://www.oracle.com/technology/deploy/security/critical-patch-updates/public_vuln_to_advisory_mapping.html.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat, Inc.

Notified:  September 07, 2005 Updated:  December 28, 2005

Status

  Vulnerable

Vendor Statement

Updated Apache httpd packages (for Red Hat Enterprise Linux 3 and 4) and an updated mod_ssl package (for Red Hat Enterprise Linux 2.1) to correct this issue are available at the URL below and by using the Red Hat Network 'up2date' tool.

http://rhn.redhat.com/errata/CAN-2005-2700.html.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Red Hat Security Advisory RHSA-2005:608 contains vulnerability and remediation information for Apache 2.

Red Hat Security Advisory RHSA-2005:773 contains vulnerability and remediation information for the mod_ssl package itself.

For Stronghold, consult RHSA-2005:882.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SUSE Linux

Notified:  September 07, 2005 Updated:  September 16, 2005

Status

  Vulnerable

Vendor Statement

Our customers can update their systems by using the YaST Online Update (YOU) tool or by installing the RPM file (apache2) directly after downloading it from

http://www.novell.com/de-de/linux/download/updates/index.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SUSE has released SUSE Security Advisory SUSE-SA:2005:052 with vulnerability and remediation instructions for this and some other recent Apache vulnerabilities.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Slackware Linux Inc.

Updated:  September 09, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Slackware Security Advisory SSA:2005-251-02 contains vulnerability and remediation information.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trustix Secure Linux

Updated:  September 09, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Trustix Secure Linux Security Advisory #2005-0047 gives vulnerability and remediation instructions.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ubuntu

Updated:  September 08, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Ubuntu provides remediation instructions in Ubuntu Security Notice USN-177-1.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

mod_ssl

Notified:  September 07, 2005 Updated:  September 09, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Release 2.8.24-1.3.33 addresses this issue. It is available at:

http://www.modssl.org/source/mod_ssl-2.8.24-1.3.33.tar.gz

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Juniper Networks, Inc.

Notified:  September 07, 2005 Updated:  September 09, 2005

Status

  Not Vulnerable

Vendor Statement

Juniper Networks products are not susceptible to this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Notified:  September 07, 2005 Updated:  September 09, 2005

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux

Notified:  September 07, 2005 Updated:  September 08, 2005

Status

  Not Vulnerable

Vendor Statement

Openwall GNU/*/Linux is not vulnerable. We currently do not provide mod_ssl.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apache-SSL

Notified:  September 07, 2005 Updated:  September 09, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer, Inc.

Notified:  September 07, 2005 Updated:  December 06, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Consult APPLE-SA-2005-11-29 Security Update 2005-009 for vulnerability details and remediation instructions.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray, Inc.

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

EMC, Inc. (formerly Data General Corporation)

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Engarde Secure Linux

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD, Inc.

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu Limited

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Notified:  September 07, 2005 Updated:  October 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

HP Security Bulletin HPSBUX01232 (SSRT051043) lists affected software and gives remediation instructions.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hitachi

Notified:  September 07, 2005 Updated:  September 23, 2005

Status

  Unknown

Vendor Statement

Hitachi Web Server is not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM Corporation

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Immunix Communications, Inc.

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ingrian Networks, Inc.

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MontaVista Software, Inc.

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nokia

Notified:  September 12, 2005 Updated:  September 12, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Novell, Inc.

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

QNX, Software Systems, Inc.

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Silicon Graphics, Inc.

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony Corporation

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems, Inc.

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The SCO Group (SCO UnixWare)

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Turbolinux

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wind River Systems, Inc.

Notified:  September 07, 2005 Updated:  September 07, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

References

Credit

Reported by Joe Orton of Red Hat.

This document was written by Hal Burch.

Other Information

CVE IDs: CVE-2005-2700
Severity Metric: 1.45
Date Public: 2005-08-31
Date First Published: 2005-09-09
Date Last Updated: 2006-10-18 11:30 UTC
Document Revision: 69

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.