The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
Weakness
The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Subversion | Apache | 1.4.0 (including) | 1.4.0 (including) |
| Subversion | Apache | 1.4.1 (including) | 1.4.1 (including) |
| Subversion | Apache | 1.4.2 (including) | 1.4.2 (including) |
| Subversion | Apache | 1.4.3 (including) | 1.4.3 (including) |
| Subversion | Apache | 1.4.4 (including) | 1.4.4 (including) |
| Subversion | Apache | 1.4.5 (including) | 1.4.5 (including) |
| Subversion | Apache | 1.4.6 (including) | 1.4.6 (including) |
| Subversion | Apache | 1.5.0 (including) | 1.5.0 (including) |
| Subversion | Apache | 1.5.1 (including) | 1.5.1 (including) |
| Subversion | Apache | 1.5.2 (including) | 1.5.2 (including) |
| Subversion | Apache | 1.5.3 (including) | 1.5.3 (including) |
| Subversion | Apache | 1.5.4 (including) | 1.5.4 (including) |
| Subversion | Apache | 1.5.5 (including) | 1.5.5 (including) |
| Subversion | Apache | 1.5.6 (including) | 1.5.6 (including) |
| Subversion | Apache | 1.5.7 (including) | 1.5.7 (including) |
| Subversion | Apache | 1.5.8 (including) | 1.5.8 (including) |
| Subversion | Apache | 1.6.0 (including) | 1.6.0 (including) |
| Subversion | Apache | 1.6.1 (including) | 1.6.1 (including) |
| Subversion | Apache | 1.6.2 (including) | 1.6.2 (including) |
| Subversion | Apache | 1.6.3 (including) | 1.6.3 (including) |
| Subversion | Apache | 1.6.4 (including) | 1.6.4 (including) |
| Subversion | Apache | 1.6.5 (including) | 1.6.5 (including) |
| Subversion | Apache | 1.6.6 (including) | 1.6.6 (including) |
| Subversion | Apache | 1.6.7 (including) | 1.6.7 (including) |
| Subversion | Apache | 1.6.8 (including) | 1.6.8 (including) |
| Subversion | Apache | 1.6.9 (including) | 1.6.9 (including) |
| Subversion | Apache | 1.6.10 (including) | 1.6.10 (including) |
| Subversion | Apache | 1.6.11 (including) | 1.6.11 (including) |
| Subversion | Apache | 1.6.12 (including) | 1.6.12 (including) |
| Subversion | Apache | 1.6.13 (including) | 1.6.13 (including) |
| Subversion | Apache | 1.6.14 (including) | 1.6.14 (including) |
| Subversion | Apache | 1.6.15 (including) | 1.6.15 (including) |
| Subversion | Apache | 1.6.16 (including) | 1.6.16 (including) |
| Subversion | Apache | 1.6.17 (including) | 1.6.17 (including) |
| Subversion | Apache | 1.6.18 (including) | 1.6.18 (including) |
| Subversion | Apache | 1.6.19 (including) | 1.6.19 (including) |
| Subversion | Apache | 1.6.20 (including) | 1.6.20 (including) |
| Subversion | Apache | 1.6.21 (including) | 1.6.21 (including) |
| Subversion | Apache | 1.6.23 (including) | 1.6.23 (including) |
| Subversion | Apache | 1.7.0 (including) | 1.7.0 (including) |
| Subversion | Apache | 1.7.1 (including) | 1.7.1 (including) |
| Subversion | Apache | 1.7.2 (including) | 1.7.2 (including) |
| Subversion | Apache | 1.7.3 (including) | 1.7.3 (including) |
| Subversion | Apache | 1.7.4 (including) | 1.7.4 (including) |
| Subversion | Apache | 1.7.5 (including) | 1.7.5 (including) |
| Subversion | Apache | 1.7.6 (including) | 1.7.6 (including) |
| Subversion | Apache | 1.7.7 (including) | 1.7.7 (including) |
| Subversion | Apache | 1.7.8 (including) | 1.7.8 (including) |
| Subversion | Apache | 1.7.9 (including) | 1.7.9 (including) |
| Subversion | Apache | 1.7.10 (including) | 1.7.10 (including) |
| Subversion | Apache | 1.7.11 (including) | 1.7.11 (including) |
| Subversion | Apache | 1.7.12 (including) | 1.7.12 (including) |
| Subversion | Apache | 1.7.13 (including) | 1.7.13 (including) |
| Subversion | Apache | 1.7.14 (including) | 1.7.14 (including) |
| Subversion | Apache | 1.7.15 (including) | 1.7.15 (including) |
| Subversion | Apache | 1.7.16 (including) | 1.7.16 (including) |
| Subversion | Apache | 1.7.17 (including) | 1.7.17 (including) |
| Subversion | Apache | 1.8.0 (including) | 1.8.0 (including) |
| Subversion | Apache | 1.8.1 (including) | 1.8.1 (including) |
| Subversion | Apache | 1.8.2 (including) | 1.8.2 (including) |
| Subversion | Apache | 1.8.3 (including) | 1.8.3 (including) |
| Subversion | Apache | 1.8.4 (including) | 1.8.4 (including) |
| Subversion | Apache | 1.8.5 (including) | 1.8.5 (including) |
| Subversion | Apache | 1.8.6 (including) | 1.8.6 (including) |
| Subversion | Apache | 1.8.7 (including) | 1.8.7 (including) |
| Subversion | Apache | 1.8.8 (including) | 1.8.8 (including) |
| Subversion | Apache | 1.8.9 (including) | 1.8.9 (including) |
| Subversion | Ubuntu | devel | * |
| Subversion | Ubuntu | lucid | * |
| Subversion | Ubuntu | precise | * |
| Subversion | Ubuntu | trusty | * |
| Subversion | Ubuntu | upstream | * |
Extended Description
Even if a certificate is well-formed, signed, and follows the chain of trust, it may simply be a valid certificate for a different site than the site that the product is interacting with. In order to ensure data integrity, the certificate must be valid, and it must pertain to the site that is being accessed. Even if the product attempts to check the hostname, it is still possible to incorrectly check the hostname. For example, attackers could create a certificate with a name that begins with a trusted name followed by a NUL byte, which could cause some string-based comparisons to only examine the portion that contains the trusted name.
Potential Mitigations
References
- http://lists.apple.com/archives/security-announce/2015/Mar/msg00003.html
- http://lists.opensuse.org/opensuse-updates/2014-08/msg00038.html
- http://secunia.com/advisories/59432
- http://secunia.com/advisories/59584
- http://secunia.com/advisories/60100
- http://secunia.com/advisories/60722
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.osvdb.org/109996
- http://www.securityfocus.com/bid/69237
- http://www.ubuntu.com/usn/USN-2316-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95090
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95311
- https://security.gentoo.org/glsa/201610-05
- https://subversion.apache.org/security/CVE-2014-3522-advisory.txt
- https://support.apple.com/HT204427
- http://lists.apple.com/archives/security-announce/2015/Mar/msg00003.html
- http://lists.opensuse.org/opensuse-updates/2014-08/msg00038.html
- http://secunia.com/advisories/59432
- http://secunia.com/advisories/59584
- http://secunia.com/advisories/60100
- http://secunia.com/advisories/60722
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.osvdb.org/109996
- http://www.securityfocus.com/bid/69237
- http://www.ubuntu.com/usn/USN-2316-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95090
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95311
- https://security.gentoo.org/glsa/201610-05
- https://subversion.apache.org/security/CVE-2014-3522-advisory.txt
- https://support.apple.com/HT204427