Title: [Java] CWE-295 - Incorrect Hostname Verification - MitM · Issue #108 · github/securitylab · GitHub
Open Graph Title: [Java] CWE-295 - Incorrect Hostname Verification - MitM · Issue #108 · github/securitylab
X Title: [Java] CWE-295 - Incorrect Hostname Verification - MitM · Issue #108 · github/securitylab
Description: CVE ID(s) List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database. CVEs pending No CVE for this one: https://github.com/laurent-clouet/sheepit-client/pull/240/files Th...
Open Graph Description: CVE ID(s) List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database. CVEs pending No CVE for this one: https://github.com/laurent...
X Description: CVE ID(s) List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database. CVEs pending No CVE for this one: https://github.com/laurent...
Opengraph URL: https://github.com/github/securitylab/issues/108
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"[Java] CWE-295 - Incorrect Hostname Verification - MitM","articleBody":"## CVE ID(s)\r\n\r\n*List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the [GitHub Advisory Database](https://github.com/advisories).*\r\n\r\n- CVEs pending\r\n- No CVE for this one:\r\nhttps://github.com/laurent-clouet/sheepit-client/pull/240/files\r\nThis instance would not have been found by this query.\r\nThat is not a fault of the query, but `sheepit-client` uses [Lombok](https://projectlombok.org/) which seems to not work well with LGTM.\r\n[This \"hack\"](http://anthonywhitford.com/lombok.maven/lombok-maven-plugin/faq.html#alt-src-setup) should fix it.\r\n`sheepit-client` is the client for a distributed Blender render farm, based on people giving their computer power for free.\r\nThe MitM vulnerability would have allowed an attacker to **execute code** by changing the Blender file to contain dangerous python code.\r\nNormally python code is disabled from running, but this value is sent by the server and so the attacker could override this as well.\r\nThis means that **an attacker could execute arbitrary code**.\r\n- [CVE-2020-13955](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13955)\r\n \u003e HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses internally this method to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, the hostname verification will be performed using the default JVM truststore. \r\n- CVE-2020-26234\r\n \u003e Opencast before version 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast's HTTP requests.\r\n- CVE-2020-17514\r\n \u003e Fineract provides a reliable, robust, and affordable solution for entrepreneurs, financial institutions, and service providers to offer financial services to the world’s 2 billion underbanked and unbanked. Fineract is aimed at innovative mobile and cloud-based solutions, and enables digital transaction accounts for all. \r\n\r\n The vulnerable class is used for example [here](https://lgtm.com/projects/g/apache/fineract/snapshot/a28948c8c98837a5fc580fbbc489322aafdc3d2b/files/fineract-provider/src/main/java/org/apache/fineract/infrastructure/hooks/processor/TwilioHookProcessor.java?sort=name\u0026dir=ASC\u0026mode=heatmap#L79) which seems to be used for sending SMS.\r\nI'm not 100 % sure (found this issue more than half a year ago...), but I think the SMS was used to send [OTP tokens](https://github.com/apache/fineract/blob/cf7d38adbcf0bc197fec2a43cd32a69ade81e44f/fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/service/TwoFactorServiceImpl.java#L104), although I did not really verify the OTP token part.\r\n- CVE-2021-21385 (https://github.com/openMF/mifos-mobile/security/advisories/GHSA-9657-33wf-rmvx)\r\n \u003e [mifos-mobile is an] (...) Android Application built on top of the MifosX Self-Service platform for end-user customers to **view/transact** on the accounts and **loans** they hold.\r\n\r\n Note that the fixed code is written in *Kotlin*; the app has recently been converted to a Kotlin app and the issue has been found in the semantically equivalent Java version.\r\n\r\n\r\n## Report\r\n\r\nHostname verification is an essential part of Transport Layer Security (TLS) and HTTPS.\r\n\r\nWhen a TLS connection is established there are two important steps:\r\nFirst, the chain of trust is verified that means it is checked whether the certificate has been issued by a trusted certificate authority.\r\nSecond, the hostname (that is being connected to) needs to be verified against the certificate.\r\nThat means it is checked whether the certificate is actually for the hostname.\r\n\r\nIf the hostname is not verified an attacker could present any certificate with a valid chain of trust, but that is not issued for the hostname at all.\r\n**This allows a man-in-the-middle attack!**\r\n\r\nMany posts tell developers that have problems with hostname verification to accept any certificate as valid in the case of a mismatch.\r\nThese problems usually are configuration problems that should be fixed instead.\r\n\r\nJava verifies HTTPS hostnames by default.\r\nBut when a protocol uses TLS (SSLEngine) the hostname is not verified by default.\r\nThat's where the second part of my query (IncorrectHostnameVerifier.ql) comes into play.\r\n\r\n[This PR and PR description is WIP]\r\n\r\n87 of 642 projects tested have *overridden* the `Hostname.verify` method. \r\nQuery: https://github.com/github/codeql/pull/3581\r\n27 of 642 projects are detected by my currently running query.\r\n\r\n- [x] Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). *We would love to have you spread the word about the good work you are doing*\r\n","author":{"url":"https://github.com/intrigus-lgtm","@type":"Person","name":"intrigus-lgtm"},"datePublished":"2020-05-27T21:15:51.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":23},"url":"https://github.com/108/securitylab/issues/108"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:20ba92f0-3572-17b0-232e-7886a1b1d67f |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | A566:1DAD98:104853A:170FB6F:6A4D2EC6 |
| html-safe-nonce | 8233ba8ee211abf29d7f0c7ff96841327e4340014fd8be214d2906cd8a200d89 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJBNTY2OjFEQUQ5ODoxMDQ4NTNBOjE3MEZCNkY6NkE0RDJFQzYiLCJ2aXNpdG9yX2lkIjoiNjU1MTYxNzc1MzA0MzUxMzAzMCIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | 2e806c8e376d7cfd43534c15f62c01a50ecd787c272c68602ae78cf11fd6138e |
| hovercard-subject-tag | issue:626036592 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/github/securitylab/108/issue_layout |
| twitter:image | https://opengraph.githubassets.com/234ef830b06ee43532c1289d257eb0870b568af07f1d4faab148909acb91c383/github/securitylab/issues/108 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/234ef830b06ee43532c1289d257eb0870b568af07f1d4faab148909acb91c383/github/securitylab/issues/108 |
| og:image:alt | CVE ID(s) List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database. CVEs pending No CVE for this one: https://github.com/laurent... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | intrigus-lgtm |
| hostname | github.com |
| expected-hostname | github.com |
| None | 92571a8944142227b7e19cd10918b1ddd06e5066c1ad5bc7e4769cf6140a87e6 |
| turbo-cache-control | no-preview |
| go-import | github.com/github/securitylab git https://github.com/github/securitylab.git |
| octolytics-dimension-user_id | 9919 |
| octolytics-dimension-user_login | github |
| octolytics-dimension-repository_id | 221101274 |
| octolytics-dimension-repository_nwo | github/securitylab |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 221101274 |
| octolytics-dimension-repository_network_root_nwo | github/securitylab |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 93f17a978ee60bc4668e1d7b90e6bd2d622261fd |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width