v5.4: Missing SSL hostname check #707

Closed

patrakov opened this issue Nov 20, 2021 · 4 comments
@patrakov

I tried e2guardian in a virtual machine today, running it as a standalone transparent proxy with SSL MITM, with the following iptables rules that redirect traffic to it (where 974 is the uid of the user that e2guardian runs as):

iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner 974 -m tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner 974 -m tcp --dport 80 -j REDIRECT --to-ports 8080

I found that e2guardian enables browser connections to sites that it should not allow. One example is https://wrong.host.badssl.com/

This is very serious, because anyone on the path, who can intercept the connection or poison the DNS cache and thus redirect e2guardian's outgoing connection to a host under his control, now can perform a successful MITM attack. All he needs is any valid certificate - e2guardian will accept it for any host.

Screenshot
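What the report describes is a client that validates the upstream certificate chain but never checks that the certificate is for the host it asked for, so any chain that validates to a trusted root is accepted for any name. The following is an added example (not e2guardian's code) showing, in Python's standard ssl module, the upstream-side context settings a MITM proxy needs beside the weak configuration that reproduces the reported bug shape, plus a stand-alone hostname matcher of the kind that has to run against the certificate's dNSName SANs. The SAN lists are constructed inline so it runs offline; they are modelled on the wrong.host.badssl.com case (a *.badssl.com wildcard that does not cover a second-level subdomain) but are not parsed from a real certificate. The function names are this example's own.

```python
"""Upstream TLS hostname verification for a MITM proxy (added example, not e2guardian code)."""
import ssl


def build_upstream_context(check_hostname: bool = True) -> ssl.SSLContext:
    """Client context for the proxy's outgoing (upstream) connection.

    check_hostname=True is the hardened form: the chain must validate AND
    the leaf certificate must be issued for the requested name.
    check_hostname=False reproduces the reported bug shape: the chain is
    still verified, but any valid certificate is accepted for any host.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs()              # system trust store
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain validation, always on
    ctx.check_hostname = check_hostname   # the check the report found missing
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True only if both chain verification and the hostname check are enabled."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def hostname_matches(hostname: str, san_dns_names) -> bool:
    """RFC 6125-style match of a requested hostname against dNSName SAN entries.

    Rules implemented: case-insensitive comparison, trailing dot ignored,
    a wildcard only as the entire left-most label, and a wildcard must
    have at least two labels to its right (so '*.com' never matches).
    Partial-label wildcards such as 'f*.example.com' are rejected.
    """
    host = hostname.rstrip(".").lower()
    host_labels = host.split(".")
    for name in san_dns_names:
        pattern = name.rstrip(".").lower()
        if "*" not in pattern:
            if pattern == host:
                return True
            continue
        if not pattern.startswith("*."):
            continue                      # wildcard not a whole left-most label
        suffix = pattern[2:]
        if "*" in suffix or "." not in suffix:
            continue                      # multiple wildcards, or '*.tld'
        # The wildcard covers exactly one label: host must have one more
        # label than the suffix, and everything after that label must match.
        if len(host_labels) == suffix.count(".") + 2 and ".".join(host_labels[1:]) == suffix:
            return True
    return False


# Constructed SAN list modelled on the badssl wildcard certificate (not parsed
# from the real certificate): it covers badssl.com and one level below it.
BADSSL_WILDCARD_SANS = ["*.badssl.com", "badssl.com"]


def accepted_by_proxy(hostname: str, san_dns_names, chain_valid: bool, ctx: ssl.SSLContext) -> bool:
    """Decision a proxy makes for an upstream certificate under a given context.

    Models the two checks separately: chain validity is passed in (as the
    TLS library would report it), the hostname check is applied only when
    the context asks for it. With the weak context, chain_valid alone decides.
    """
    if ctx.verify_mode == ssl.CERT_REQUIRED and not chain_valid:
        return False
    if ctx.check_hostname and not hostname_matches(hostname, san_dns_names):
        return False
    return True


if __name__ == "__main__":
    hardened = build_upstream_context()
    weak = build_upstream_context(check_hostname=False)
    for h in ("badssl.com", "host.badssl.com", "wrong.host.badssl.com"):
        print(h,
              "hardened:", accepted_by_proxy(h, BADSSL_WILDCARD_SANS, True, hardened),
              "weak:", accepted_by_proxy(h, BADSSL_WILDCARD_SANS, True, weak))
```

With the weak context, wrong.host.badssl.com is accepted because the chain is valid, which is exactly the behaviour reported above; with the hardened context it is rejected because the wildcard does not reach a second-level subdomain. In OpenSSL-based C or C++ code the equivalent of `check_hostname = True` is setting the expected name on the verify parameters before the handshake (X509_VERIFY_PARAM_set1_host or SSL_set1_host on OpenSSL 1.1) in addition to SSL_VERIFY_PEER.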

@patrakov
Author

Forgot to say: I was testing git commit 209e001

@philipianpearce
Contributor

@patrakov Hi Alex, thanks for reporting - the bug appears to have crept in in the openssl v1.1 e2g implementation.
Fixed in latest v5.4 branch.

@patrakov
Author

Thanks for the quick fix!

Would you mind if I request a CVE ID for this?

@patrakov
Author

This is now CVE-2021-44273.
