Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CWE-295 in go SDK,client message was malformed, however, in the server tls authentication, it was found that Go's crypto\x509\x509.go passed authenticated. #41175

Closed
wangting1995 opened this issue Sep 2, 2020 · 3 comments

Comments

@wangting1995
Copy link

@wangting1995 wangting1995 commented Sep 2, 2020

What version of Go are you using (go version)?

$ go version 1.14.6
$ grpc version  1.26.0

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env

What did you do?

A certification validation error occurred when using Defensics Fuzz that is a tool for checking security vulnerabilities to test the gRPC service port with SSL authentation.
We have used the Defensics Fuzz Testing Tool to test the grpc service port. The tool distorted the client certificate signature content and tried to establish communication. The packet capture showed that the client message was malformed, however, in the server tls authentication, it was found that Go's crypto\x509\x509.go passed authentication.
We highly suspected it that a flaw in Go language tls authentication
Please confirm whether the go language has this error?

What did you expect to see?

authentication failed

What did you see instead?

authentication passed

@wangting1995 wangting1995 changed the title We have used the Synopsys Defensics tool to test the grpc service port. The tool distorted the client certificate signature content and tried to establish communication. The packet capture showed that the client message was malformed, however, in the server tls authentication, it was found that Go's crypto\x509\x509.go passed authenticated. Please confirm whether the go language has this error? CWE-295 in go SDK,client message was malformed, however, in the server tls authentication, it was found that Go's crypto\x509\x509.go passed authenticated. Sep 2, 2020
@davecheney
Copy link
Contributor

@davecheney davecheney commented Sep 2, 2020

@wangting1995 without a way to reproduce your issue we cannot investigate. Please update the issue to include a self contained program that demonstrates the issue. Thank you.

@networkimprov
Copy link

@networkimprov networkimprov commented Sep 3, 2020

@wangting1995 please email more info to security@golang.org. Please do not post it here.
More: https://golang.org/security

cc @FiloSottile

@gopherbot remove WaitingForInfo

@FiloSottile
Copy link
Member

@FiloSottile FiloSottile commented Sep 3, 2020

Closing this as there is not enough information for an investigation. Please follow golang.org/security if you have a report.

@FiloSottile FiloSottile closed this Sep 3, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants
You can’t perform that action at this time.