Apache HttpComponents Host Name Verification Man-in-the-Middle Vulnerability
Release date:
Updated on:
Affected Systems:
Apache Group HttpComponents <4.3.5
Apache Group HttpComponents
Apache Group HttpAsyncClient <4.0.2
Description:
--------------------------------------------------------------------------------
CVE (CAN) ID: CVE-2014-3577
Apache HttpComponents is responsible for creating and maintaining a toolset of low-level Java components focused on HTTP and associated protocols.
When a specially crafted server certificate is presented, the default host name verification performed during SSL/TLS connection setup can be bypassed. Apache HttpComponents versions earlier than 4.0.2 are vulnerable to man-in-the-middle attacks, resulting in loss of end-to-end confidentiality and connection integrity.
Details:
During an SSL connection (https), the client verifies the host name in the URL against the host name encoded in the server certificate, to ensure that it is connected to the real server rather than an intermediary.
The vulnerability is located in the default Apache HttpComponents host name verifier,
org.apache.http.conn.ssl.AbstractVerifier
which in client mode verifies the host name against the server certificate by checking whether the substring "CN=" occurs in the subject DN.
Therefore, if the O field is O="foo,CN=www.apache.org", the CN is "www.evil.org", and O precedes CN in the DN, the "www.apache.org" embedded in the O field is incorrectly matched, rather than the real CN or the subject alternative name.
The forged field can be any field other than CN, including E or email, as long as it appears before CN.
If a third party holding such a forged certificate can intercept or re-route traffic to the https server, it can mount a man-in-the-middle attack and defeat end-to-end confidentiality and integrity.
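To illustrate the parsing flaw described above, here is an added example in Java (it is not the HttpComponents source and not code from the advisory): a naive "CN=" substring search over the subject DN string, beside an RFC 2253 RDN parse that accepts only genuine CN attributes and gives dNSName subject alternative names precedence when the certificate carries them. The subject DN string, the host name and the empty SAN list are constructed for the demonstration; the naive path picks up the value hidden inside O, while the parsed path sees only the real CN and rejects the host.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.ArrayList;
import java.util.List;

public class HostNameCheckDemo {

    // Naive approach (hypothetical re-implementation of the flaw the advisory describes):
    // find the first "CN=" anywhere in the DN string and read up to the next comma.
    // An O value that itself contains "CN=www.apache.org" is mistaken for the CN.
    static String naiveCn(String subjectDn) {
        int idx = subjectDn.indexOf("CN=");
        if (idx < 0) {
            return null;
        }
        int end = subjectDn.indexOf(',', idx);
        String cn = end < 0 ? subjectDn.substring(idx + 3) : subjectDn.substring(idx + 3, end);
        return cn.trim();
    }

    // Correct approach: let an RFC 2253 parser split the DN into RDNs, so an escaped
    // comma inside the O value never becomes an attribute boundary.
    static List<String> parsedCns(String subjectDn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                cns.add(rdn.getValue().toString());
            }
        }
        return cns;
    }

    // Host name verification: dNSName SAN entries take precedence; the CN is consulted
    // only when the certificate has no SAN. Exact, case-insensitive comparison only.
    static boolean hostMatches(String host, String subjectDn, List<String> sanDnsNames)
            throws InvalidNameException {
        List<String> candidates = sanDnsNames.isEmpty() ? parsedCns(subjectDn) : sanDnsNames;
        for (String name : candidates) {
            if (name.equalsIgnoreCase(host)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed subject DN in RFC 2253 form (the comma inside the O value is
        // escaped); the only genuine CN attribute is www.evil.org.
        String craftedDn = "O=foo\\,CN=www.apache.org,CN=www.evil.org";
        String host = "www.apache.org";
        List<String> noSan = new ArrayList<>();  // constructed: certificate without SAN

        System.out.println("naive CN       : " + naiveCn(craftedDn));
        System.out.println("parsed CNs     : " + parsedCns(craftedDn));
        System.out.println("naive accepts  : " + host.equalsIgnoreCase(naiveCn(craftedDn)));
        System.out.println("strict accepts : " + hostMatches(host, craftedDn, noSan));
    }
}
```

The design point is that a DN is a sequence of typed attributes, not free text: any verifier that treats it as a string and scans for "CN=" can be steered by data in an earlier attribute, whereas an RDN-level parse cannot. Preferring the SAN over the CN also matches how browsers and RFC 6125 clients resolve the identity.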
Source: Subodh Iyengar, Will Shackleton
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
Subodh Iyengar () and Will Shackleton () provide the following test method:
The following command builds a certificate whose O value embeds "CN=www.apache.org" and serves it, so the vulnerability can be observed against an Apache HttpComponents client:
# generate a self-signed certificate with the crafted subject and serve it on port 8443
openssl req -new -x509 -keyout /dev/stdout \
    -subj "/O=foo,CN=www.apache.org/CN=machine-domain-name/" \
    -set_serial 86653 -nodes | \
openssl s_server -cert /dev/stdin -accept 8443 -www
Then connect with an Apache HttpComponents client to "https://www.apache.org:8443/", with the DNS entry for www.apache.org pointing to machine-domain-name.
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Apache Group
------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577
http://search.maven.org/#artifactdetails|org.apache.httpcomponents|httpclient|4.3.5|jar
http://search.maven.org/#artifactdetails|org.apache.httpcomponents|httpasyncclient|4.0.2|jar