CVE-2014-3522 - Improper Validation of Certificate With Host Mismatch vulnerability in multiple products

CVSS 4.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: NONE
Tags: network, high complexity, apache, opensuse, canonical, apple, CWE-297, nessus

Summary

The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. CWE-297: Improper Validation of Certificate with Host Mismatch (http://cwe.mitre.org/data/definitions/297.html)
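
Added example, not Subversion's or Serf's code: the wildcard handling described above comes down to glob-style matching (the FreeBSD entry further down names apr_fnmatch), so this C program contrasts glob matching with a hostname-aware check. POSIX fnmatch() is used as a stand-in for apr_fnmatch, and the function names glob_match and strict_match and all certificate names and hostnames are constructed for illustration.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Shell-glob matching. POSIX fnmatch() is a stand-in for apr_fnmatch
 * (assumption: comparable glob semantics); '*' also spans '.' here. */
static int glob_match(const char *pattern, const char *host)
{
    return fnmatch(pattern, host, 0) == 0;
}

/* Hostname-aware matching: '*' is honoured only as the entire left-most
 * label and stands for exactly one non-empty label; the rest of the name
 * is compared literally and case-insensitively. */
static int strict_match(const char *pattern, const char *host)
{
    const char *dot;

    if (strncmp(pattern, "*.", 2) != 0)   /* no wildcard label */
        return strchr(pattern, '*') == NULL && strcasecmp(pattern, host) == 0;
    if (strchr(pattern + 1, '*') != NULL) /* a second '*' is never valid */
        return 0;
    dot = strchr(host, '.');
    if (dot == NULL || dot == host)       /* need a non-empty first label */
        return 0;
    return strcasecmp(dot, pattern + 1) == 0;
}

int main(void)
{
    /* Constructed certificate names and hostnames, not taken from the page. */
    static const char *cases[][2] = {
        { "*.example.com",   "svn.example.com" },
        { "*.example.com",   "a.b.example.com" },
        { "*.example.com",   "example.com"     },
        { "svn.example.co?", "svn.example.com" },
        { "s*n.example.com", "svn.example.com" },
    };
    size_t i;

    printf("%-18s %-18s glob strict\n", "cert name", "hostname");
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s %-18s %-4d %d\n", cases[i][0], cases[i][1],
               glob_match(cases[i][0], cases[i][1]),
               strict_match(cases[i][0], cases[i][1]));
    return 0;
}
```

strict_match does not enforce a minimum number of labels after the wildcard, so a client that needs to reject names such as `*.com` has to add that check separately.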

Vulnerable Configurations

Part         Description  Count
Application  Apache       67
Application  Apple        1
OS           Opensuse     2
OS           Canonical    2

Nessus

  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2014-413.NASL
    description: The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 78356
    published: 2014-10-12
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/78356
    title: Amazon Linux AMI : subversion (ALAS-2014-413)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2014-9636.NASL
    description: This update includes the latest stable release of Apache Subversion, version 1.8.10.
      Client-side bugfixes:
      - guard against md5 hash collisions when finding cached credentials
      - ra_serf: properly match wildcards in SSL certs.
      - ra_serf: ignore the CommonName in SSL certs where there are Subject Alt Names
      - ra_serf: fix a URI escaping bug that prevented deleting locked paths
      - rm: Display the proper URL when deleting a URL in the commit log editor
      - log: Fix another instance of broken pipe error
      - copy: Properly handle props not present or excluded on cross wc copy
      - copy: Fix copying parents of locally deleted nodes between wcs
      - externals: Properly delete ancestor directories of externals when removing the external by changing svn:externals.
      - ra_serf: fix memory lifetime of some hash values
      Server-side bugfixes:
      - fsfs: omit config file when creating pre-1.5 format repos
      Bindings:
      - ruby: removing warning about Ruby 1.9 support being new.
      - python: fix notify_func callbacks
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2014-08-29
    plugin id: 77428
    published: 2014-08-29
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77428
    title: Fedora 20 : subversion-1.8.10-1.fc20 (2014-9636)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201610-05.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201610-05 (Subversion, Serf: Multiple Vulnerabilities). Multiple vulnerabilities have been discovered in Subversion and Serf. Please review the CVE identifiers referenced below for details.
      Impact: A remote attacker could possibly execute arbitrary code with the privileges of the process, conduct a man-in-the-middle attack, obtain sensitive information, or cause a Denial of Service Condition.
      Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 93992
    published: 2016-10-12
    reporter: This script is Copyright (C) 2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/93992
    title: GLSA-201610-05 : Subversion, Serf: Multiple Vulnerabilities
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2014-511.NASL
    description: This subversion and libserf update fixes several security and non security issues:
      - subversion: guard against md5 hash collisions when finding cached credentials [bnc#889849] [CVE-2014-3528]
      - subversion: ra_serf: properly match wildcards in SSL certs. [bnc#890511] [CVE-2014-3522]
      - libserf: Handle NUL bytes in fields of an X.509 certificate. [bnc#890510] [CVE-2014-3504]
    last seen: 2020-06-05
    modified: 2014-08-25
    plugin id: 77364
    published: 2014-08-25
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77364
    title: openSUSE Security Update : libserf / subversion (openSUSE-SU-2014:1059-1)
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_XCODE_6_2.NASL
    description: The Apple Xcode installed on the remote Mac OS X host is prior to version 6.2. It is, therefore, affected by the following vulnerabilities:
      - Numerous errors exist related to the bundled version of Apache Subversion. (CVE-2014-3522, CVE-2014-3528, CVE-2014-3580, CVE-2014-8108)
      - An error exists related to the bundled version of Git that allows arbitrary files to be added to the .git folder. (CVE-2014-9390)
    last seen: 2020-05-06
    modified: 2015-03-11
    plugin id: 81758
    published: 2015-03-11
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/81758
    title: Apple Xcode < 6.2 (Mac OS X)
  • NASL family: Windows
    NASL id: SUBVERSION_1_8_10.NASL
    description: The version of Subversion Server installed on the remote host is version 1.x.x prior to 1.7.18 or 1.8.x prior to 1.8.10. It is, therefore, affected by the following vulnerabilities:
      - A flaw exists in the Serf RA layer. This flaw causes wildcards for HTTPS connections to be improperly evaluated, which may result in the application accepting certificates that are not matched against the proper hostname. This may allow a remote man-in-the-middle attacker to intercept traffic and spoof valid sessions. (CVE-2014-3522)
      - An MD5 hash of the URL and authentication realm are used to store cached credentials, which may allow remote attackers to obtain these credentials via a specially crafted authentication realm. (CVE-2014-3528)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 78068
    published: 2014-10-06
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/78068
    title: Apache Subversion 1.0.x - 1.7.17 / 1.8.x < 1.8.10 Multiple Vulnerabilities
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-2316-1.NASL
    description: Lieven Govaerts discovered that the Subversion mod_dav_svn module incorrectly handled certain request methods when SVNListParentPath was enabled. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS. (CVE-2014-0032) Ben Reser discovered that Subversion did not correctly validate SSL certificates containing wildcards. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. (CVE-2014-3522) Bert Huijben discovered that Subversion did not properly handle cached credentials. A malicious server could possibly use this issue to obtain credentials cached for a different server. (CVE-2014-3528). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 77219
    published: 2014-08-15
    reporter: Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77219
    title: Ubuntu 12.04 LTS / 14.04 LTS : subversion vulnerabilities (USN-2316-1)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_83A418CC218211E4802C20CF30E32F6D.NASL
    description: Subversion Project reports : Using the Serf RA layer of Subversion for HTTPS uses the apr_fnmatch API to handle matching wildcards in certificate Common Names and Subject Alternate Names. However, apr_fnmatch is not designed for this purpose. Instead it is designed to behave like common shell globbing. In particular this means that
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 77125
    published: 2014-08-12
    reporter: This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77125
    title: FreeBSD : subversion -- several vulnerabilities (83a418cc-2182-11e4-802c-20cf30e32f6d)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2015-085.NASL
    description: Updated subversion packages fix security vulnerabilities : The mod_dav_svn module in Apache Subversion before 1.8.8, when SVNListParentPath is enabled, allows remote attackers to cause a denial of service (crash) via an OPTIONS request (CVE-2014-0032). Ben Reser discovered that Subversion did not correctly validate SSL certificates containing wildcards. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications (CVE-2014-3522). Bert Huijben discovered that Subversion did not properly handle cached credentials. A malicious server could possibly use this issue to obtain credentials cached for a different server (CVE-2014-3528). A NULL pointer dereference flaw was found in the way mod_dav_svn handled REPORT requests. A remote, unauthenticated attacker could use a crafted REPORT request to crash mod_dav_svn (CVE-2014-3580). A NULL pointer dereference flaw was found in the way mod_dav_svn handled URIs for virtual transaction names. A remote, unauthenticated attacker could send a request for a virtual transaction name that does not exist, causing mod_dav_svn to crash (CVE-2014-8108).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 82338
    published: 2015-03-30
    reporter: This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/82338
    title: Mandriva Linux Security Advisory : subversion (MDVSA-2015:085)