CVE-2020-13614: Axel may not verify server certificate CN/SAN/hostname (allowing SSL interception) · Issue #262 · axel-download-accelerator/axel
An issue was discovered in ssl.c in Axel before 2.17.8. The TLS implementation lacks hostname verification.
Comments
It looks like Axel’s SSL connections do not verify server certificate hostnames. To fix this, the SSL context should set a certificate callback or use SSL_set1_host to set the intended hostname.
This is an issue since it uses SSL_CTX_set_default_verify_paths and loads all root authorities from the OS. See https://wiki.openssl.org/index.php/Hostname_validation for a description of this nuance with the OpenSSL APIs.
Here is the potentially insecure code:
https://github.com/axel-download-accelerator/axel/blob/master/src/ssl.c#L83
```c
/* […] */
ssl_ctx = SSL_CTX_new(SSLv23_client_method());
if (!conf->insecure) {
	SSL_CTX_set_default_verify_paths(ssl_ctx);
	SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
}
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);

ssl = SSL_new(ssl_ctx);
SSL_set_fd(ssl, fd);
SSL_set_tlsext_host_name(ssl, hostname);

int err = SSL_connect(ssl);
if (err <= 0) {
	/* […] */
```
davidpolverari pushed a commit to davidpolverari/axel that referenced this issue
Aug 26, 2021