CVE-2021-44273: v5.4: Missing SSL hostname check · Issue #707 · e2guardian/e2guardian
e2guardian v5.4.x <= v5.4.3r is affected by missing SSL certificate hostname validation in its SSL MITM engine. In standalone mode (i.e., acting as a proxy or a transparent proxy) with SSL MITM enabled, e2guardian, if built against OpenSSL v1.1.x, did not check that the certificate presented by an upstream web server matched the hostname it had connected to, and was thus itself vulnerable to MITM attacks.
I tried e2guardian in a virtual machine today, running it as a standalone transparent proxy with SSL MITM, with the following iptables rules that redirect traffic to it (where 974 is the uid of the user that e2guardian runs as):
# HTTPS from every process except e2guardian itself (uid 974) is redirected to its MITM listener on 8443
iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner 974 -m tcp --dport 443 -j REDIRECT --to-ports 8443
# plain HTTP is redirected to the proxy listener on 8080
iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner 974 -m tcp --dport 80 -j REDIRECT --to-ports 8080
I found that e2guardian enables browser connections to sites that it should not allow. One example is https://wrong.host.badssl.com/
This is very serious, because anyone on the path who can intercept the connection, or who can poison the DNS cache and thus redirect e2guardian's outgoing connection to a host under his control, can now perform a successful MITM attack. All he needs is any valid certificate; e2guardian will accept it for any host.
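The check the advisory says was missing, as an added example that is not e2guardian's code: a reimplementation of the RFC 6125 hostname matching an SSL MITM engine must apply to the upstream server certificate after chain validation, shown beside the chain-only acceptance that CVE-2021-44273 describes. The certificates are constructed stand-ins (a wildcard certificate modelled on `*.badssl.com` plus `badssl.com`, and an unrelated but validly issued attacker certificate), not copies of real ones, and the `Cert` class, `accept_upstream_vulnerable` and `accept_upstream_fixed` are names chosen for this illustration.

```python
"""Hostname binding for an SSL-MITM proxy's upstream connection.

Added example, not e2guardian code. It reimplements the RFC 6125 name
matching rules that OpenSSL applies once a hostname is set on the
verification parameters, and contrasts them with chain-only acceptance.
"""
import re
from dataclasses import dataclass, field

# A single DNS label: letters, digits and interior hyphens only.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


@dataclass
class Cert:
    """Minimal stand-in for a parsed X.509 leaf (hypothetical type)."""
    subject_cn: str
    san_dns: list = field(default_factory=list)   # SAN dNSName entries
    chain_valid: bool = True                       # outcome of the chain-of-trust check


def _match_one(pattern: str, hostname: str) -> bool:
    """RFC 6125 6.4.3: '*' may only be the entire leftmost label, it matches
    exactly one label, and it must be followed by at least two labels.
    Everything else is a case-insensitive exact comparison."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels):
        return False   # "*.badssl.com" must not match "wrong.host.badssl.com"
    return p_labels[1:] == h_labels[1:] and LABEL.match(h_labels[0]) is not None


def hostname_matches(hostname: str, cert: Cert) -> bool:
    """SAN dNSNames are authoritative; the subject CN is consulted only when
    the certificate carries no dNSName at all (legacy fallback)."""
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(_match_one(n, hostname) for n in names)


def accept_upstream_vulnerable(hostname: str, cert: Cert) -> bool:
    """Chain validation only, no hostname check: the behaviour the advisory
    describes. Any validly issued certificate is accepted for any host."""
    return cert.chain_valid


def accept_upstream_fixed(hostname: str, cert: Cert) -> bool:
    """Chain validation plus name binding, which an SSL MITM engine must do
    before it vouches for the server to the client."""
    return cert.chain_valid and hostname_matches(hostname, cert)


# Constructed sample certificates, not real ones.
WILDCARD_BADSSL = Cert("*.badssl.com", ["*.badssl.com", "badssl.com"])
ATTACKER = Cert("attacker.example", ["attacker.example"])  # valid chain, wrong name


def demo():
    """Returns (hostname, accepted_by_vulnerable, accepted_by_fixed) triples."""
    cases = [
        ("badssl.com", WILDCARD_BADSSL),
        ("wrong.host.badssl.com", WILDCARD_BADSSL),   # one label too many for the wildcard
        ("www.example.com", ATTACKER),                # on-path attacker's own valid cert
    ]
    return [(h, accept_upstream_vulnerable(h, c), accept_upstream_fixed(h, c)) for h, c in cases]


if __name__ == "__main__":
    for host, vuln, fixed in demo():
        print(f"{host:24s} chain-only accepts={vuln!s:5} with hostname check accepts={fixed}")
```

With OpenSSL 1.1.x the library-side equivalent of `accept_upstream_fixed` is to call `SSL_set1_host()` (or `X509_VERIFY_PARAM_set1_host()` on the connection's verify parameters) with the intended hostname before the handshake, alongside `SSL_set_verify()` with `SSL_VERIFY_PEER`; without the hostname call, OpenSSL validates the chain but binds it to no name, which is exactly the chain-only behaviour on the left of the demo output.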