Bug 28195 - stunnel new security issue fixed upstream in 5.57 (CVE-2021-20230)
Summary: stunnel new security issue fixed upstream in 5.57 (CVE-2021-20230)
Status: REOPENED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-01-22 18:59 CET by David Walser
Modified: 2021-03-15 12:30 CET

See Also:
Source RPM: stunnel-5.56-2.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2021-01-22 18:59:16 CET
SUSE has issued an advisory today (January 22):
https://lists.suse.com/pipermail/sle-security-updates/2021-January/008236.html

The issue is fixed upstream in 5.57.

Mageia 7 is likely also affected.
Comment 1 Lewis Smith 2021-01-22 20:55:04 CET
This SRPM has had various committers, so having to assign this bug to everybody & anybody.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Lécureuil 2021-01-22 23:04:05 CET
fixed in cauldron

Status: NEW => RESOLVED
Resolution: (none) => FIXED
CC: (none) => mageia

David Walser 2021-01-22 23:04:50 CET

Version: Cauldron => 7
Resolution: FIXED => (none)
Status: RESOLVED => REOPENED

Comment 3 David Walser 2021-01-26 05:48:52 CET
openSUSE has issued an advisory for this today (January 25):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q7XK4JAT2VTRMB2I2BVA3DY34276OGEH/
David Walser 2021-02-23 19:40:39 CET

Summary: stunnel new security issue fixed upstream in 5.57 => stunnel new security issue fixed upstream in 5.57 (CVE-2021-20230

Comment 4 David Walser 2021-02-23 19:41:05 CET
RedHat has issued an advisory on February 22:
https://access.redhat.com/errata/RHSA-2021:0618

Summary: stunnel new security issue fixed upstream in 5.57 (CVE-2021-20230 => stunnel new security issue fixed upstream in 5.57 (CVE-2021-20230)
Severity: normal => critical

Comment 5 Nicolas Lécureuil 2021-03-11 22:02:21 CET
already in testing:

src:
    - stunnel-5.57-1.mga7

Assignee: pkg-bugs => qa-bugs

Comment 6 David Walser 2021-03-14 15:51:54 CET
Advisory:
========================

Updated stunnel package fixes security vulnerability:

Client certificate not correctly verified when redirect and verifyChain options
are used (CVE-2021-20230).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20230
https://access.redhat.com/errata/RHSA-2021:0618
Comment 7 PC LX 2021-03-15 12:30:41 CET
Installed without issues but could not get it to work due to "unknown CA" verification issues.


Tested with a tunnel to example.com:443. Also tested with other common domains, and it always results in the same issue.


[example.com-https]
client = yes
accept = 127.0.0.1:8080
connect = example.com:443
verifyChain = yes
CApath = /etc/pki/tls/
# Also tested with: CApath = /etc/ssl/certs/
checkHost = example.com
OCSPaia = yes


Relevant log excerpt:
mar 15 11:20:37 marte stunnel[30158]: LOG5[0]: s_connect: connected 2606:2800:220:1:248:1893:25c8:1946:443
mar 15 11:20:37 marte stunnel[30158]: LOG5[0]: Service [example.com-https] connected remote server from 2001:818:e808:8300:2c66:2dff:fec3:b143:43356
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Setting remote socket options (FD=10)
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Option TCP_NODELAY set on remote socket
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Remote descriptor (FD=10) initialized
mar 15 11:20:37 marte stunnel[30158]: LOG6[0]: SNI: sending servername: example.com
mar 15 11:20:37 marte stunnel[30158]: LOG6[0]: Peer certificate required
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: TLS state (connect): before SSL initialization
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Initializing application specific data for session authenticated
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: TLS state (connect): SSLv3/TLS read server hello
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Verification started at depth=2: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
mar 15 11:20:37 marte stunnel[30158]: LOG4[0]: CERT: Pre-verification error: self signed certificate in certificate chain
mar 15 11:20:37 marte stunnel[30158]: LOG4[0]: Rejected by CERT at depth=2: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: TLS alert (write): fatal: unknown CA
mar 15 11:20:37 marte stunnel[30158]: LOG3[0]: SSL_connect: ssl/statem/statem_clnt.c:1245: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
mar 15 11:20:37 marte stunnel[30158]: LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.10.20-desktop-2.mga7 #1 SMP Fri Mar 5 20:47:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q stunnel
stunnel-5.57-1.mga7
$ journalctl -b0 -u stunnel
<SNIP>
mar 15 11:20:23 marte systemd[1]: Started SSL tunnel for network daemons.
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: "/etc/stunnel/conf.d/." is not a file
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: "/etc/stunnel/conf.d/.." is not a file
mar 15 11:20:23 marte stunnel[30156]: LOG5[ui]: Reading configuration from file /etc/stunnel/conf.d/tunnel.conf
mar 15 11:20:23 marte stunnel[30156]: LOG5[ui]: UTF-8 byte order mark not detected
mar 15 11:20:23 marte stunnel[30156]: LOG5[ui]: FIPS mode disabled
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: Compression disabled
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: No PRNG seeding was required
mar 15 11:20:23 marte stunnel[30156]: LOG6[ui]: Initializing service [example.com-https]
mar 15 11:20:23 marte stunnel[30156]: LOG6[ui]: OpenSSL security level is used: 2
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: TLS options: 0x02000004 (+0x00000000, -0x00000000)
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: No certificate or private key specified
mar 15 11:20:23 marte stunnel[30156]: LOG6[ui]: DH initialization skipped: client section
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: ECDH initialization
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: ECDH initialized with curves prime256v1
mar 15 11:20:23 marte stunnel[30156]: LOG5[ui]: Configuration successful
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: Deallocating deployed section defaults
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: Binding service [example.com-https]
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: Listening file descriptor created (FD=9)
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: Setting accept socket options (FD=9)
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: Option SO_REUSEADDR set on accept socket
mar 15 11:20:23 marte stunnel[30156]: LOG6[ui]: Service [example.com-https] (FD=9) bound to 127.0.0.1:8080
mar 15 11:20:23 marte stunnel[30158]: LOG7[main]: Created pid file /run/stunnel/stunnel.pid
mar 15 11:20:23 marte stunnel[30158]: LOG7[cron]: Cron thread initialized
mar 15 11:20:23 marte stunnel[30158]: LOG6[cron]: Executing cron jobs
mar 15 11:20:23 marte stunnel[30158]: LOG6[cron]: Cron jobs completed in 0 seconds
mar 15 11:20:23 marte stunnel[30158]: LOG7[cron]: Waiting 86400 seconds
mar 15 11:20:37 marte stunnel[30158]: LOG7[main]: Found 1 ready file descriptor(s)
mar 15 11:20:37 marte stunnel[30158]: LOG7[main]: FD=4 events=0x2001 revents=0x0
mar 15 11:20:37 marte stunnel[30158]: LOG7[main]: FD=9 events=0x2001 revents=0x1
mar 15 11:20:37 marte stunnel[30158]: LOG7[main]: Service [example.com-https] accepted (FD=3) from 127.0.0.1:36070
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Service [example.com-https] started
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Setting local socket options (FD=3)
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Option TCP_NODELAY set on local socket
mar 15 11:20:37 marte stunnel[30158]: LOG5[0]: Service [example.com-https] accepted connection from 127.0.0.1:36070
mar 15 11:20:37 marte stunnel[30158]: LOG6[0]: failover: priority, starting at entry #0
mar 15 11:20:37 marte stunnel[30158]: LOG6[0]: s_connect: connecting 2606:2800:220:1:248:1893:25c8:1946:443
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: s_connect: s_poll_wait 2606:2800:220:1:248:1893:25c8:1946:443: waiting 10 seconds
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: FD=6 events=0x2001 revents=0x0
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: FD=10 events=0x2005 revents=0x0
mar 15 11:20:37 marte stunnel[30158]: LOG5[0]: s_connect: connected 2606:2800:220:1:248:1893:25c8:1946:443
mar 15 11:20:37 marte stunnel[30158]: LOG5[0]: Service [example.com-https] connected remote server from 2001:818:e808:8300:2c66:2dff:fec3:b143:43356
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Setting remote socket options (FD=10)
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Option TCP_NODELAY set on remote socket
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Remote descriptor (FD=10) initialized
mar 15 11:20:37 marte stunnel[30158]: LOG6[0]: SNI: sending servername: example.com
mar 15 11:20:37 marte stunnel[30158]: LOG6[0]: Peer certificate required
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: TLS state (connect): before SSL initialization
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Initializing application specific data for session authenticated
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: TLS state (connect): SSLv3/TLS read server hello
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Verification started at depth=2: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
mar 15 11:20:37 marte stunnel[30158]: LOG4[0]: CERT: Pre-verification error: self signed certificate in certificate chain
mar 15 11:20:37 marte stunnel[30158]: LOG4[0]: Rejected by CERT at depth=2: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: TLS alert (write): fatal: unknown CA
mar 15 11:20:37 marte stunnel[30158]: LOG3[0]: SSL_connect: ssl/statem/statem_clnt.c:1245: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
mar 15 11:20:37 marte stunnel[30158]: LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Deallocating application specific data for session connect address
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Remote descriptor (FD=10) closed
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Local descriptor (FD=3) closed
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Service [example.com-https] finished (0 left)

CC: (none) => mageia
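Added triage example for the failure reported above (my own code, not part of the bug report or of stunnel): it parses journal lines in the format quoted in the comment into per-connection chain-verification failures, and checks whether a CApath directory listing contains the hashed `XXXXXXXX.N` file names that stunnel's CApath option expects. The log lines and directory listings are constructed samples.

```python
import re

# Constructed sample in the journal format quoted in the bug report.
SAMPLE_LOG = """\
mar 15 11:20:37 marte stunnel[30158]: LOG6[0]: Peer certificate required
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Verification started at depth=2: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
mar 15 11:20:37 marte stunnel[30158]: LOG4[0]: CERT: Pre-verification error: self signed certificate in certificate chain
mar 15 11:20:37 marte stunnel[30158]: LOG4[0]: Rejected by CERT at depth=2: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: TLS alert (write): fatal: unknown CA
mar 15 11:20:37 marte stunnel[30158]: LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
"""

# Every stunnel journal line carries LOG<level>[<connection id>]: <message>.
LINE_RE = re.compile(r"stunnel\[\d+\]: LOG(?P<level>\d)\[(?P<conn>[^\]]+)\]: (?P<msg>.*)$")
# Message patterns that, together, describe one failed chain verification.
PREVERIFY_RE = re.compile(r"^CERT: Pre-verification error: (?P<reason>.+)$")
REJECT_RE = re.compile(r"^Rejected by CERT at depth=(?P<depth>\d+): (?P<subject>.+)$")
ALERT_RE = re.compile(r"^TLS alert \(write\): fatal: (?P<alert>.+)$")
# OpenSSL hashed CA directory entries look like 3513523f.0 (subject hash + index).
HASHED_NAME_RE = re.compile(r"^[0-9a-f]{8}\.\d+$")


def cert_failures(log_text):
    """Return {connection id: {reason, depth, subject, alert}} for rejected chains."""
    failures = {}
    for line in log_text.splitlines():
        rec = LINE_RE.search(line)
        if rec is None:
            continue
        msg = rec["msg"]
        found = failures.setdefault(rec["conn"], {})
        if m := PREVERIFY_RE.match(msg):
            found["reason"] = m["reason"]
        elif m := REJECT_RE.match(msg):
            found["depth"] = int(m["depth"])
            found["subject"] = m["subject"]
        elif m := ALERT_RE.match(msg):
            found["alert"] = m["alert"]
    # A connection only counts as a verification failure once CERT rejected something.
    return {conn: f for conn, f in failures.items() if "subject" in f}


def capath_is_hashed(entries):
    """True if a CApath directory listing contains OpenSSL-style hashed cert names."""
    return any(HASHED_NAME_RE.match(name) for name in entries)


if __name__ == "__main__":
    for conn, f in cert_failures(SAMPLE_LOG).items():
        print(f"connection {conn}: depth {f['depth']} {f['subject']!r} -> {f['reason']} ({f.get('alert')})")
    # Constructed listings: a hashed CA directory versus a plain parent directory.
    print(capath_is_hashed(["3513523f.0", "2e5ac55d.0"]))  # True
    print(capath_is_hashed(["certs", "private", "openssl.cnf"]))  # False
```

A "self signed certificate in certificate chain" rejection at the root depth means the chain reached a root that was not found in the configured trust store, so the first thing to inspect is what CApath actually contains.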

