Improper Certificate Validation in OpenWrt

1) Improper Certificate Validation

EUVDB-ID: #VU35061

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-5101

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1. When connecting to a remote server, the server's SSL certificate is checked but no action is taken when the certificate is invalid. An attacker could exploit this behavior by performing a man-in-the-middle attack, providing any certificate, leading to the theft of all the data sent by the client during the first request. After an SSL connection is initialized via _ustream_ssl_init, and after any data (e.g. the client's HTTP request) is written to the stream using ustream_printf, the code eventually enters the function __ustream_ssl_poll, which is used to dispatch the read/write events

Mitigation

Install update from vendor's website.

Vulnerable software versions

OpenWrt: 15.05.1 - 18.06.4

CPE2.3

• cpe:2.3:o:openwrt.org:openwrt:15.05.1:*:*:*:*:*:*:*
• cpe:2.3:o:openwrt.org:openwrt:18.06.4:*:*:*:*:*:*:*

External links

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0893

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.