HistoryEdit

RUSTSEC-2016-0001

SSL/TLS MitM vulnerability due to insecure defaults

Issued
Package
openssl (crates.io)
Type
Vulnerability
Keywords
#ssl #mitm
Aliases
Details
https://github.com/sfackler/rust-openssl/releases/tag/v0.9.0
CVSS Score
8.1 HIGH
CVSS Details
Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Patched
  • >=0.9.0

Description

All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults including off-by-default certificate verification and no API to perform hostname verification.

Unless configured correctly by a developer, these defaults could allow an attacker to perform man-in-the-middle attacks.

The problem was addressed in newer versions by enabling certificate verification by default and exposing APIs to perform hostname verification. Use the SslConnector and SslAcceptor types to take advantage of these new features (as opposed to the lower-level SslContext type).