A recent vulnerability has been discovered in ca-certificates, which allows for the potential reading of encrypted TLS data due to the inclusion of untrusted cryptographic certificates. This security flaw could result in remote information disclosure without requiring any additional execution privileges. Notably, user interaction is not necessary for the exploit to be successful.

This long-read post features a code snippet, links to the original references, and a thorough explanation of the vulnerability and exploit details.

Details of the Vulnerability (CVE-2023-40104)

The vulnerability has been assigned the identifier CVE-2023-40104. This issue arises from the presence of untrusted cryptographic certificates in the ca-certificates package. The result is that encrypted TLS communication can potentially be intercepted and read by a malicious entity.

A code snippet demonstrating this vulnerability is provided below:

// Vulnerable ca-certificates configuration
const tls = require('tls');
const fs = require('fs');

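const options = {
  // Server private key and certificate
  key: fs.readFileSync('server-key.pem'),
  cert: fs.readFileSync('server-cert.pem'),
  // Trust anchor used when verifying peer certificates; here it is an untrusted CA
  ca: fs.readFileSync('untrusted-ca-cert.pem')
};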

const server = tls.createServer(options, (socket) => {
  console.log('server connected', socket.authorized ? 'authorized' : 'unauthorized');
  socket.write('welcome to the vulnerable server!\n');
  socket.setEncoding('utf8');
  socket.pipe(socket);
});

server.listen(800, () => {
  console.log('server bound');
});

In the above example, the server makes use of an untrusted certificate authority (CA) certificate in its configuration. The consequence is the potential for data transfer to be intercepted and read by malicious attackers.

1. NVD - CVE-2023-40104
2. ca-certificates GitHub Repository

Exploit Details

To exploit this vulnerability, an attacker would need to perform a man-in-the-middle (MITM) attack. This involves intercepting the communication between the affected server and a client that trusts the untrusted CA certificate. The attacker can then decrypt the intercepted TLS data, leading to information disclosure.

1. Remove untrusted CA certificates from the configuration.
2. Use only trusted CA certificates for TLS communication. In the code snippet provided earlier, replace 'untrusted-ca-cert.pem' with a trusted CA certificate file.
3. Regularly update packages and libraries, including ca-certificates, to ensure the latest security patches are applied.
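
One way to enforce the first two steps before a bundle reaches `tls.createServer()`, as an added example that is not part of the original post or of the ca-certificates project: it audits a PEM bundle against an allowlist of SHA-256 fingerprints. The function names and the allowlist approach are assumptions, and the sample bundle is constructed from two of Node's bundled roots standing in for a real file such as 'untrusted-ca-cert.pem'.

```javascript
const tls = require('tls');
const { X509Certificate } = require('crypto');

// Split a PEM bundle (one or more concatenated certificates) into blocks.
function splitPemBundle(pem) {
  const re = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;
  return pem.match(re) || [];
}

// SHA-256 fingerprints of the CAs the operator has decided to trust.
function fingerprintsOf(pems) {
  return new Set(pems.map((p) => new X509Certificate(p).fingerprint256));
}

// Report every certificate in the bundle that is not on the allowlist.
function findUntrustedCas(bundlePem, allowed) {
  return splitPemBundle(bundlePem)
    .map((block) => new X509Certificate(block))
    .filter((cert) => !allowed.has(cert.fingerprint256))
    .map((cert) => ({
      subject: cert.subject,
      fingerprint256: cert.fingerprint256,
      validTo: cert.validTo,
    }));
}

// Refuse to pass a bundle on as the `ca` option unless every entry is allowlisted.
function loadVettedCa(bundlePem, allowed) {
  const findings = findUntrustedCas(bundlePem, allowed);
  if (findings.length > 0) {
    const list = findings.map((f) => f.fingerprint256).join(', ');
    throw new Error(`CA bundle contains non-allowlisted certificates: ${list}`);
  }
  return bundlePem;
}

// Constructed sample: rootA plays the trusted CA, rootB the unexpected extra entry.
const [rootA, rootB] = tls.rootCertificates;
const sampleBundle = `${rootA}\n${rootB}\n`;
const allowlist = fingerprintsOf([rootA]);

const findings = findUntrustedCas(sampleBundle, allowlist);
for (const f of findings) {
  console.log(`not allowlisted: ${f.subject.replace(/\n/g, ', ')} (${f.fingerprint256})`);
}
```

In the server snippet above, the `ca` value would become `loadVettedCa(fs.readFileSync(path, 'utf8'), allowlist)`, so a bundle with an unexpected CA stops the process at startup instead of being trusted silently.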

Conclusion

CVE-2023-40104 is a critical vulnerability in the ca-certificates package that can potentially lead to remote information disclosure. By ensuring the use of trusted CA certificates and keeping systems up to date, developers and system administrators can safeguard against this risk.

Timeline

Published on: 02/15/2024 23:15:08 UTC
Last modified on: 02/16/2024 13:37:55 UTC