Improper Authentication Affecting aws/s2n-tls package, versions [,1.5.0)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-UNMANAGED-AWSS2NTLS-7675661
- published 11 Aug 2024
- disclosed 9 Aug 2024
- credit Unknown
How to fix?
Upgrade aws/s2n-tls to version 1.5.0 or higher.
Overview
Affected versions of this package are vulnerable to Improper Authentication due to an API ordering issue. An attacker can bypass client authentication by manipulating the sequence of API calls related to authentication setup.
Note:
Server applications are impacted if client authentication is enabled by
calling s2n_connection_set_config()before callings2n_connection_set_client_auth_type().Applications are not impacted if these APIs are called in the opposite order or if client authentication is enabled on the config with
s2n_config_set_client_auth_type(). s2n-tls clients verifying server certificates are not impacted.
Workaround
Applications can workaround this issue by calling s2n_connection_set_config() after calling s2n_connection_set_client_auth_type(), or by enabling client authentication on the config with s2n_config_set_client_auth_type().