Improper Certificate Validation Affecting syslog-ng/syslog-ng package, versions [,4.8.2)


Severity: high (CVSS assessment by Snyk's Security Team)

Threat Intelligence: EPSS 0.04% (9th percentile)

  • Snyk ID: SNYK-UNMANAGED-SYSLOGNGSYSLOGNG-10574453
  • Published: 2 Jul 2025
  • Disclosed: 7 May 2025
  • Credit: Franco Fichtner

Introduced: 7 May 2025

CVE-2024-47619
CWE-295

How to fix?

Upgrade syslog-ng/syslog-ng to version 4.8.2 or higher.

Overview

Affected versions of this package are vulnerable to Improper Certificate Validation in the tls_wildcard_match function. Because the wildcard matching used during TLS hostname verification is too lax, an attacker can impersonate legitimate servers.

PoC

From 51e5fc164c5b6c1b44e922fbf6ea1fc09c1bc368 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Oct 2024 11:14:29 +0200
Subject: [PATCH] transport: correct matching for wildcards

Wildcards can only match the leading part and should never
match partially either.
---
 lib/transport/tls-verifier.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/transport/tls-verifier.c b/lib/transport/tls-verifier.c
index 606ad0216..fc5c6c157 100644
--- a/lib/transport/tls-verifier.c
+++ b/lib/transport/tls-verifier.c
@@ -94,6 +94,12 @@ tls_wildcard_match(const gchar *host_name, const gchar *pattern)
           goto exit;
         }
 
+      if (g_strrstr(pattern_parts[i], "*") && (g_strcmp0(pattern_parts[i], "*") || i != 0))
+        {
+          /* wildcards only on leading part and never as partial wildcard */
+          goto exit;
+        }
+
       lower_pattern = g_ascii_strdown(pattern_parts[i], -1);
       lower_hostname = g_ascii_strdown(hostname_parts[i], -1);
 
-- 
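To make the tightened rule concrete, the block below is an added stand-alone C re-implementation of the matching rules the commit message describes (same number of labels, labels compared case-insensitively, a wildcard accepted only as the entire leading label). It is example code written for this page, not syslog-ng's tls_wildcard_match: the function name wildcard_host_match, the plain-C label splitting, the malformed-name handling (empty labels rejected) and the assumption that a leading "*" stands for exactly one non-empty label are this example's own choices.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_LABELS 32

/* Split a dotted name into labels (pointers into buf). Returns the label
 * count, or -1 if the name is empty, too long, has too many labels, or
 * contains an empty label (leading, trailing or doubled dot). */
static int split_labels(const char *name, char *buf, size_t buflen,
                        const char **labels, int max)
{
    size_t len = strlen(name);
    if (len == 0 || len >= buflen)
        return -1;
    memcpy(buf, name, len + 1);
    int n = 0;
    char *p = buf;
    for (;;) {
        if (n >= max)
            return -1;
        labels[n++] = p;
        char *dot = strchr(p, '.');
        if (!dot)
            break;
        *dot = '\0';
        p = dot + 1;
    }
    for (int i = 0; i < n; i++)
        if (labels[i][0] == '\0')
            return -1;
    return n;
}

/* Case-insensitive equality of two labels. */
static int label_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Returns 1 if host_name matches pattern under the tightened rules:
 *   - both names have the same number of labels
 *   - labels are compared case-insensitively
 *   - a wildcard is accepted only as the entire leading label
 *     ("*.example.com"); a partial wildcard ("f*o.example.com") or a
 *     wildcard in a later label ("host.*.com") rejects the pattern.
 * Returns 0 otherwise. (Example code; mirrors the rule in the fix above,
 * not syslog-ng's implementation.) */
int wildcard_host_match(const char *host_name, const char *pattern)
{
    char hbuf[256], pbuf[256];
    const char *hl[MAX_LABELS], *pl[MAX_LABELS];
    int hn = split_labels(host_name, hbuf, sizeof hbuf, hl, MAX_LABELS);
    int pn = split_labels(pattern, pbuf, sizeof pbuf, pl, MAX_LABELS);
    if (hn < 0 || pn < 0 || hn != pn)
        return 0;
    for (int i = 0; i < pn; i++) {
        if (strchr(pl[i], '*')) {
            /* The check the fix adds: wildcard only as the whole first label. */
            if (strcmp(pl[i], "*") != 0 || i != 0)
                return 0;
            continue; /* assumption: "*" stands for exactly one non-empty label */
        }
        if (!label_eq(hl[i], pl[i]))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real certificate. */
    const char *cases[][2] = {
        {"host.example.com",  "*.example.com"},   /* accepted */
        {"HOST.Example.COM",  "*.example.com"},   /* accepted, case-insensitive */
        {"a.b.example.com",   "*.example.com"},   /* rejected: label count */
        {"host.example.com",  "host.*.com"},      /* rejected: non-leading wildcard */
        {"host.example.com",  "h*.example.com"},  /* rejected: partial wildcard */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s vs %-16s -> %s\n", cases[i][0], cases[i][1],
               wildcard_host_match(cases[i][0], cases[i][1]) ? "match" : "no match");
    return 0;
}
```

The matcher deliberately does not know about public suffixes, so a pattern of "*.com" is treated like any other leading wildcard; a deployment that accepts certificates from arbitrary issuers would want an additional minimum-label rule on top of this check.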
