
[Bug 574921] Broken TLS server certificate validation in Eclipse ioFog agent

Bugzilla Link 574921
Status NEW
Importance P3 normal
Reported Jul 19, 2021 23:18 EDT
Modified Oct 21, 2021 15:51 EDT

Description

From the security inbox:

--
To me it looks as if the ioFog agent fails to properly validate server-side TLS certificates:

See: https://github.com/eclipse-iofog/Agent/blob/23b787fc165f4d4f0a5c1d7b8d58d705e73ebc3e/iofog-agent-daemon/src/main/java/org/eclipse/iofog/utils/trustmanager/X509TrustManagerImpl.java#L33-L45

This is present in ioFog 2.0, but the same code is also part of the most recent development branch.

To my understanding of the code, the validator only checks if the server presents at least one certificate which is signed by the trust anchor. However, this can basically be any certificate.

Additionally, timestamps and hostnames are not checked.

If this is the case, then I think a CVE ID should be assigned.
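A hardened counterpart to the pattern the report describes, added here as an example and not code from the ioFog project: instead of a hand-written trust manager it delegates chain building and validity-period checks to the JDK's PKIX trust manager and enables hostname verification through endpoint identification. The class and method names (StrictTlsClient, pkixTrustManager, connect) are my own.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.*;

/** Added example (not ioFog code): TLS client that checks chain, validity period and hostname. */
public final class StrictTlsClient {
    /** Loads a PKCS12/JKS trust store; a null path means the JVM's default CA set. */
    static X509TrustManager pkixTrustManager(Path trustStore, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = null;
        if (trustStore != null) {
            ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = Files.newInputStream(trustStore)) {
                ks.load(in, password);
            }
        }
        // PKIX builds and validates the whole path: every signature up to an anchor,
        // notBefore/notAfter, basic constraints and key usage. Checking only that some
        // certificate in the chain is signed by the anchor, as the report describes, skips that.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager from PKIX factory");
    }

    /** The handshake fails unless chain, validity and hostname all check out. */
    static SSLSocket connect(String host, int port, X509TrustManager tm)
            throws GeneralSecurityException, IOException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] {tm}, null);
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        // Hostname check against SAN/CN; a trust manager on its own never compares names.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket;
    }
}
```

Any server that presents an expired certificate, a certificate for another name, or a leaf that is not chained to the configured anchors is rejected at startHandshake() with an SSLHandshakeException.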