CVE-2016-10931 affects versions of rust-openssl prior to 0.9.0, exposing applications to man-in-the-middle (MITM) attacks. The vulnerability stems from insecure default configurations, including disabled certificate verification and the absence of an API for hostname verification. This issue was resolved in version 0.9.0 by enabling certificate verification by default and providing APIs for hostname verification through SslConnector and SslAcceptor.
An attacker exploiting this vulnerability can intercept and potentially modify communications between a client and server. Without proper certificate verification, the attacker can present a fraudulent certificate, tricking the client into believing it's communicating with a legitimate server. The lack of hostname verification further exacerbates the risk, as the attacker can impersonate any domain. This could lead to data breaches, credential theft, and the execution of malicious code. The impact is particularly severe in applications handling sensitive data, such as financial transactions or personal information.
CVE-2016-10931 was published on November 5, 2016. While no widespread, automated exploitation campaigns have been publicly reported, the vulnerability's nature makes it attractive to targeted attacks. The lack of default certificate verification is a common attack vector. There are publicly available proof-of-concept (POC) exploits demonstrating the vulnerability's impact. This CVE is not currently listed on KEV or EPSS, indicating a low to medium probability of exploitation.
Exploitation status
EPSS: 0.18% (40th percentile)
CVSS vector
The primary mitigation is to upgrade to rust-openssl version 0.9.0 or later. If upgrading is not immediately feasible, developers must explicitly configure certificate verification and hostname verification. This means using the SslConnector and SslAcceptor types instead of the lower-level SslContext. Consider implementing a Web Application Firewall (WAF) with rules to detect and block suspicious TLS traffic patterns. Regularly review and update OpenSSL configurations to ensure best practices are followed. After upgrading, confirm that certificate verification is in effect by connecting to a known, trusted HTTPS endpoint and verifying the certificate chain.
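As an added example (not the rust-openssl crate's own code), the hostname check that the pre-0.9.0 API left out, written with std only so it runs stand-alone; it applies simplified RFC 6125 rules (dNSName SAN entries, case-insensitive comparison, one full-label wildcard in the left-most label only), and the SAN list in main is constructed rather than parsed from a real certificate:

```rust
// Added example: the hostname check that rust-openssl < 0.9.0 offered no API
// for, written with std only. Simplified RFC 6125 rules: match the hostname
// against the certificate's dNSName SAN entries, case-insensitively, allowing
// a single full-label wildcard in the left-most label only.

/// Returns true if `pattern` (one dNSName SAN entry) matches `hostname`.
fn matches_pattern(pattern: &str, hostname: &str) -> bool {
    let pattern = pattern.trim_end_matches('.').to_ascii_lowercase();
    let hostname = hostname.trim_end_matches('.').to_ascii_lowercase();
    if pattern.is_empty() || hostname.is_empty() {
        return false;
    }
    // No wildcard: the names must be identical.
    if !pattern.contains('*') {
        return pattern == hostname;
    }
    let (wild, pat_rest) = match pattern.split_once('.') {
        Some(parts) => parts,
        None => return false, // a bare "*" never matches
    };
    // The wildcard must be the whole left-most label, and the remainder must
    // contain no further '*' and at least two labels (rejects "*.com").
    if wild != "*" || pat_rest.contains('*') || pat_rest.matches('.').count() < 1 {
        return false;
    }
    match hostname.split_once('.') {
        // "*.example.com" matches "www.example.com" but not "a.b.example.com"
        // (the wildcard covers exactly one label) and not "example.com" itself.
        Some((host_first, host_rest)) => !host_first.is_empty() && host_rest == pat_rest,
        None => false,
    }
}

/// Hostname verification against the certificate's dNSName SAN entries.
/// An empty SAN list fails closed: nothing is trusted by omission.
pub fn verify_hostname(hostname: &str, dns_sans: &[&str]) -> bool {
    // Reject hostnames that are IP literals or themselves contain a wildcard.
    if hostname.contains('*') || hostname.parse::<std::net::IpAddr>().is_ok() {
        return false;
    }
    dns_sans.iter().any(|san| matches_pattern(san, hostname))
}

fn main() {
    // Constructed SAN list standing in for a parsed server certificate.
    let sans = ["example.com", "*.example.com"];
    for host in ["example.com", "www.example.com", "a.b.example.com", "evil.test"] {
        println!("{}: {}", host, verify_hostname(host, &sans));
    }
}
```

In a real client this check runs inside SslConnector::connect(domain, stream) against the peer's certificate; running the block alone shows which names a given SAN list accepts and rejects.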
No official patch is available yet. Look for a workaround or keep monitoring for updates.
CVE-2016-10931 describes a vulnerability in rust-openssl versions before 0.9.0 where insecure defaults (disabled certificate verification, no hostname verification) allow man-in-the-middle attacks.
You are affected if your application uses rust-openssl versions prior to 0.9.0 and does not explicitly configure certificate verification and hostname verification.
Upgrade to rust-openssl version 0.9.0 or later. If upgrading isn't possible, configure certificate verification and hostname verification using SslConnector and SslAcceptor.
While no widespread campaigns are known, the vulnerability is attractive to targeted attacks and POC exploits are available.
Refer to the rust-openssl project's release notes and security advisories on their GitHub repository for details: https://github.com/rust-openssl/rust-openssl