Man-in-the-middle attack with SessionTicketsDisabled in crypto/tls

GO-2021-0154 · CVE-2014-7189

Published May 25, 2022 · Modified Jun 3, 2024

Description

When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle attackers to spoof clients via unspecified vectors.

If the server enables TLS client authentication using certificates (this is rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config, then a malicious client can falsely assert ownership of any client certificate it wishes.

References

FIX https://go.dev/cl/148080043
REPORT https://go.dev/issue/53085
WEB https://groups.google.com/g/golang-nuts/c/eeOHNw_shwU/m/OHALUmroA5kJ

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes