Title
Authentication bypass with the "redirect" option
Description
Normally, clients are connected to the host(s) specified with the "connect" option on successful authentication, and rejected on authentication failure (an untrusted client certificate). When the "redirect" option is specified, such failed connections are supposed to be forwarded to the host(s) specified with "redirect" rather than rejected.
In the affected versions, only the initial connection is redirected to the host(s) specified with "redirect". Subsequent connections that resume the same SSL/TLS session (an abbreviated handshake, in which no client certificate is presented or verified) are always forwarded to the host(s) specified with "connect", as if they had been successfully authenticated.
Exploitability
The vulnerability is exploitable under the following conditions:
- Stunnel versions 5.00 to 5.13 inclusive.
- Server mode is enabled with "client = no" (which is the default).
- Certificate-based authentication is enabled with "verify = 2" or higher.
- The "redirect" option is used.
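The following stunnel.conf is an added illustration of a configuration that meets all four conditions above; it is not taken from the advisory or from the stunnel distribution, and the file paths, port numbers and service name are assumptions:

```ini
; Added example, not from the advisory. Global section: "client = no"
; is the default, so this instance runs in server mode.
; Paths below are assumed.
cert   = /etc/stunnel/server.pem
key    = /etc/stunnel/server.key
; CA that issued the client certificates we trust (assumed path)
CAfile = /etc/stunnel/trusted-clients.pem
; verify = 2 requires every client to present a certificate
; signed by a CA listed in CAfile
verify = 2

; Assumed service name and ports
[app]
accept   = 0.0.0.0:443
; backend for clients whose certificate verified
connect  = 127.0.0.1:8080
; backend for clients whose certificate did NOT verify;
; on stunnel 5.00-5.13 this only applies to the first connection
; of a session, resumed connections go to "connect" instead
redirect = 127.0.0.1:8081
```

To check a running instance, connect with a client certificate that was not issued by a CA in CAfile and save the session, then reconnect resuming it: `openssl s_client -connect host:443 -cert untrusted.pem -key untrusted.key -sess_out sess.pem`, followed by `openssl s_client -connect host:443 -cert untrusted.pem -key untrusted.key -sess_in sess.pem` (file names are assumed). On an affected version the first connection is answered by the "redirect" backend on 8081 and the resumed one by the "connect" backend on 8080; on a fixed version, or with the "redirect" line removed, the resumed connection does not reach 8080. Removing the "redirect" line, as the Recommendation below suggests, makes unverified clients be rejected outright instead of forwarded.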
Impact
This vulnerability bypasses authentication based on client certificates when the "redirect" option is used: a client presenting an untrusted certificate is first forwarded to the "redirect" host(s), but by resuming that SSL/TLS session it reaches the "connect" host(s) reserved for authenticated clients.
CVSS v2 Score
- CVSS Base Score: 6.4
- Impact Subscore: 4.9
- Exploitability Subscore: 10
- CVSS Temporal Score: 5.6
- Overall CVSS Score: 5.6
CVSS v2 Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N/E:H/RL:OF/RC:C)
Recommendation
Upgrade to stunnel 5.14, or remove the "redirect" option from the configuration file.
Credits
- Vulnerability discovery: Johan Olofsson
- This report: Michał Trojnara
Timeline
- Vulnerability reported to the vendor: 23 Mar 2015
- Fix released: 25 Mar 2015
- Last update: 05 May 2015