Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CWE-295 in go SDK,client message was malformed, however, in the server tls authentication, it was found that Go's crypto\x509\x509.go passed authenticated. #41175

Closed
wangting1995 opened this issue Sep 2, 2020 · 3 comments

Comments

@wangting1995
Copy link

wangting1995 commented Sep 2, 2020

What version of Go are you using (go version)?

$ go version 1.14.6
$ grpc version  1.26.0

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env

What did you do?

A certification validation error occurred when using Defensics Fuzz that is a tool for checking security vulnerabilities to test the gRPC service port with SSL authentation.
We have used the Defensics Fuzz Testing Tool to test the grpc service port. The tool distorted the client certificate signature content and tried to establish communication. The packet capture showed that the client message was malformed, however, in the server tls authentication, it was found that Go's crypto\x509\x509.go passed authentication.
We highly suspected it that a flaw in Go language tls authentication
Please confirm whether the go language has this error?

What did you expect to see?

authentication failed

What did you see instead?

authentication passed

@wangting1995 wangting1995 changed the title We have used the Synopsys Defensics tool to test the grpc service port. The tool distorted the client certificate signature content and tried to establish communication. The packet capture showed that the client message was malformed, however, in the server tls authentication, it was found that Go's crypto\x509\x509.go passed authenticated. Please confirm whether the go language has this error? CWE-295 in go SDK,client message was malformed, however, in the server tls authentication, it was found that Go's crypto\x509\x509.go passed authenticated. Sep 2, 2020
@davecheney
Copy link
Contributor

@wangting1995 without a way to reproduce your issue we cannot investigate. Please update the issue to include a self contained program that demonstrates the issue. Thank you.

@davecheney davecheney added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Sep 2, 2020
@networkimprov
Copy link

@wangting1995 please email more info to security@golang.org. Please do not post it here.
More: https://golang.org/security

cc @FiloSottile

@gopherbot remove WaitingForInfo

@gopherbot gopherbot removed the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Sep 3, 2020
@FiloSottile
Copy link
Contributor

Closing this as there is not enough information for an investigation. Please follow golang.org/security if you have a report.

@golang golang locked and limited conversation to collaborators Sep 3, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

5 participants