SSL certificate verification disabled in openframeworks/openframeworks

Valid

Reported on

Mar 10th 2022


Description

This report is strange, partially because the existence of this code has been acknowledged without any alarm about its security implication(s), and also because a pull request that would fix the vulnerability (opened as a bug patch) has been open for over two years! Having SSL certificate verification disabled is usually a bad idea because it opens users (in this case, developers' projects) to the availability of man-in-the-middle attacks that utilize self-signed SSL certificates as a way to 'spoof' a secure connection.

Impact

This vulnerability is capable of allowing attackers to intercept data sent over HTTPS connections that are handled by the ofURLFileLoaderImpl::handleRequest function.

Occurrences

Context: ofHttpResponse ofURLFileLoaderImpl::handleRequest(const ofHttpRequest & request)

curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 0);
We are processing your report and will contact the openframeworks team within 24 hours. 3 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 3 months ago
We have contacted a member of the openframeworks team and are waiting to hear back 2 months ago
2 months ago

Maintainer


Thanks - the PR has just been merged, but I imagine we need to do the same for CURLOPT_SSL_VERIFYPEER too?

https://github.com/openframeworks/openFrameworks/pull/6548

openframeworks/openframeworks maintainer validated this vulnerability 2 months ago
Michael Rowley has been awarded the disclosure bounty
The fix bounty is now up for grabs
Michael Rowley submitted a
2 months ago
Michael Rowley
2 months ago

Researcher


Yes, as far as I'm aware you'd ideally have CURLOPT_SSL_VERIFYPEER set to true as well as the host verification set to 2. I've submitted a pull request with these changes (linked above) - the default values for these variables is their secure ones (true & 2) but I decided to leave the curl_easy_setopt calls in to avoid any regression-based bugs, it might be simpler to remove the two lines altogether if you're sure that there is no way the values of the flags could deviate from their defaults at runtime.

2 months ago

Maintainer


Thanks - could you submit your branch / patch as a Pull Request and we'll merge it in?

Michael Rowley
2 months ago

Researcher


I've opened the pull request (#6894)

We have sent a fix follow up to the openframeworks team. We will try again in 7 days. 2 months ago
openframeworks/openframeworks maintainer confirmed that a fix has been merged on b4dacc 2 months ago
Michael Rowley has been awarded the fix bounty
to join this conversation