CVE-2021-0341
Improperly used crypto vulnerability in okhttp (Maven)
What is CVE-2021-0341 About?
A vulnerability in `verifyHostName` of `OkHostnameVerifier.java` allows a certificate to be accepted for the wrong domain due to improperly used cryptography, leading to remote information disclosure. The Android security bulletin lists Android-8.1, Android-9, Android-10, and Android-11 as affected; exploitation requires no additional execution privileges and no user interaction. The flaw is serious because hostname verification is the step that binds a TLS certificate to the server the client meant to reach: if it accepts a certificate for the wrong name, an on-path attacker holding a valid certificate for a different name can terminate the TLS connection and read the traffic.
Affected Software
- com.squareup.okhttp3:okhttp versions before 4.9.2 (Maven)
- Android-8.1, Android-9, Android-10, and Android-11 before the 2021-02-01 security patch level
Technical Details
The vulnerability CVE-2021-0341 exists in the `verifyHostName` function within `OkHostnameVerifier.java`. `OkHostnameVerifier` is responsible for checking that a name in the server's certificate, normally a Subject Alternative Name (SAN) entry, matches the hostname the client set out to connect to. Certificate chain validation only establishes that some trusted CA issued the certificate; this name check is what stops a certificate issued for one host from being used to impersonate another, and so it is a core defence against Man-in-the-Middle (MitM) attacks.

The Android bulletin classifies the defect as 'improperly used crypto', which is a category label rather than a description of the bug. It indicates that the verification logic, not the cryptographic primitives, was wrong in a way that let a certificate issued for one name be accepted for a different name. The advisory text does not say which comparison was faulty; the kinds of mistakes that produce this outcome in a hostname verifier are incorrect wildcard matching (for example `*.example.com` matching `sub.domain.example.com`, which spans two labels), insufficient validation of SAN entries, or flawed parsing or normalisation of certificate name fields. The exact change is in the fix commit linked under Additional Resources.

In the attack, an adversary holds a certificate that a trusted CA legitimately issued for a name the adversary controls, gets between the client and the real server (a rogue Wi-Fi access point, DNS manipulation, a compromised router), and presents that certificate when the client connects. Because the flawed `verifyHostName` accepts it for the name the client actually requested, the client completes the handshake with the attacker, who can then read and modify the session. That is the remote information disclosure the advisory describes.
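To make the checks above concrete, here is an added illustration of the matching a TLS client's hostname verifier performs, written for this page in Python rather than OkHttp's Kotlin so it runs stand-alone; it is not OkHttp's code. The wildcard rules follow RFC 6125 guidance (one `*`, only as the whole left-most label, matching exactly one label); refusing `*.com`-style patterns is extra conservatism chosen here, not something the advisory states about OkHttp. The ASCII-only case folding is a general hardening property of name comparison; whether it relates to this CVE's defect is not stated on the page, so consult the linked commit for the real change. All sample names are constructed.

```python
"""Hostname matching of the kind a TLS client's HostnameVerifier performs.
Added illustration in Python; not OkHttp's code. Inputs below are constructed."""
from typing import Iterable


def _is_ascii(s: str) -> bool:
    return all(ord(c) < 0x80 for c in s)


def _ascii_lowercase(s: str) -> str:
    """Fold only A-Z. str.lower() (like a locale-aware toLowerCase) also maps
    some non-ASCII code points onto ASCII letters, e.g. U+212A KELVIN SIGN
    lowercases to "k", so a name that is not the target name could compare
    equal to it after folding. A verifier must not introduce that confusion."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)


def _absolute(name: str) -> str:
    """Normalise to an absolute name so "a.example.com" and "a.example.com." agree."""
    return name if name.endswith(".") else name + "."


def match_dns_name(hostname: str, pattern: str) -> bool:
    """Return True if one dNSName SAN value `pattern` covers `hostname`."""
    if not hostname or not pattern:
        return False
    if hostname.startswith(".") or hostname.endswith(".."):
        return False  # malformed domain name
    # Refuse anything outside ASCII. Internationalised names must be converted
    # to their xn-- A-label form by the caller before they reach the verifier.
    if not _is_ascii(hostname) or not _is_ascii(pattern):
        return False
    hostname = _ascii_lowercase(_absolute(hostname))
    pattern = _ascii_lowercase(_absolute(pattern))

    if "*" not in pattern:
        return hostname == pattern

    # Wildcard rules: the '*' must be the whole left-most label, it stands for
    # exactly one label, and at least two labels must follow it, so "*.com"
    # style patterns are refused (stricter than RFC 6125 requires).
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    suffix = pattern[1:]                      # e.g. ".example.com."
    if len([label for label in suffix.split(".") if label]) < 2:
        return False
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: len(hostname) - len(suffix)]
    return leftmost != "" and "." not in leftmost


def verify_hostname(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """Accept the certificate for `hostname` only if some dNSName SAN covers it.
    An IP-literal hostname must instead be compared against iPAddress SANs,
    and the legacy Common Name fallback is deliberately not implemented."""
    return any(match_dns_name(hostname, san) for san in san_dns_names)


if __name__ == "__main__":
    # Constructed cases, not taken from the advisory.
    cases = [
        ("www.example.com", ["www.example.com"]),
        ("WWW.Example.COM", ["www.example.com"]),
        ("api.example.com", ["*.example.com"]),
        ("a.b.example.com", ["*.example.com"]),          # wildcard spans two labels
        ("example.com", ["*.example.com"]),              # wildcard needs a label
        ("www.example.com", ["w*.example.com"]),         # partial-label wildcard
        ("www.example.com", ["*.com"]),                  # too broad
        ("kim.example.com", ["\u212aim.example.com"]),   # KELVIN SIGN, not ASCII
    ]
    for host, sans in cases:
        print(f"{host!r:22} vs {sans!r:26} -> {verify_hostname(host, sans)}")
    # Why the ASCII rule matters: generic lowercasing makes these compare equal.
    print("\u212aim.example.com".lower() == "kim.example.com")
```

The last line prints `True`: a verifier that lowercases with full Unicode semantics before comparing would treat a SAN containing U+212A as equal to the ASCII name the client asked for, which is exactly the "accepted for the wrong domain" outcome the advisory describes in general terms.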
What is the Impact of CVE-2021-0341?
Successful exploitation lets an attacker who can intercept a client's connection impersonate the legitimate server. Traffic the application believes is protected by TLS is instead terminated by the attacker, giving remote information disclosure (credentials, session tokens, API payloads) and, since the attacker relays both directions, the ability to tamper with responses as well: a full Man-in-the-Middle position.
What is the Exploitability of CVE-2021-0341?
Exploiting this vulnerability requires an attacker to control a server and present an X.509 certificate that, because of the flawed check in `OkHostnameVerifier.java`, is accepted as valid for a hostname the certificate was not issued for. The attack is remote: it takes place during the TLS handshake when an Android device, or an app bundling a vulnerable OkHttp, opens a connection. No authentication or privileges on the device are needed, and no user interaction is required. The prerequisite is that the attacker can make the client's connection terminate at a machine they control while the client still believes it is talking to the legitimate hostname, for example from a rogue access point, through DNS tampering, or from any other on-path position. The key constraint is obtaining a certificate from a trusted CA whose name entries the flawed verifier will accept for the target host; what that takes depends on which comparison was faulty, which the public advisory does not spell out. Risk is highest for applications that carry sensitive data over networks where interception is plausible, such as public Wi-Fi.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-0341?
Available Upgrade Options
- com.squareup.okhttp3:okhttp
- <4.9.2 → Upgrade to 4.9.2
Apps that bundle OkHttp from Maven need to move to 4.9.2 or later, including transitive copies pulled in by other libraries such as Retrofit or logging interceptors. The copy inside the Android platform is addressed by the 2021-02-01 Android security bulletin listed under Additional Resources, so the device's security patch level matters for apps that rely on the platform's own networking stack.
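As an added check (not from the page or the project), the script below scans dependency-tree output from `gradle dependencies` or `mvn dependency:tree` and flags every okhttp entry whose effective version is below 4.9.2, honouring Gradle's `->` conflict-resolution arrow so that a transitively declared 3.14.9 that resolves to 4.9.3 is not a false positive. The sample tree text is constructed for the example; run it against real output by piping the build tool's output into `find_vulnerable_okhttp`.

```python
"""Flag OkHttp versions below 4.9.2 in Gradle or Maven dependency-tree output.
Added check, not from the page or project; the sample lines are constructed."""
import re
from typing import List, Tuple

FIXED_VERSION = (4, 9, 2)   # from the advisory's upgrade advice: < 4.9.2 is affected

# Matches the artifact in Gradle (`gradle dependencies`) and Maven
# (`mvn dependency:tree`) output; group 2 captures Gradle's "-> resolved" arrow.
OKHTTP_RE = re.compile(
    r"com\.squareup\.okhttp3:okhttp(?::jar)?:([0-9][^\s:]*)(?:\s*->\s*([0-9]\S*))?"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.9.1' -> (4, 9, 1); pre-release tags keep only their numeric parts."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(version: str) -> bool:
    return parse_version(version) < FIXED_VERSION


def find_vulnerable_okhttp(tree_output: str) -> List[Tuple[int, str]]:
    """Return (line number, effective version) for every okhttp entry below 4.9.2.
    For Gradle conflict lines like '3.14.9 -> 4.9.1' the resolved version counts."""
    hits = []
    for number, line in enumerate(tree_output.splitlines(), start=1):
        match = OKHTTP_RE.search(line)
        if not match:
            continue
        effective = match.group(2) or match.group(1)
        if is_vulnerable(effective):
            hits.append((number, effective))
    return hits


# Constructed sample output in the two common formats.
SAMPLE_GRADLE = """\
+--- com.squareup.okhttp3:okhttp:4.9.1
|    \\--- com.squareup.okio:okio:2.8.0
+--- com.squareup.retrofit2:retrofit:2.9.0
|    \\--- com.squareup.okhttp3:okhttp:3.14.9 -> 4.9.1 (*)
\\--- com.squareup.okhttp3:logging-interceptor:4.9.2
     \\--- com.squareup.okhttp3:okhttp:4.9.2 (*)
"""

SAMPLE_MAVEN = """\
[INFO] +- com.squareup.okhttp3:okhttp:jar:3.12.12:compile
[INFO] |  \\- com.squareup.okio:okio:jar:1.15.0:compile
[INFO] \\- com.squareup.okhttp3:okhttp:jar:4.9.2:test
"""

if __name__ == "__main__":
    for name, output in (("gradle", SAMPLE_GRADLE), ("maven", SAMPLE_MAVEN)):
        for line_no, version in find_vulnerable_okhttp(output):
            print(f"{name}: line {line_no}: okhttp {version} < 4.9.2, upgrade")
```

The regex deliberately anchors on `com.squareup.okhttp3:okhttp`, so sibling artifacts such as `logging-interceptor` are ignored; Gradle constraint lines of the form `{strictly ...}` do not match and would need separate handling.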
Additional Resources
- https://github.com/square/okhttp
- https://github.com/square/okhttp/issues/6724
- https://source.android.com/security/bulletin/2021-02-01
- https://osv.dev/vulnerability/GHSA-3cqm-mf7h-prrj
- https://github.com/square/okhttp/pull/6741
- https://github.com/square/okhttp/commit/f574ea2f5259d9040f264ddeb582fb1ce563f10c
- https://nvd.nist.gov/vuln/detail/CVE-2021-0341
What are Similar Vulnerabilities to CVE-2021-0341?
Similar Vulnerabilities: CVE-2023-38507, CVE-2022-4450, CVE-2022-21921, CVE-2021-43527, CVE-2021-3449
