Authentication bypass with the "redirect" option
stunnel does not perform redirection when both "redirect" and "verifyChain" options are used, and a client authenticates with an untrusted certificate.
The vulnerability is exploitable under the following conditions:
- Stunnel versions 5.14 to 5.56 inclusive.
- Server mode is enabled with "client = no" (which is the default).
- PKI-based authentication is enabled with "verifyChain = yes".
- The "redirect" option is used.
This vulnerability bypasses authentication based on client certificates.
CVSS v2 Score
- CVSS Base Score: 5.0
- Impact Subscore: 2.9
- Exploitability Subscore: 10
CVSS v2 Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Upgrade to stunnel 5.57 or later.
As a workaround, remove the "redirect" option from the configuration file.
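The following configuration check is an added example, not part of the original advisory or of stunnel itself: it reports which service sections of a configuration meet all of the conditions listed above for a given stunnel version. It assumes that options set before the first [service] section act as defaults for every service and that option names are matched case-insensitively; the function names and the sample configuration are constructed for illustration.

```python
AFFECTED = ((5, 14), (5, 56))  # inclusive version range from the advisory

# Constructed sample configuration (paths, ports and names are made up).
SAMPLE_CONF = """\
verifyChain = yes
CAfile = /etc/stunnel/ca.pem
[web]
accept = 443
connect = 8080
redirect = 8081
[admin]
accept = 8443
connect = 9090
verifyChain = no
verifyPeer = yes
redirect = 9091
[outbound]
client = yes
accept = 127.0.0.1:9000
connect = example.org:443
"""

def version_affected(version):
    """True if an 'X.Y' version string falls inside the affected range."""
    major, minor = (int(p) for p in version.split(".")[:2])
    return AFFECTED[0] <= (major, minor) <= AFFECTED[1]

def parse_services(conf_text):
    """Map each [service] to its options; global options act as defaults (assumption)."""
    defaults, services, current = {}, {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], dict(defaults))
            continue
        name, sep, value = line.partition("=")
        if sep:  # option names compared case-insensitively (assumption)
            (defaults if current is None else current)[name.strip().lower()] = value.strip()
    return services

def exposed_services(conf_text, version):
    """Names of services meeting all four conditions listed in the advisory."""
    if not version_affected(version):
        return []
    return [name for name, o in parse_services(conf_text).items()
            if o.get("client", "no").lower() == "no"
            and o.get("verifychain", "no").lower() == "yes" and "redirect" in o]
```

For the sample above, only the "web" service is reported on version 5.56, and nothing is reported on 5.57.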
- Vulnerability discovery: Rob Hoes
- This report: Michał Trojnara
- Vulnerability reported to the vendor: 08 Oct 2020
- Fix released: 11 Oct 2020
- Last update: 15 Mar 2023