AdaCore AWS.Client Man-in-the-Middle Vulnerability When Linked with GnuTLS

Vulnerability

A man-in-the-middle vulnerability has been identified in AdaCore Ada Web Server (AWS) Client version 25.0.0, when it is linked with GnuTLS. The issue arises from insecure default settings that allow for interception of HTTPS communications, as the client does not properly verify the server's certificate unless a specific TLS configuration is applied. This flaw could be exploited to manipulate or eavesdrop on the communication between the client and server.

Impact

Exploitation of this vulnerability allows for man-in-the-middle attacks, where an attacker can intercept and potentially alter the communication between the client and server.

Reproduction

The vulnerability can be reproduced by using AdaCore AWS.Client version 25.0.0, linked with GnuTLS, and not specifying a TLS configuration. This will result in the client failing to verify the server's HTTPS certificate, allowing for a man-in-the-middle attack.

Remediation

Users can upgrade to AdaCore AWS.Client version 25.0.0 or later, which includes a fix for this vulnerability. For Debian users, the updated version is 20.2-2+deb11u1.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

    Metric          Score
    spread          0.0
    impact          0.6
    exploitability  7.3
    remediation     7.7
    relevance       0.0
    threat          6.4
    urgency         2.9
    incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.