Erlang OTP Public Key Module Improper Certificate Validation Vulnerability Allowing DNS Name Constraints Bypass

A vulnerability in the public_key module of Erlang OTP, specifically in versions 19.3 prior to 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1, has been identified. This vulnerability allows a DNS nameConstraints bypass by falling back on the subject CommonName during TLS hostname verification. The issue arises because the function pubkey_cert:validate_names/6 only checks Subject Alternative Name (SAN) DNS entries against nameConstraints. According to RFC 5280, a permitted DNS subtree only restricts certificates with DNS-typed names. A leaf certificate without a SAN can still satisfy any permitted DNS constraint, regardless of its CommonName. Additionally, the function public_key:pkix_verify_hostname/3 reverts to using the CommonName when no SAN is present, leading to potential misidentification of hostnames. This vulnerability could be exploited by a subordinate Certificate Authority (CA) with restricted DNS nameConstraints, allowing them to issue a certificate that the OTP TLS client mistakenly accepts for an out-of-scope hostname.

Impact

Exploitation of this vulnerability can lead to a bypass of DNS nameConstraints, allowing a certificate to be accepted for a hostname that should be out of scope. This could facilitate a Man-in-the-Middle attack, where an attacker intercepts and alters communications by presenting a forged certificate for a different domain.

Reproduction

The vulnerability can be reproduced by using the ssl:connect function with the verify_peer option, a trusted CA, Server Name Indication (SNI), and the strict HTTPS hostname matcher. This combination triggers the vulnerability by allowing a certificate to be accepted based on its CommonName, despite being issued in violation of DNS nameConstraints.

Remediation

Users can update to Erlang/OTP versions 26.2.5.21, 27.3.4.12, 28.5.0.1, or 29.0.1. For those using version 19.3, a custom verify_fun can be implemented to ensure TLS connections fail if the certificate lacks a SAN extension or a valid domain name.