This vulnerability was discovered by Aleksandar Nikolic of Cisco Talos.

Overview
Talos has discovered a vulnerability in the Randombit Botan library. A programming error exists in a way Botan library implements x500 string comparisons which could lead to certificate verification issues and abuse. A specially crafted X509 certificate would need to be delivered to the client or server application in order to trigger this vulnerability. A security advisory was published on the Randombit website to inform users the vulnerability is now fixed in versions 2.1.0 and 1.10.16.

TALOS-2017-0294 (CVE-2017-2801) Randombit Botan Library X509 Certificate Validation Bypass Vulnerability

Details

X509 Certificate Validation Bypass Vulnerability
The vulnerability is located in the function that Botan uses to parse the x509 distinguished name. More particularly in the equality comparison function `Botan::x500_name_cmp`. The vulnerability is located in the way of the white spaces are handled. A crafted x509 certificate with specific x509 DN strings for subject and issuer fields can be created.

With careful control over X509 distinguished names contents and depending on memory layout in the target application, it could be possible to craft a certificate where equality checks could pass or fail. This vulnerability can be exploited to fool systems into connecting to unauthorised computers. This can be abused to conduct man-in-the-middle attacks, or to trick systems to connect to a malicious server.

More details can be found in the vulnerability report:

TALOS-2017-0294

Tested Version
Randombit Botan 2.0.1

Coverage
The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 42015