CVE-2018-10377 - Insufficient Validation of Burp Collaborator Server Certificate

1. Vulnerability Properties

Title: Insufficient Validaton of Burp Collaborator Server Certificate
CVE ID: CVE-2018-10377
CVSSv3 Base Score: 5.4 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Vendor: PortSwigger Ltd
Products: Burp Suite Professional
Advisory Release Date: 15 June 2018
Advisory URL: https://integritylabs.io/advisories/cve-2018-10377/
Credits: Discovery by Bruno Morisson <bm[at]integrity.pt>

2. Vulnerability Summary

Burp Suite Professional does not correctly validate the Burp Collaborator server TLS certificate. It fails to check if the certificate CN matches the hostname, making it vulnerable to an active MITM attack.

Assessment from the vendor:

The impact of this bug is that if an attacker performed an active MITM attack within the network that is hosting the Collaborator server, then they would be able to correlate interaction data with polling clients. This would not normally be sufficient to infer specific vulnerabilities. (Note that for an attacker on the same network as the Burp user, the impact is lower, because the attacker can already view all traffic to the application and correlate requests with resulting Collaborator interactions.)

3. Technical Details

For PoC, just use a valid certificate for a completely different domain than the one used on the Burp Collaborator server, and connect to it. All checks will be OK, and when polling the server (using the scanner for instance), there’s no warning or failure, and Burp connects.

4. Vulnerable Versions

• Burp Suite Professional <= 1.7.33

5. Solution

• Update to version 1.7.34

6. Vulnerability Timeline

• 14/Apr/18 - Bug reported to vendor via HackerOne
• 23/Apr/18 - Bug verified by vendor and bounty awarded
• 13/Jun/18 - Fixed Version Released
• 15/Jun/18 - Advisory Released

7. References

• http://releases.portswigger.net/2018/06/1734.html
• https://hackerone.com/reports/337680
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10377