#VU29246 Improper Certificate Validation in axel - CVE-2020-13614

Cybersecurity Help s.r.o.

Published: 2020-06-25

Vulnerability identifier: #VU29246

Vulnerability risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-13614

CWE-ID: CWE-295

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
axel
Other software / Other software solutions

Vendor: Axel Download Accelerator

Description

The vulnerability allows a remote attacker to perform a man-in-the-Middle (MitM) attack.

The vulnerability exists in in ssl.c when Axel fails to perform hostname verification during TLS connection. A remote attacker can supply a valid SSL certificate from another domain and perform a Man-in-the-Middle attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

axel: 2.17 - 2.17.7

External links
https://lists.opensuse.org/opensuse-security-announce/2020-06/msg00006.html
https://lists.opensuse.org/opensuse-security-announce/2020-06/msg00010.html
https://github.com/axel-download-accelerator/axel/issues/262
https://github.com/axel-download-accelerator/axel/releases/tag/v2.17.8

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Fedora 34 update for axel

Fedora 33 update for axel

Improper Certificate Validation in axel (Alpine package)

OpenSUSE Linux update for axel

MitM attack in Axel