CVE-2020-1887: 
vulnerability analysis and mitigation

Incorrect validation of the TLS SNI hostname in osquery versions after 2.9.0 and before 4.2.0 could allow an attacker to MITM osquery traffic in the absence of a configured root chain of trust (NVD).

The vulnerability stems from improper certificate validation in osquery's HTTP client implementation. The issue specifically relates to how the server certificate is verified against the hostname osquery attempts to connect to. Without proper validation callback, Boost would allow connections regardless of hostname match. The vulnerability has been assigned a CVSS v3.1 Base Score of 9.1 CRITICAL with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (NVD).

The vulnerability could allow an attacker to perform Man-in-the-Middle (MITM) attacks against osquery traffic when there is no configured root chain of trust. This could potentially lead to interception and manipulation of data being transmitted between osquery and its intended destination (NVD).

The vulnerability has been fixed in osquery version 4.2.0. Users should upgrade to this version or later to receive the security fix. The fix implements proper hostname verification in the TLS certificate validation process (Github PR).