exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 7 of 7 RSS Feed

CVE-2008-4989

Status Candidate

Overview

The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).

Related Files

Debian Linux Security Advisory 1719-2
Posted Feb 28, 2009
Authored by Debian | Site debian.org

Debian Security Advisory 1719-2 - Changes in DSA-1719-1 caused GNUTLS to reject X.509v1 certificates as CA root certificates by default, as originally described in the documentation. However, it turned out that there is still significant use of historic X.509v1 CA root certificates, so this constitutes an unacceptable regression. This update reverses this part of the changes in DSA-1719-1. Note that the X.509v1 certificate format does not distinguish between server and CA certificates, which means that an X.509v1 server certificates is implicitly converted into a CA certificate when added to the trust store (which was the reason for the change in DSA-1719-1).

tags | advisory, root
systems | linux, debian
advisories | CVE-2008-4989
SHA-256 | ddaa4f427a58bff69f2ca3a2aefc0c3300a52b36c422095c425fa6774c24fe5c
Debian Linux Security Advisory 1719-1
Posted Feb 10, 2009
Authored by Debian | Site debian.org

Debian Security Advisory 1719-1 - Martin von Gagern discovered that GNUTLS, an implementation of the TLS/SSL protocol, handles verification of X.509 certificate chains incorrectly if a self-signed certificate is configured as a trusted certificate. This could cause clients to accept forged server certificates as genuine.

tags | advisory, protocol
systems | linux, debian
advisories | CVE-2008-4989
SHA-256 | 4f44055225319bc86bc380c24ce98f7fcde7c10571fccfac2926e45d7e7df4ac
Gentoo Linux Security Advisory 200901-10
Posted Jan 15, 2009
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory GLSA 200901-10 - A certificate validation error in GnuTLS might allow for spoofing attacks. Martin von Gagern reported that the _gnutls_x509_verify_certificate() function in lib/x509/verify.c trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate. Versions less than 2.4.1-r2 are affected.

tags | advisory, arbitrary, spoof
systems | linux, gentoo
advisories | CVE-2008-4989
SHA-256 | 546a34c942ac770823964c45d53398b233b2efafe5e1b7e29d324f13c99ef895
Ubuntu Security Notice 678-1
Posted Nov 26, 2008
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice USN-678-1 - Martin von Gagern discovered that GnuTLS did not properly verify certificate chains when the last certificate in the chain was self-signed. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information.

tags | advisory, remote
systems | linux, ubuntu
advisories | CVE-2008-4989
SHA-256 | 539f7c707d1cb23af98c59af3f2135292874d0c88bb0f3a94232993f1d0dc46b
Mandriva Linux Security Advisory 2008-227
Posted Nov 18, 2008
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2008-227-1 - Martin von Gagern found a flow in how GnuTLS versions 1.2.4 up until 2.6.1 verified certificate chains provided by a server. A malicious server could use this flaw to spoof its identity by tricking client applications that used the GnuTLS library to trust invalid certificates. It was found that the previously-published patch to correct this issue caused a regression when dealing with self-signed certificates. An updated patch that fixes the security issue and resolves the regression issue has been applied to these packages.

tags | advisory, spoof
systems | linux, mandriva
advisories | CVE-2008-4989
SHA-256 | bac14626a031686f97e9d85f053eab14d2203b73251d868c94d7cd0108d40380
Pardus Linux Security Advisory 2008.70
Posted Nov 14, 2008
Authored by Pardus Linux, Pardus

Pardus Linux Security Advisory 2008-70 -A vulnerability has been reported in GnuTLS, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to an error when validating the X.509 certificate chain and can be exploited to spoof arbitrary names e.g. during a Man-in-the-Middle (MitM) attack.

tags | advisory, arbitrary, spoof
systems | linux
advisories | CVE-2008-4989
SHA-256 | 3c2662b7e460287e9cc145ea7d0b9487ff84e81276c0932011ff5059ef43322b
Mandriva Linux Security Advisory 2008-227
Posted Nov 13, 2008
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory - Martin von Gagern found a flow in how GnuTLS versions 1.2.4 up until 2.6.1 verified certificate chains provided by a server. A malicious server could use this flaw to spoof its identity by tricking client applications that used the GnuTLS library to trust invalid certificates. The updated packages have been patched to correct this issue.

tags | advisory, spoof
systems | linux, mandriva
advisories | CVE-2008-4989
SHA-256 | 0111abeb08bb42e780b644937c300f302aebebda1a1f47a4e9b45a5b6d908d34
Page 1 of 1
Back1Next

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close