Zero Install 'Common Name' Field Security Bypass Vulnerability
BID:51983
Info
| Bugtraq ID: | 51983 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 13 2012 12:00AM |
| Updated: | Feb 13 2012 12:00AM |
| Credit: | The vendor reported this issue. |
| Vulnerable: | Zero Install Zero Install 1.5 |
| Not Vulnerable: | Zero Install Zero Install 1.6 |
Discussion
Zero Install is prone to a security vulnerability that may allow attackers to conduct spoofing attacks.
Attackers can exploit this issue to spoof a valid server and conduct man-in-the-middle attacks. Successful exploits will cause victims to accept the attacker's certificates on the assumption that they come from a legitimate site.
Versions prior to Zero Install 1.6 are vulnerable.
Exploit / POC
Attackers can use readily available tools to exploit this issue.
Solution / Fix
Solution:
Updates are available. Please see the references for more details.
References
References:
- 0install 1.6 has been released (Zero Install)
- Zero Install Homepage (Zero Install)