libsoup SSL Certificate Validation Security Bypass Vulnerability

Bugtraq ID:	53232
Class:	Design Error
CVE:	CVE-2012-2132
Remote:	Yes
Local:	No
Published:	Apr 24 2012 12:00AM
Updated:	Aug 26 2012 02:50AM
Credit:	Ludwig Nussel
Vulnerable:	GNOME Libsoup 2.32.2
Not Vulnerable:

libsoup SSL Certificate Validation Security Bypass Vulnerability

libsoup is prone to a security-bypass vulnerability because the application fails to properly validate SSL certificates from the server.

Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks.

libsoup 2.32.2 is vulnerable; other versions may also be vulnerable.

libsoup SSL Certificate Validation Security Bypass Vulnerability

An attacker can use readily available network utilities to exploit this issue.

libsoup SSL Certificate Validation Security Bypass Vulnerability

Solution:
Updates are available. Please see the references for more information.

libsoup SSL Certificate Validation Security Bypass Vulnerability

References:

• CVE Request: libsoup 2.32.2 sets ssl trusted flag despite no verification (Ludwig Nussel)
  
• Libsoup Homepage (Gnome)