certified

Unauthorized reading confirmation from Outlook

including the IP address of the recipient. I was working on S/MIME
messages and I thought about the signature validation process, where
some of the steps could require external information (like a CRL) to
be accessed. The interesting part of it is that the location of this
information can be included in the message itself, as the PKCS#7
package can also include the certificate used to generate the
signature.

I went into Microsoft documentation about the validation process from
Outlook, and found this:


VSR Advisory: Multiple Cisco CSS / ACE Client Certificate and HTTP Header Manipulation Vulnerabilities

                         Security Advisory


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Multiple Cisco CSS / ACE Client Certificate and HTTP Header
           Manipulation Vulnerabilities
 Release Date: 2010-07-02
  Application: Cisco Content Services Switch (CSS) / ACE Products
     Versions: Cisco CSS 11500 - 08.20.1.01
                Cisco ACE 4710 - Version A3(2.5) [build 3.0(0)A3(2.5)

Re: Aruba Mobility Controller Shared Default Certificate - Response from Aruba Networks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The certificate referenced in this posting is for demonstration purposes
*only*, and this is clearly indicated in Aruba's documentation:

"A server certificate installed in the controller verifies the
authenticity of the controller for 802.1x authentication. Aruba
controllers ship with a demonstration digital certificate. Until  you
install a customer-specific server certificate in the controller,  this

OpenOffice: Duplicated, Unprotected Certificate Information shown in Signed ODF Documents

handle Office documents like text documents or spreadsheets. 
The latest version uses an XML based document format (ODF). 
OpenOffice allows documents to be digitally signed by authors 
using certified keys, allowing viewers to verify the integrity
and the origin based on the author's public key. 
The author's public-key certificate, which can come from 
a trusted third party, is embedded in the signed document.


II. Problem Description


fetchmail security announcement fetchmail-SA-2009-01 (CVE-2009-2666)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

fetchmail-SA-2009-01: Improper SSL certificate subject verification

Topics:         Improper SSL certificate subject verification

Author:         Matthias Andree
Version:        1.0
Announced:      2009-08-06

[USN-809-1] GnuTLS vulnerabilities

necessary changes.

Details follow:

Moxie Marlinspike and Dan Kaminsky independently discovered that GnuTLS did
not properly handle certificates with NULL characters in the certificate
name. An attacker could exploit this to perform a man in the middle attack
to view sensitive information or alter encrypted communications.
(CVE-2009-2730)

Dan Kaminsky discovered GnuTLS would still accept certificates with MD2

Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities

contains multiple denial of service (DoS) vulnerabilities that may
cause an interruption in voice services, if exploited. These
vulnerabilities were discovered internally by Cisco. The following
Cisco Unified Communications Manager services are affected:

  * Certificate Trust List (CTL) Provider
  * Certificate Authority Proxy Function (CAPF)
  * Session Initiation Protocol (SIP)
  * Simple Network Management Protocol (SNMP) Trap

Cisco has released free software updates that address these

SECOBJADV-2008-01: Lenovo SystemUpdate SSL Certificate Issuer Spoofing Vulnerability

======================================================================
=         Security Objectives Advisory (SECOBJADV-2008-01)           =
======================================================================

Lenovo SystemUpdate SSL Certificate Issuer Spoofing Vulnerability

http://www.security-objectives.com/advisories/SECOBJADV-2008-01/

AFFECTED: Lenovo System Update 3 (Version 3.13.0005, Build date 2008-1-3)


VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components

    Service Console package curl updated to version 7.15.5-2.1.el5_3.5

    cURL is affected by the previously published "null prefix attack",
    caused by incorrect handling of NULL characters in X.509
    certificates. If an attacker is able to get a carefully-crafted
    certificate signed by a trusted Certificate Authority, the attacker
    could use the certificate during a man-in-the-middle attack and
    potentially confuse cURL into accepting it by mistake.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)

Aruba Advisory ID: AID-020810 TLS Protocol Session Renegotiation Security Vulnerability

protected by TLS.

The only ArubaOS component that seems affected by this issue is the
HTTPS WebUI administration interface. If a client browser (victim) is
configured to authenticate to the WebUI over HTTPS using a client
certificate, an attacker can potentially use the victim's credentials
temporarily to execute arbitrary HTTP request for each initiation of an
HTTPS session from the victim to the WebUI. This would happen without
any HTTPS/TLS warnings to the victim. This condition can essentially be
exploited by an attacker for command injection in beginning of a HTTPS
session between the victim and the ArubaOS WebUI.

Re: facebook 'routing flaw'?

There is a fairly in depth discussion of the issue here:

http://arstechnica.com/web/news/2010/01/facebook-att-play-fast-and-loose-with-user-authentication.ars

Not a routing issue, more of a proxy issue, and not uncommon in mobile carrier networks. Getting security right in a mobile application is tricky given how carriers manage Internet access. With the growth of smartphones these kinds of issues will become more prevalent until carriers refactor how they manage traffic via their proxies. I'll also note that while the referenced article suggests the use of SSL, there are issues with support in the mobile environment for SSL in terms of which certificate authorities are pre-installed on phones, whether applications have access to the certificate store on the mobile device (or need an embedded certificate), how certificate chaining and wildcarding is supported, and so on.

*********** REPLY SEPARATOR  ***********

On 1/16/2010 at 7:39 AM Michael Scheidell wrote:


ANNOUNCE: Apache-SSL security release - apache_1.3.41+ssl_1.59

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Overview:

Apache-SSL provides environment variables that are filled with
(client) certificate data. If the subject of a client certificate
contains special characters, parts of these variables can be overwritten
or be filled with other parts of memory.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Technical details:

Re: AW: MS Office 2007: Digital Signature does not protect Meta-Data

> Dear Mr. Poehls,
>
> I think Microsoft does not consider metadata attached to a document as part of the document and so they decided not to include it in the content protected by the certificate.
>
> This fits the way we use attaching metadata during the process of categorization to enable retrieval of a document by means and taxonomies of the recipient, not of the author. If instead, as you seem to propose, metadata would be treated as part of the document, attaching the metadata needed for r

[SECURITY] [DSA 1985-1] New sendmail packages fix SSL certificate verification weakness

Debian-specific: no
CVE ID         : CVE-2009-4565
Debian bug     : 564581

It was discovered that sendmail, a Mail Transport Agent, does not properly handle
a '\0' character in a Common Name (CN) field of an X.509 certificate.
This allows an attacker to spoof arbitrary SSL-based SMTP servers via a crafted server
certificate issued by a legitimate Certification Authority, and to bypass intended
access restrictions via a crafted client certificate issued by a legitimate
Certification Authority.


[ MDVSA-2010:003 ] sendmail

 Problem Description:

 A security vulnerability has been identified and fixed in sendmail:
 
 sendmail before 8.14.4 does not properly handle a '\0' (NUL)
 character in a Common Name (CN) field of an X.509 certificate, which
 (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based
 SMTP servers via a crafted server certificate issued by a legitimate
 Certification Authority, and (2) allows remote attackers to bypass
 intended access restrictions via a crafted client certificate issued by
 a legitimate Certification Authority, a related issue to CVE-2009-2408

Ruby Net::HTTPS library does not validate server certificate CN

iSEC Partners Security Advisory - 2007-006-RubySSL
http://www.isecpartners.com
--------------------------------------------

Ruby Net::HTTPS library does not validate server certificate CN

Vendor: Ruby
Vendor URL: http://www.ruby-lang.org
Versions affected: 1.8.5, 1.8.6, Trunk Ruby
Systems Affected: All Ruby Platforms

[SECURITY] [DSA 1719-1] New gnutls13 packages fix certificate validation

Debian-specific: no
CVE Id(s)      : CVE-2008-4989
Debian Bug     : 505360

Martin von Gagern discovered that GNUTLS, an implementation of the
TLS/SSL protocol, handles verification of X.509 certificate chains
incorrectly if a self-signed certificate is configured as a trusted
certificate.  This could cause clients to accept forged server
certificates as genuine.  (CVE-2008-4989)

In addition, this update tightens the checks for X.509v1 certificates

[ GLSA 200901-10 ] GnuTLS: Certificate validation error

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
~                                             http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

~   Severity: Normal
~      Title: GnuTLS: Certificate validation error
~       Date: January 14, 2009
~       Bugs: #245850
~         ID: 200901-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Aruba Mobility Controller Shared Default Certificate

Aruba Mobility Controller Shared Default Certificate


Product:

Aruba Mobility Controller
http://www.arubanetworks.com/products/mobility_controllers.php


Aruba mobility controllers use X.509 certificates to protect access to the web management interface and to provide secure wireless authentication, such as TLS, TTLS, PEAP, and Aruba-specific Captive Portal. By default the controller uses a built-in certificate that is shared by all deployed units across all customers. Administrators are not forced to generate new, implementation-specific key pairs to replace this shared one.

Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory

We have been following up on Ben Laurie's advisory and have replaced the 
faulty certificate with a new one. In addition we created an advisory 
for our users that outlines some general precautions they should take:

http://blog.beuchelt.org/2008/08/07/Some+Security+Advice+For+Our+OpenID+Users.aspx). 


While these measures cannot guarantee safety, they can help improve the 
situation. In addition, Robin Wilton has documented what happened here:


[USN-612-9] openssl-blacklist update

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-612-3 addressed a weakness in OpenSSL certificate and key
generation in OpenVPN by introducing openssl-blacklist to aid in
detecting vulnerable private keys. This update enhances the
openssl-vulnkey tool to check Certificate Signing Requests, accept
input from STDIN, and check moduli without a certificate.


[USN-810-2] NSS regression

We apologize for the inconvenience.

Original advisory details:

 Moxie Marlinspike discovered that NSS did not properly handle regular
 expressions in certificate names. A remote attacker could create a
 specially crafted certificate to cause a denial of service (via application
 crash) or execute arbitrary code as the user invoking the program.
 (CVE-2009-2404)

 Moxie Marlinspike and Dan Kaminsky independently discovered that NSS did

Cisco Security Advisory: Cisco IOS Software Internet Key Exchange Resource Exhaustion Vulnerability

Summary
=======

Cisco IOS® devices that are configured for Internet Key Exchange
(IKE) protocol and certificate based authentication are vulnerable to
a resource exhaustion attack. Successful exploitation of this
vulnerability may result in the allocation of all available Phase 1
security associations (SA) and prevent the establishment of new IPsec
sessions.


[USN-810-1] NSS vulnerabilities

use NSS, such as Firefox, to effect the necessary changes.

Details follow:

Moxie Marlinspike discovered that NSS did not properly handle regular
expressions in certificate names. A remote attacker could create a
specially crafted certificate to cause a denial of service (via application
crash) or execute arbitrary code as the user invoking the program.
(CVE-2009-2404)

Moxie Marlinspike and Dan Kaminsky independently discovered that NSS did

[USN-810-2] NSPR update

needed to use the new NSS.

Original advisory details:

 Moxie Marlinspike discovered that NSS did not properly handle regular
 expressions in certificate names. A remote attacker could create a
 specially crafted certificate to cause a denial of service (via application
 crash) or execute arbitrary code as the user invoking the program.
 (CVE-2009-2404)
 
 Moxie Marlinspike and Dan Kaminsky independently discovered that NSS did

Re: Multiple vulnerabilities in several ATEN IP KVM Switches

Scheduled Release Date is around Aug. 17, 2009 

Please visit our ATEN official site later.
http://www.aten.com/download/download.php

As for SSL Certificate, SSL Certificate import function has built into our KVM above with new firmware. We strongly suggest our KVM users to import their individual Certificate for advanced security concern. We will tell our KVM users how to generate their own Certificate by openssl tool in our product manual later.

Thanks,
ATEN SUPPORT



Re: Multiple vulnerabilities in several ATEN IP KVM Switches

> Scheduled Release Date is around Aug. 17, 2009 
> 
> Please visit our ATEN official site later.
> http://www.aten.com/download/download.php
> 
> As for SSL Certificate, SSL Certificate import function has built into
> our KVM above with new firmware. We strongly suggest our KVM users to
> import their individual Certificate for advanced security concern. We
> will tell our KVM users how to generate their own Certificate by
> openssl tool in our product manual later. 
> 

Secunia Research: Oracle BEA WebLogic Server Plug-ins Certificate Buffer Overflow

====================================================================== 

                     Secunia Research 15/04/2009

 - Oracle BEA WebLogic Server Plug-ins Certificate Buffer Overflow -

====================================================================== 
Table of Contents

Affected Software

OpenID/Debian PRNG/DNS Cache poisoning advisory

===============================================

Ben Laurie of Google's Applied Security team, while working with an
external researcher, Dr. Richard Clayton of the Computer Laboratory,
Cambridge University, found that various OpenID Providers (OPs) had
TLS Server Certificates that used weak keys, as a result of the Debian
Predictable Random Number Generator (CVE-2008-0166).

In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and
the fact that almost all SSL/TLS implementations do not consult CRLs
(currently an untracked issue), this means that it is impossible to


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
