Vulnerabilities > CVE-2011-0199 - Improper Certificate Validation vulnerability in Apple mac OS X and mac OS X Server
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
NONE Integrity impact
HIGH Availability impact
NONE Summary
The Certificate Trust Policy component in Apple Mac OS X before 10.6.8 does not perform CRL checking for Extended Validation (EV) certificates that lack OCSP URLs, which might allow man-in-the-middle attackers to spoof an SSL server via a revoked certificate.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Creating a Rogue Certificate Authority Certificate An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec) .
Nessus
NASL family | MacOS X Local Security Checks |
NASL id | MACOSX_10_6_8.NASL |
description | The remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.8. This update contains security-related fixes for the following components : - App Store - ATS - Certificate Trust Policy - CoreFoundation - CoreGraphics - FTP Server - ImageIO - International Components for Unicode - Kernel - Libsystem - libxslt - MobileMe - MySQL - OpenSSL - patch - QuickLook - QuickTime - Samba - servermgrd - subversion |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 55416 |
published | 2011-06-24 |
reporter | This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/55416 |
title | Mac OS X 10.6.x < 10.6.8 Multiple Vulnerabilities |
code |
|
Seebug
bulletinFamily | exploit |
description | Bugtraq ID: 48412 CVE ID:CVE-2011-0196 CVE-2011-0197 CVE-2011-0198 CVE-2011-0199 CVE-2011-0200 CVE-2011-0201 CVE-2011-0202 CVE-2011-0203 CVE-2011-0204 CVE-2011-0205 CVE-2011-0206 CVE-2011-0207 CVE-2011-0208 CVE-2011-0209 CVE-2011-0210 CVE-2011-0211 CVE-2011-0212 CVE-2011-0213 CVE-2011-1132 Apple Mac OS X是一款商业性质的操作系统。 Apple Mac OS X 2011-004安全公告修复了多个安全漏洞,这些漏洞影响AirPort, App Store, ATS, Certificate Trust Policy, ColorSync, CoreFoundation, CoreGraphics, FTP Server, ImageIO, International Components for Unicode, MobileMe, QuickLook, QuickTime和servermgrd。 CVE-2011-0196: CNCVE ID:CNCVE-20110196 CNCVE-20110196 处理Wi-Fi帧存在越界读问题,当连接到Wi-Fi时,在同一网络的攻击者可使系统重置。 CVE-2011-0197: CNCVE ID:CNCVE-20110196 CNCVE-20110196 CNCVE-20110197 在某些条件下,App Store会记录用户AppleID密码到其他用户不可读的文件中。 CVE-2011-0198: CNCVE ID:CNCVE-20110196 CNCVE-20110196 CNCVE-20110197 CNCVE-20110198 处理TrueType字体存在堆缓冲区溢出,查看或下载包含恶意字体的文档可执行任意代码。 CVE-2011-0199: CNCVE ID:CNCVE-20110196 CNCVE-20110196 CNCVE-20110197 CNCVE-20110198 CNCVE-20110199 证书信任策略存在一个错误处理问题。如果扩展验证(EV)证书没有OCSP URL,并且启用了CRL,那么CRL不会被检查并会接收作废的证书作为合法证书。 CVE-2011-0200: CNCVE ID:CNCVE-20110196 CNCVE-20110196 CNCVE-20110197 CNCVE-20110198 CNCVE-20110199 CNCVE-20110200 处理嵌入ColorSync配置文件的图像时存在整数溢出,可导致堆缓冲区溢出。 CVE-2011-0201: CNCVE ID:CNCVE-20110196 CNCVE-20110196 CNCVE-20110197 CNCVE-20110198 CNCVE-20110199 CNCVE-20110200 CNCVE-20110201 处理CFStrings存在单字节缓冲区溢出,可导致应用程序崩溃或任意代码执行。 CVE-2011-0202: CNCVE ID:CNCVE-20110196 CNCVE-20110196 CNCVE-20110197 CNCVE-20110198 CNCVE-20110199 CNCVE-20110200 CNCVE-20110201 CNCVE-20110202 处理Type 1字体存在整数溢出,查看和下载嵌入特制字体的文档可导致任意代码执行。 CVE-2011-0203: CNCVE ID:CNCVE-20110196 CNCVE-20110196 CNCVE-20110197 CNCVE-20110198 CNCVE-20110199 CNCVE-20110200 CNCVE-20110201 CNCVE-20110202 CNCVE-20110203 xftpd存在路径校验错误,具有FTP访问的用户可列出系统文件。 CVE-2011-0204: CNCVE ID:CNCVE-20110196 CNCVE-20110196 CNCVE-20110197 CNCVE-20110198 CNCVE-20110199 CNCVE-20110200 CNCVE-20110201 CNCVE-20110202 CNCVE-20110203 CNCVE-20110204 ImageIO处理TIFF图像存在堆缓冲区溢出,查看特制的TIFF图像可导致应用程序崩溃或执行任意代码。 CVE-2011-0205: CNCVE ID:CNCVE-20110196 CNCVE-20110196 CNCVE-20110197 CNCVE-20110198 CNCVE-20110199 CNCVE-20110200 CNCVE-20110201 CNCVE-20110202 CNCVE-20110203 CNCVE-20110204 CNCVE-20110205 ImageIO处理JPEG2000图像存在堆缓冲区溢出,查看特制的TIFF图像可导致应用程序崩溃或执行任意代码。 CVE-2011-0206: CNCVE ID:CNCVE-20110196 CNCVE-20110196 CNCVE-20110197 CNCVE-20110198 CNCVE-20110199 CNCVE-20110200 CNCVE-20110201 CNCVE-20110202 CNCVE-20110203 CNCVE-20110204 CNCVE-20110205 CNCVE-20110206 ICU处理大写字符串存在缓冲区溢出,可使使用ICU的应用程序崩溃。 CVE-2011-0207: CNCVE ID:CNCVE-20110196 CNCVE-20110196 CNCVE-20110197 CNCVE-20110198 CNCVE-20110199 CNCVE-20110200 CNCVE-20110201 CNCVE-20110202 CNCVE-20110203 CNCVE-20110204 CNCVE-20110205 CNCVE-20110206 CNCVE-20110207 通过MobileMe连接判断用户Email别名时,邮件会通过HTTP提交请求,结果可导致一个具体有特权网络位置的攻击者读取用户MobileMe email别名。 CVE-2011-0208: CNCVE ID:CNCVE-20110196 CNCVE-20110196 CNCVE-20110197 CNCVE-20110198 CNCVE-20110199 CNCVE-20110200 CNCVE-20110201 CNCVE-20110202 CNCVE-20110203 CNCVE-20110204 CNCVE-20110205 CNCVE-20110206 CNCVE-20110207 CNCVE-20110208 QuickLook处理Microsoft office文件存在内存破坏,下载特制的Microsoft Office文件可使应用程序崩溃或执行任意代码。 CVE-2011-0209: CNCVE ID:CNCVE-20110196 CNCVE-20110196 CNCVE-20110197 CNCVE-20110198 CNCVE-20110199 CNCVE-20110200 CNCVE-20110201 CNCVE-20110202 CNCVE-20110203 CNCVE-20110204 CNCVE-20110205 CNCVE-20110206 CNCVE-20110207 CNCVE-20110208 CNCVE-20110209 QuickTime处理RIFF WAV文件存在整数溢出,查看特制WAV文件可使应用程序崩溃或执行任意代码。 CVE-2011-0210: CNCVE ID:CNCVE-20110196 CNCVE-20110196 CNCVE-20110197 CNCVE-20110198 CNCVE-20110199 CNCVE-20110200 CNCVE-20110201 CNCVE-20110202 CNCVE-20110203 CNCVE-20110204 CNCVE-20110205 CNCVE-20110206 CNCVE-20110207 CNCVE-20110208 CNCVE-20110209 CNCVE-20110210 QuickTime处理QuickTime电影文件中的示例表时存在内存破坏,查看特制电影文件可使应用程序崩溃或执行任意代码。 CVE-2011-0211: CNCVE ID:CNCVE-20110196 CNCVE-20110196 CNCVE-20110197 CNCVE-20110198 CNCVE-20110199 CNCVE-20110200 CNCVE-20110201 CNCVE-20110202 CNCVE-20110203 CNCVE-20110204 CNCVE-20110205 CNCVE-20110206 CNCVE-20110207 CNCVE-20110208 CNCVE-20110209 CNCVE-20110210 CNCVE-20110211 QuickTime处理QuickTime电影文件存在整数溢出,查看特制电影文件可使应用程序崩溃或执行任意代码。 CVE-2011-0212: CNCVE ID:CNCVE-20110196 CNCVE-20110196 CNCVE-20110197 CNCVE-20110198 CNCVE-20110199 CNCVE-20110200 CNCVE-20110201 CNCVE-20110202 CNCVE-20110203 CNCVE-20110204 CNCVE-20110205 CNCVE-20110206 CNCVE-20110207 CNCVE-20110208 CNCVE-20110209 CNCVE-20110210 CNCVE-20110211 CNCVE-20110212 QuickTime处理PICT图像存在缓冲区溢出,查看特制PICT图像文件可使应用程序崩溃或执行任意代码。 CVE-2011-0213: CNCVE ID:CNCVE-20110196 CNCVE-20110196 CNCVE-20110197 CNCVE-20110198 CNCVE-20110199 CNCVE-20110200 CNCVE-20110201 CNCVE-20110202 CNCVE-20110203 CNCVE-20110204 CNCVE-20110205 CNCVE-20110206 CNCVE-20110207 CNCVE-20110208 CNCVE-20110209 CNCVE-20110210 CNCVE-20110211 CNCVE-20110212 CNCVE-20110213 QuickTime处理JPEG图像存在缓冲区溢出,查看特制JPEG图像文件可使应用程序崩溃或执行任意代码。 CVE-2011-1132: CNCVE ID:CNCVE-20110196 CNCVE-20110196 CNCVE-20110197 CNCVE-20110198 CNCVE-20110199 CNCVE-20110200 CNCVE-20110201 CNCVE-20110202 CNCVE-20110203 CNCVE-20110204 CNCVE-20110205 CNCVE-20110206 CNCVE-20110207 CNCVE-20110208 CNCVE-20110209 CNCVE-20110210 CNCVE-20110211 CNCVE-20110212 CNCVE-20110213 CNCVE-20111132 处理IPV6套接字选项存在空指针引用错误,本地用户可使系统重置。 Apple Mac OS X Server 10.6.6 Apple Mac OS X Server 10.6.5 Apple Mac OS X Server 10.6.5 Apple Mac OS X Server 10.6.4 Apple Mac OS X Server 10.6.3 Apple Mac OS X Server 10.6.2 Apple Mac OS X Server 10.6.1 Apple Mac OS X Server 10.5.8 Apple Mac OS X Server 10.5.7 Apple Mac OS X Server 10.5.6 Apple Mac OS X Server 10.5.5 Apple Mac OS X Server 10.5.4 Apple Mac OS X Server 10.5.3 Apple Mac OS X Server 10.5.2 Apple Mac OS X Server 10.5.1 Apple Mac OS X Server 10.5 Apple Mac Os X Server 10.6.7 Apple Mac OS X Server 10.6 Apple Mac OS X Server 10.5 Apple Mac OS X 10.6.5 Apple Mac OS X 10.6.4 Apple Mac OS X 10.6.3 Apple Mac OS X 10.6.2 Apple Mac OS X 10.6.1 Apple Mac OS X 10.5.8 Apple Mac OS X 10.5.7 Apple Mac OS X 10.5.6 Apple Mac OS X 10.5.5 Apple Mac OS X 10.5.4 Apple Mac OS X 10.5.3 Apple Mac OS X 10.5.2 Apple Mac OS X 10.5.1 Apple Mac OS X 10.5 Apple Mac OS X 10.6 Apple Mac OS X 10.5 厂商解决方案 用户可参考如下供应商提供的安全公告获得补丁信息: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=0b760113a3a155269a3fba93a409c640031dd68f |
id | SSV:20665 |
last seen | 2017-11-19 |
modified | 2011-06-27 |
published | 2011-06-27 |
reporter | Root |
title | Apple Mac OS X 10.6.8之前版本存在多个安全漏洞 |