Vulnerabilities > CVE-2011-3061 - Improper Certificate Validation vulnerability in Google Chrome
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
NONE Summary
Google Chrome before 18.0.1025.142 does not properly check X.509 certificates before use of a SPDY proxy, which might allow man-in-the-middle attackers to spoof servers or obtain sensitive information via a crafted certificate.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Creating a Rogue Certificate Authority Certificate An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec) .
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201203-24.NASL description The remote host is affected by the vulnerability described in GLSA-201203-24 (Chromium, V8: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Chromium and V8. Please review the CVE identifiers and release notes referenced below for details. Impact : A context-dependent attacker could entice a user to open a specially crafted website or JavaScript program using Chromium or V8, possibly resulting in the execution of arbitrary code with the privileges of the process, or a Denial of Service condition. The attacker could also entice a user to open a specially crafted web site using Chromium, possibly resulting in cross-site scripting (XSS), or an unspecified SPDY certificate checking error. Workaround : There is no known workaround at this time. last seen 2020-04-16 modified 2012-06-21 plugin id 59616 published 2012-06-21 reporter This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/59616 title GLSA-201203-24 : Chromium, V8: Multiple vulnerabilities NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_B8F0A391791011E18A4300262D5ED8EE.NASL description Google Chrome Releases reports : [109574] Medium CVE-2011-3058: Bad interaction possibly leading to XSS in EUC-JP. Credit to Masato Kinugawa. [112317] Medium CVE-2011-3059: Out-of-bounds read in SVG text handling. Credit to Arthur Gerkis. [114056] Medium CVE-2011-3060: Out-of-bounds read in text fragment handling. Credit to miaubiz. [116398] Medium CVE-2011-3061: SPDY proxy certificate checking error. Credit to Leonidas Kontothanassis of Google. [116524] High CVE-2011-3062: Off-by-one in OpenType Sanitizer. Credit to Mateusz Jurczyk of the Google Security Team. [117417] Low CVE-2011-3063: Validate navigation requests from the renderer more carefully. Credit to kuzzcc, Sergey Glazunov, PinkiePie and scarybeasts (Google Chrome Security Team). [117471] High CVE-2011-3064: Use-after-free in SVG clipping. Credit to Atte Kettunen of OUSPG. [117588] High CVE-2011-3065: Memory corruption in Skia. Credit to Omair. [117794] Medium CVE-2011-3057: Invalid read in v8. Credit to Christian Holler. last seen 2020-06-01 modified 2020-06-02 plugin id 58521 published 2012-03-29 reporter This script is Copyright (C) 2012-2013 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/58521 title FreeBSD : chromium -- multiple vulnerabilities (b8f0a391-7910-11e1-8a43-00262d5ed8ee) NASL family Windows NASL id GOOGLE_CHROME_18_0_1025_142.NASL description The version of Google Chrome installed on the remote host is earlier than 18.0.1025.142 and is, therefore, affected by the following vulnerabilities : - An error exists in the v8 JavaScript engine that can allow invalid reads. (CVE-2011-3057) - An unspecified error exists related to bad interaction and last seen 2020-06-01 modified 2020-06-02 plugin id 58536 published 2012-03-30 reporter This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/58536 title Google Chrome < 18.0.1025.142 Multiple Vulnerabilities NASL family SuSE Local Security Checks NASL id OPENSUSE-2012-215.NASL description Security update for Chromium and V8 to 18.0.1025.142. Following bugs are listed in the Chrome changelog : - [$500] [109574<https://code.google.com/p/chromium/issues/detail ?id=109574>] Medium CVE-2011-3058: Bad interaction possibly leading to XSS in EUC-JP. Credit to Masato Kinugawa. - [$500] [112317<https://code.google.com/p/chromium/issues/detail ?id=112317>] Medium CVE-2011-3059: Out-of-bounds read in SVG text handling. Credit to Arthur Gerkis. - [$500] [114056<https://code.google.com/p/chromium/issues/detail ?id=114056>] Medium CVE-2011-3060: Out-of-bounds read in text fragment handling. Credit to miaubiz. - [116398 <https://code.google.com/p/chromium/issues/detail?id=116 398>] Medium CVE-2011-3061: SPDY proxy certificate checking error. Credit to Leonidas Kontothanassis of Google. - [116524 <https://code.google.com/p/chromium/issues/detail?id=116 524>] High CVE-2011-3062: Off-by-one in OpenType Sanitizer. Credit to Mateusz Jurczyk of the Google Security Team. - [117417 <https://code.google.com/p/chromium/issues/detail?id=117 417>] Low CVE-2011-3063: Validate navigation requests from the renderer more carefully. Credit to kuzzcc, Sergey Glazunov, PinkiePie and scarybeasts (Google Chrome Security Team). - [$1000] [117471<https://code.google.com/p/chromium/issues/detail ?id=117471>] High CVE-2011-3064: Use-after-free in SVG clipping. Credit to Atte Kettunen of OUSPG. - [$1000] [117588<https://code.google.com/p/chromium/issues/detail ?id=117588>] High CVE-2011-3065: Memory corruption in Skia. Credit to Omair. - [$500] [117794<https://code.google.com/p/chromium/issues/detail ?id=117794>] Medium CVE-2011-3057: Invalid read in v8. Credit to Christian Holler. The bugs [112317<https://code.google.com/p/chromium/issues/detail?id=112317>], [114056 <https://code.google.com/p/chromium/issues/detail?id=114056>] and [ 117471 <https://code.google.com/p/chromium/issues/detail?id=117471>] were detected using AddressSanitizer<http://code.google.com/p/address-sanitizer/wiki/Addre ssSanitizer> . We last seen 2020-06-05 modified 2014-06-13 plugin id 74592 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74592 title openSUSE Security Update : chromium (openSUSE-SU-2012:0492-1)
Oval
| accepted | 2013-08-12T04:06:50.508-04:00 | ||||||||||||
| class | vulnerability | ||||||||||||
| contributors |
| ||||||||||||
| definition_extensions |
| ||||||||||||
| description | Google Chrome before 18.0.1025.142 does not properly check X.509 certificates before use of a SPDY proxy, which might allow man-in-the-middle attackers to spoof servers or obtain sensitive information via a crafted certificate. | ||||||||||||
| family | windows | ||||||||||||
| id | oval:org.mitre.oval:def:14849 | ||||||||||||
| status | accepted | ||||||||||||
| submitted | 2012-04-01T08:45:06.747-04:00 | ||||||||||||
| title | Google Chrome before 18.0.1025.142 does not properly check X.509 certificates before use of a SPDY proxy | ||||||||||||
| version | 44 |
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 52762 CVE ID: CVE-2011-3058,CVE-2011-3059,CVE-2011-3060,CVE-2011-3061,CVE-2011-3062,CVE-2011-3063,CVE-2011-3064,CVE-2011-3065 Google Chrome是由Google开发的一款设计简单、高效的Web浏览工具。 Google Chrome 18.0.1025.142之前版本在实现上存在多个安全漏洞,攻击者可利用这些漏洞执行任意代码、绕过安全限制、执行跨站脚本执行攻击。 0 Google Chrome < 18.0.1025.142 厂商补丁: Google ------ 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.google.com |
| id | SSV:60015 |
| last seen | 2017-11-19 |
| modified | 2012-03-29 |
| published | 2012-03-29 |
| reporter | Root |
| title | Google Chrome 18.0.1025.142之前版本多个内存破坏漏洞 |
References
- http://code.google.com/p/chromium/issues/detail?id=116398
- http://googlechromereleases.blogspot.com/2012/03/stable-channel-release-and-beta-channel.html
- http://osvdb.org/80739
- http://secunia.com/advisories/48618
- http://secunia.com/advisories/48691
- http://secunia.com/advisories/48763
- http://www.securityfocus.com/bid/52762
- http://www.securitytracker.com/id?1026877
- https://exchange.xforce.ibmcloud.com/vulnerabilities/74411
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14849