PT-2015-6236 · Squid+4 · Squid+5

Publicado

2014-04-24

Atualizado

2019-12-27

CVE-2015-3455

CVSS v2.0

2.6

Baixa

Vetor

AV:N/AC:H/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions Squid versions 3.2.x through 3.2.13 Squid versions 3.3.x through 3.3.13 Squid versions 3.4.x through 3.4.12 Squid versions 3.5.x through 3.5.3

Description The issue arises when Squid is configured with client-first SSL-bump and fails to properly validate the domain or hostname fields of X.509 certificates. This allows man-in-the-middle attackers to spoof SSL servers via a valid certificate.

Recommendations For Squid versions 3.2.x through 3.2.13, update to version 3.2.14 or later. For Squid versions 3.3.x through 3.3.13, update to version 3.3.14 or later. For Squid versions 3.4.x through 3.4.12, update to version 3.4.13 or later. For Squid versions 3.5.x through 3.5.3, update to version 3.5.4 or later.

Exploit

Correção

RCE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-20

Identificadores relacionados

ALT-PU-2014-1531

ALT-PU-2015-1383

CESA-2015_2378

CVE-2015-3455

MGASA-2015-0191

RHSA-2015:2378

RHSA-2015_2378

SUSE-SU-2016:2008-1

Produtos afetados

Alt Linux

Centos

Red Hat

Squid

Squid Cache

Suse

PT-2015-6236 · Squid+4 · Squid+5

CVE-2015-3455

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 94