PT-2019-13851 · Jss+3 · Cryptomanager+3

Alexander Scheel +1

Published 2019-10-14 · Updated 2023-02-12 · CVE-2019-14823

CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: JSS' CryptoManager, versions after 4.4.6, 4.5.3, 4.6.0

Description: A flaw was found in the "Leaf and Chain" OCSP policy implementation, which implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as man-in-the-middle.

Recommendations: For JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, consider disabling the "Leaf and Chain" OCSP policy until a patch that prevents implicit trust of the root certificate is available. Restrict access to applications using this policy to minimize the risk of exploitation. Avoid using the affected CryptoManager versions in sensitive environments until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Weakness Enumeration

Improperly Implemented Security Check for Standard
Improper Certificate Validation

Related identifiers

ALT-PU-2019-2940
ALT-PU-2019-3187
CESA-2019_3067
CVE-2019-14823
MGASA-2020-0018
RHSA-2019:3067
RHSA-2019:3225
RHSA-2019_3067

Affected products

Alt Linux
Centos
Cryptomanager
Red Hat