PT-2008-3224 · Red Hat · Red Hat Certificate System
Published: 2008-07-07 · Updated: 2023-02-13
CVE-2008-1676
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Red Hat Certificate System versions 7.1 through 7.3
Netscape Certificate Management System version 6.x
Description
The Certificate Authority fails to recognize profile constraints on Extensions. This allows remote attackers to bypass intended restrictions and conduct man-in-the-middle attacks by submitting a certificate signing request (CSR) and using the resulting certificate.
Recommendations
For Red Hat Certificate System versions 7.1 through 7.3, consider restricting access to certificate signing requests until a fix is available.
For Netscape Certificate Management System version 6.x, avoid using the affected Certificate Authority profile constraints on Extensions until the issue is resolved.
As a temporary workaround, consider disabling the use of certificate signing requests in the affected systems until a patch is available.
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Netscape Certificate Management System
Red Hat Certificate System