PT-2010-2902 · Libesmtp · Libesmtp
Kees Cook
·
Published
2010-03-31
·
Updated
2010-05-22
·
CVE-2010-1194
CVSS v2.0
6.8
Medium
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
libESMTP versions 1.0.3.r1 through 1.0.4
Description
The issue arises from the
match component function in smtp-tls.c, which incorrectly treats two strings as equal if one is a substring of the other. This allows remote attackers to spoof trusted certificates by crafting a subjectAltName.Recommendations
For libESMTP versions 1.0.3.r1 through 1.0.4, consider disabling the
match component function until a patch is available to prevent remote attackers from spoofing trusted certificates.Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Libesmtp