PT-2018-18749 · Openssl+1 · Libressl+1
Christian Heimes
·
Published
2018-03-24
·
Updated
2024-06-15
·
CVE-2018-8970
CVSS v3.1
7.4
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
LibreSSL versions 2.7.0
Description
The issue arises from the
int x509 param set hosts function in lib/libcrypto/x509/x509 vpm.c, which fails to handle a specific special case of a zero name length. This oversight leads to the silent omission of hostname verification, allowing man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.Recommendations
For LibreSSL version 2.7.0, update to version 2.7.1 to resolve the issue.
Fix
Improper Certificate Validation
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Libressl
Suse