CVE-2012-5662 - x3270 before 3.3.12ga12 does not verify that the server hostname matches a domain name in the subjec

CVE-2012-5662

Summary

x3270 before 3.3.12ga12 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

References

Vulnerable Configurations

cpe:2.3:a:paul_mattes:x3270:3.3.5:*:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.5:*:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.6:*:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.6:*:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.7:*:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.7:*:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.8:-:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.8:-:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.8:p1:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.8:p1:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.8:p2:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.8:p2:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.8:p3:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.8:p3:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.9:ga11:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.9:ga11:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.9:ga12:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.9:ga12:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.10:ga3:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.10:ga3:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.10:ga4:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.10:ga4:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.10:ga5:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.10:ga5:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.11:beta2:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.11:beta2:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.11:beta4:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.11:beta4:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.11:ga6:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.11:ga6:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.12:beta6:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.12:beta6:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.12:ga10:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.12:ga10:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.12:ga11:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.12:ga11:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.12:ga7:*:*:*:*:*:*
cpe:2.3:a:paul_mattes:x3270:3.3.12:ga7:*:*:*:*:*:*

CVSS

Base:	5.8 (as of 29-08-2017 - 01:32)
Impact:
Exploitability:

CWE

CWE-310

CAPEC

Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	NONE

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:N

refmap via4

confirm	http://sourceforge.net/projects/x3270/files/x3270/3.3.12ga12/ https://bugzilla.redhat.com/show_bug.cgi?id=889373
osvdb	91572
secunia	52650
xf	x3270-cve20125662-spoofing(82984)

Last major update

29-08-2017 - 01:32

Published

27-05-2014 - 14:55

Last modified

29-08-2017 - 01:32