ID CVE-2002-0862
Summary The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.
References
Vulnerable Configurations
  • cpe:2.3:a:adam_megacz:tinyssl:1.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:adam_megacz:tinyssl:1.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:kde:konqueror:2.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:kde:konqueror:2.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:kde:konqueror:3.0:*:*:*:*:*:*:*
    cpe:2.3:a:kde:konqueror:3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:kde:konqueror:3.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:kde:konqueror:3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:kde:konqueror:3.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:kde:konqueror:3.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.0.1:sp1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.0.1:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.0.1:sp2:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.0.1:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.5:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.5:sp1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.5:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.5:sp2:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.5:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:6.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie_for_macintosh:5.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie_for_macintosh:5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie_for_macintosh:5.1:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie_for_macintosh:5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie_for_macintosh:5.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie_for_macintosh:5.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_information_services:5.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:internet_information_services:5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:98:*:mac:*:*:*:*:*
    cpe:2.3:a:microsoft:office:98:*:mac:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:2001:*:macintosh:*:*:*:*:*
    cpe:2.3:a:microsoft:office:2001:*:macintosh:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:2001:sr1:mac_os:*:*:*:*:*
    cpe:2.3:a:microsoft:office:2001:sr1:mac_os:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:v.x:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:office:v.x:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:outlook_express:4.5:*:macos:*:*:*:*:*
    cpe:2.3:a:microsoft:outlook_express:4.5:*:macos:*:*:*:*:*
  • cpe:2.3:a:microsoft:outlook_express:5.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:outlook_express:5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:outlook_express:5.0:*:macos:*:*:*:*:*
    cpe:2.3:a:microsoft:outlook_express:5.0:*:macos:*:*:*:*:*
  • cpe:2.3:a:microsoft:outlook_express:5.0.1:*:macos:*:*:*:*:*
    cpe:2.3:a:microsoft:outlook_express:5.0.1:*:macos:*:*:*:*:*
  • cpe:2.3:a:microsoft:outlook_express:5.0.2:*:macos:*:*:*:*:*
    cpe:2.3:a:microsoft:outlook_express:5.0.2:*:macos:*:*:*:*:*
  • cpe:2.3:a:microsoft:outlook_express:5.0.3:*:macos:*:*:*:*:*
    cpe:2.3:a:microsoft:outlook_express:5.0.3:*:macos:*:*:*:*:*
  • cpe:2.3:o:baltimore_technologies:mailsecure:*:*:*:*:*:*:*:*
    cpe:2.3:o:baltimore_technologies:mailsecure:*:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:2.2.1:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:2.2.1:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:2.2.2:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:2.2.2:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:3.0:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:3.0:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:3.0.1:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:3.0.2:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:3.0.2:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2000:*:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_2000:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2000:*:sp1:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_2000:*:sp1:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2000:*:sp2:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_2000:*:sp2:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2000:*:sp3:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_2000:*:sp3:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2000_terminal_services:*:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_2000_terminal_services:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2000_terminal_services:*:sp1:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_2000_terminal_services:*:sp1:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2000_terminal_services:*:sp2:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_2000_terminal_services:*:sp2:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2000_terminal_services:*:sp3:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_2000_terminal_services:*:sp3:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_98:*:gold:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_98:*:gold:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_98se:*:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_98se:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_me:*:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_me:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:*:alpha:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:*:alpha:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:*:terminal_server:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:*:terminal_server:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp1:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:sp1:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp1:alpha:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:sp1:alpha:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp1:terminal_server:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:sp1:terminal_server:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp2:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:sp2:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp2:alpha:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:sp2:alpha:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp2:terminal_server:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:sp2:terminal_server:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp3:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:sp3:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp3:alpha:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:sp3:alpha:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp3:terminal_server:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:sp3:terminal_server:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp4:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:sp4:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp4:alpha:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:sp4:alpha:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp4:terminal_server:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:sp4:terminal_server:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp5:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:sp5:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp5:alpha:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:sp5:alpha:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp5:terminal_server:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:sp5:terminal_server:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp6:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:sp6:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp6:alpha:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:sp6:alpha:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp6:terminal_server:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:sp6:terminal_server:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:alpha:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:alpha:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:terminal_server:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:terminal_server:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:*:*:64-bit:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_xp:*:*:64-bit:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:*:*:home:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_xp:*:*:home:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:*:gold:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_xp:*:gold:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:*:gold:professional:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_xp:*:gold:professional:*:*:*:*:*
CVSS
Base: 7.5 (as of 30-04-2019 - 14:27)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
oval via4
  • accepted 2011-05-16T04:00:14.140-04:00
    class vulnerability
    contributors
    • name Christine Walzer
      organization The MITRE Corporation
    • name Christine Walzer
      organization The MITRE Corporation
    • name Christine Walzer
      organization The MITRE Corporation
    • name Christine Walzer
      organization The MITRE Corporation
    • name Shane Shaffer
      organization G2, Inc.
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    description The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.
    family windows
    id oval:org.mitre.oval:def:1056
    status accepted
    submitted 2004-07-12T12:00:00.000-04:00
    title Microsoft Certificate Validation Flaw Identity Spoofing Vulnerability
    version 71
  • accepted 2011-05-16T04:00:52.883-04:00
    class vulnerability
    contributors
    • name Christine Walzer
      organization The MITRE Corporation
    • name Christine Walzer
      organization The MITRE Corporation
    • name Christine Walzer
      organization The MITRE Corporation
    • name Christine Walzer
      organization The MITRE Corporation
    • name Christine Walzer
      organization The MITRE Corporation
    • name Shane Shaffer
      organization G2, Inc.
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    description The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.
    family windows
    id oval:org.mitre.oval:def:1332
    status accepted
    submitted 2004-07-12T12:00:00.000-04:00
    title Windows 2000 Certificate Validation Identity Spoofing Vulnerability (Test 1)
    version 71
  • accepted 2011-05-16T04:02:35.841-04:00
    class vulnerability
    contributors
    • name Christine Walzer
      organization The MITRE Corporation
    • name Christine Walzer
      organization The MITRE Corporation
    • name Christine Walzer
      organization The MITRE Corporation
    • name Christine Walzer
      organization The MITRE Corporation
    • name Christine Walzer
      organization The MITRE Corporation
    • name Anna Min
      organization BigFix, Inc
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    description The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.
    family windows
    id oval:org.mitre.oval:def:2671
    status accepted
    submitted 2004-07-11T12:00:00.000-04:00
    title Windows 2000 Certificate Validation Identity Spoofing Vulnerability (Test 2)
    version 69
refmap via4
bugtraq
  • 20020805 IE SSL Vulnerability
  • 20020812 IE SSL Exploit
  • 20020819 Insufficient Verification of Client Certificates in IIS 5.0 pre sp3
xf ssl-ca-certificate-spoofing(9776)
Last major update 30-04-2019 - 14:27
Published 04-10-2002 - 04:00
Last modified 30-04-2019 - 14:27
Back to Top