CVE-2008-1676
System: incorrect handling of Extensions in CSRs (cs71)
Severity Score
7.5
*CVSS v2
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Red Hat PKI Common Framework (rhpki-common) in Red Hat Certificate System (aka Certificate Server or RHCS) 7.1 through 7.3, and Netscape Certificate Management System 6.x, does not recognize Certificate Authority profile constraints on Extensions, which might allow remote attackers to bypass intended restrictions and conduct man-in-the-middle attacks by submitting a certificate signing request (CSR) and using the resulting certificate.
Red Hat PKI Common Framework (rhpki-common) de Red Hat Certificate System (tambiƩn conocido como Certificate Server o RHCS) 7.1 hasta 7.3, y Netscape Certificate Management System 6.x; no reconocen las restricciones de perfil de la Autoridad Certificadora en Extensions, esto puede permitir a atacantes remotos evitar las restricciones pretendidas y realizar ataques de hombre-en-medio (man-in-the-middle) al enviar una Solicitud de Firma de Certificado (certificate signing request (CSR)) y utilizar el certificado resultante.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2008-04-03 CVE Reserved
- 2008-07-07 CVE Published
- 2024-07-13 EPSS Updated
- 2024-08-07 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-255: Credentials Management Errors
- CWE-297: Improper Validation of Certificate with Host Mismatch
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| http://secunia.com/advisories/30929 | Third Party Advisory | |
| http://www.securityfocus.com/bid/30062 | Vdb Entry | |
| http://www.securitytracker.com/id?1020427 | Vdb Entry | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/43573 | Vdb Entry |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2008-0500.html | 2023-02-13 | |
| http://rhn.redhat.com/errata/RHSA-2008-0577.html | 2023-02-13 |
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=445227 | 2008-07-02 | |
| https://access.redhat.com/security/cve/CVE-2008-1676 | 2008-07-02 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Netscape Search vendor "Netscape" | Certificate Management System Search vendor "Netscape" for product "Certificate Management System" | <= 6.2 Search vendor "Netscape" for product "Certificate Management System" and version " <= 6.2" | - |
Affected
| in | Redhat Search vendor "Redhat" | Certificate System Search vendor "Redhat" for product "Certificate System" | 7.1 Search vendor "Redhat" for product "Certificate System" and version "7.1" | - |
Safe
|
| Netscape Search vendor "Netscape" | Certificate Management System Search vendor "Netscape" for product "Certificate Management System" | <= 6.2 Search vendor "Netscape" for product "Certificate Management System" and version " <= 6.2" | - |
Affected
| in | Redhat Search vendor "Redhat" | Certificate System Search vendor "Redhat" for product "Certificate System" | 7.2 Search vendor "Redhat" for product "Certificate System" and version "7.2" | - |
Safe
|
| Netscape Search vendor "Netscape" | Certificate Management System Search vendor "Netscape" for product "Certificate Management System" | <= 6.2 Search vendor "Netscape" for product "Certificate Management System" and version " <= 6.2" | - |
Affected
| in | Redhat Search vendor "Redhat" | Certificate System Search vendor "Redhat" for product "Certificate System" | 7.3 Search vendor "Redhat" for product "Certificate System" and version "7.3" | - |
Safe
|
| Netscape Search vendor "Netscape" | Certificate Management System Search vendor "Netscape" for product "Certificate Management System" | 6.0 Search vendor "Netscape" for product "Certificate Management System" and version "6.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Certificate System Search vendor "Redhat" for product "Certificate System" | 7.1 Search vendor "Redhat" for product "Certificate System" and version "7.1" | - |
Safe
|
| Netscape Search vendor "Netscape" | Certificate Management System Search vendor "Netscape" for product "Certificate Management System" | 6.0 Search vendor "Netscape" for product "Certificate Management System" and version "6.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Certificate System Search vendor "Redhat" for product "Certificate System" | 7.2 Search vendor "Redhat" for product "Certificate System" and version "7.2" | - |
Safe
|
| Netscape Search vendor "Netscape" | Certificate Management System Search vendor "Netscape" for product "Certificate Management System" | 6.0 Search vendor "Netscape" for product "Certificate Management System" and version "6.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Certificate System Search vendor "Redhat" for product "Certificate System" | 7.3 Search vendor "Redhat" for product "Certificate System" and version "7.3" | - |
Safe
|
| Netscape Search vendor "Netscape" | Certificate Management System Search vendor "Netscape" for product "Certificate Management System" | 6.01 Search vendor "Netscape" for product "Certificate Management System" and version "6.01" | - |
Affected
| in | Redhat Search vendor "Redhat" | Certificate System Search vendor "Redhat" for product "Certificate System" | 7.1 Search vendor "Redhat" for product "Certificate System" and version "7.1" | - |
Safe
|
| Netscape Search vendor "Netscape" | Certificate Management System Search vendor "Netscape" for product "Certificate Management System" | 6.01 Search vendor "Netscape" for product "Certificate Management System" and version "6.01" | - |
Affected
| in | Redhat Search vendor "Redhat" | Certificate System Search vendor "Redhat" for product "Certificate System" | 7.2 Search vendor "Redhat" for product "Certificate System" and version "7.2" | - |
Safe
|
| Netscape Search vendor "Netscape" | Certificate Management System Search vendor "Netscape" for product "Certificate Management System" | 6.01 Search vendor "Netscape" for product "Certificate Management System" and version "6.01" | - |
Affected
| in | Redhat Search vendor "Redhat" | Certificate System Search vendor "Redhat" for product "Certificate System" | 7.3 Search vendor "Redhat" for product "Certificate System" and version "7.3" | - |
Safe
|
| Netscape Search vendor "Netscape" | Certificate Management System Search vendor "Netscape" for product "Certificate Management System" | 6.1 Search vendor "Netscape" for product "Certificate Management System" and version "6.1" | - |
Affected
| in | Redhat Search vendor "Redhat" | Certificate System Search vendor "Redhat" for product "Certificate System" | 7.1 Search vendor "Redhat" for product "Certificate System" and version "7.1" | - |
Safe
|
| Netscape Search vendor "Netscape" | Certificate Management System Search vendor "Netscape" for product "Certificate Management System" | 6.1 Search vendor "Netscape" for product "Certificate Management System" and version "6.1" | - |
Affected
| in | Redhat Search vendor "Redhat" | Certificate System Search vendor "Redhat" for product "Certificate System" | 7.2 Search vendor "Redhat" for product "Certificate System" and version "7.2" | - |
Safe
|
| Netscape Search vendor "Netscape" | Certificate Management System Search vendor "Netscape" for product "Certificate Management System" | 6.1 Search vendor "Netscape" for product "Certificate Management System" and version "6.1" | - |
Affected
| in | Redhat Search vendor "Redhat" | Certificate System Search vendor "Redhat" for product "Certificate System" | 7.3 Search vendor "Redhat" for product "Certificate System" and version "7.3" | - |
Safe
|