CVE-2009-3552

GUI: Man in the middle attack possible on the GUI to Backend SSL connection

Severity Score

3.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In RHEV-M VDC 2.2.0, it was found that the SSL certificate was not verified when using the client-side Red Hat Enterprise Virtualization Manager interface (a Windows Presentation Foundation (WPF) XAML browser application) to connect to the Red Hat Enterprise Virtualization Manager. An attacker on the local network could use this flaw to conduct a man-in-the-middle attack, tricking the user into thinking they are viewing the Red Hat Enterprise Virtualization Manager when the content is actually attacker-controlled, or modifying actions a user requested Red Hat Enterprise Virtualization Manager to perform.

En RHEV-M VDC versión 2.2.0, se detectó que el certificado SSL no fue comprobado cuando se usaba la interfaz Red Hat Enterprise Virtualization Manager del lado del cliente (una aplicación de navegador XAML de Windows Presentation Foundation (WPF)) para conectar con el Red Hat Enterprise Virtualization Manager. Un atacante en la red local podría utilizar este fallo para conducir un ataque de tipo man-in-the-middle, engañando al usuario para que piense que está visualizando el Red Hat Enterprise Virtualization Manager cuando el contenido está realmente controlado por el atacante, o modificando acciones que un usuario solicitó a Red Hat Enterprise Virtualization Manager realizar.

*Credits: N/A

CVSS Scores

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Adjacent

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

Attack Vector

Adjacent

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2009-10-05 CVE Reserved
2019-11-09 CVE Published
2024-08-07 CVE Updated
2024-11-02 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-295: Improper Certificate Validation

CAPEC

References (5)

URL	Tag	Source
https://access.redhat.com/security/cve/cve-2009-3552	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3552	Issue Tracking
https://www.securityfocus.com/bid/42639	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2009-3552	2010-08-19
https://bugzilla.redhat.com/show_bug.cgi?id=528890	2010-08-19

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Enterprise Virtualization Manager Search vendor "Redhat" for product "Enterprise Virtualization Manager"				2.2 Search vendor "Redhat" for product "Enterprise Virtualization Manager" and version "2.2"		-		Affected