Veracode Vulnerability DatabaseVERACODE:24476Spoofing Attacks
0.012 Low
EPSS
Percentile
85.1%
pki is vulnerable to spoofing attacks. The certificate authority used the MD5 hash algorithm to sign all SCEP protocol responses. As MD5 is not collision resistant, an attacker could use this flaw to perform an MD5 chosen-prefix collision attack to generate attack-chosen output signed using the certificate authority’s key.
References
blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/
blogs.technet.com/swi/archive/2008/12/30/information-regarding-md5-collisions-problem.aspx
secunia.com/advisories/33826
secunia.com/advisories/34281
secunia.com/advisories/42181
securityreason.com/securityalert/4866
securitytracker.com/id?1024697
www.cisco.com/en/US/products/products_security_response09186a0080a5d24a.html
www.doxpara.com/research/md5/md5_someday.pdf
www.kb.cert.org/vuls/id/836068
www.microsoft.com/technet/security/advisory/961509.mspx
www.phreedom.org/research/rogue-ca/
www.redhat.com/security/updates/classification/#moderate
www.securityfocus.com/archive/1/499685/100/0/threaded
www.securityfocus.com/bid/33065
www.ubuntu.com/usn/usn-740-1
www.win.tue.nl/hashclash/rogue-ca/
www.win.tue.nl/hashclash/SoftIntCodeSign/
access.redhat.com/errata/RHSA-2010:0838
blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php
bugzilla.redhat.com/show_bug.cgi?id=648886
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289935
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05336888
ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
rhn.redhat.com/errata/RHSA-2010-0837.html
rhn.redhat.com/errata/RHSA-2010-0838.html
support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03814en_us
www.redhat.com/archives/fedora-package-announce/2009-February/msg00096.html
Related
