SB2018010927 - Multiple vulnerabilities in InsideSecure MatrixSSL

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2018010927

SB2018010927 - Multiple vulnerabilities in InsideSecure MatrixSSL

Published: January 9, 2018 Updated: August 8, 2020

Security Bulletin ID SB2018010927
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Improper Certificate Validation (CVE-ID: CVE-2017-1000417)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

MatrixSSL version 3.7.2 adopts a collision-prone OID comparison logic resulting in possible spoofing of OIDs (e.g. in ExtKeyUsage extension) on X.509 certificates.


2) Improper Certificate Validation (CVE-ID: CVE-2017-1000415)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

MatrixSSL version 3.7.2 has an incorrect UTCTime date range validation in its X.509 certificate validation process resulting in some certificates have their expiration (beginning) year extended (delayed) by 100 years.


Remediation

Install update from vendor's website.

References