Improper Certificate Validation in Botan - CVE-2018-9127


Published: August 3, 2020


Vulnerability identifier: #VU33133
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-9127
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Botan
Software vendor:
Randombit

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists because Botan 2.2.0 through 2.4.0 improperly handles wildcard certificates and accepts certain certificates as valid for hostnames that, under the matching rules of RFC 6125, they should not match. For example, a certificate issued for b*.example.com would be accepted for some hostnames in example.com that do not begin with the character 'b'. The impact is limited to hosts in the same domain as the certificate: to impersonate a host, an attacker must already hold a wildcard certificate that legitimately matches other hostnames in that domain, so the bug widens what an existing wildcard certificate covers rather than allowing an arbitrary certificate to be accepted.
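
The following is an added example, not Botan's code and not a reconstruction of its actual matching routine. It contrasts a deliberately loose wildcard matcher, constructed here to illustrate the bug class the advisory describes (the text before the '*' in the wildcard label is never compared, so b*.example.com matches c.example.com), with a matcher that applies the RFC 6125 section 6.4.3 rules plus two common hardening checks that RFC 6125 leaves optional: no wildcard in IDNA A-labels, and no wildcard directly under a top-level domain. The hostnames used are constructed test inputs.

```cpp
// Added illustration of RFC 6125 DNS-ID wildcard matching. Not Botan's code;
// the "loose" matcher is a constructed stand-in for a flawed implementation.
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Split a DNS name into lower-cased labels ("A.B.c" -> {"a","b","c"}).
static std::vector<std::string> split_labels(const std::string& name) {
    std::vector<std::string> labels;
    std::string cur;
    for (char c : name) {
        if (c == '.') { labels.push_back(cur); cur.clear(); }
        else cur.push_back(static_cast<char>(std::tolower(static_cast<unsigned char>(c))));
    }
    labels.push_back(cur);
    return labels;
}

// Loose matcher (constructed, flawed): checks the label count and everything
// to the right of the '*', but ignores the text to the left of the '*'.
// Consequence: "b*.example.com" is accepted for "c.example.com".
bool loose_wildcard_match(const std::string& pattern, const std::string& host) {
    const auto p = split_labels(pattern);
    const auto h = split_labels(host);
    if (p.empty() || p.size() != h.size()) return false;
    const std::size_t star = p[0].find('*');
    if (star == std::string::npos) return p == h;
    const std::string suffix = p[0].substr(star + 1);
    if (h[0].size() < suffix.size()) return false;
    if (h[0].compare(h[0].size() - suffix.size(), suffix.size(), suffix) != 0) return false;
    for (std::size_t i = 1; i < p.size(); ++i)
        if (p[i] != h[i]) return false;
    return true;
}

// Strict matcher following RFC 6125 section 6.4.3:
//  - a '*' may appear only in the left-most label, and only once;
//  - '*' never spans a '.', so label counts must be equal ("*.example.com"
//    matches "foo.example.com" but not "bar.foo.example.com" or "example.com");
//  - a partial-label wildcard ("b*z") must match both its prefix and suffix.
// Plus two hardening checks RFC 6125 recommends or leaves to the client:
//  - no wildcard in an IDNA A-label ("xn--*");
//  - no wildcard directly under a TLD ("*.com").
bool strict_wildcard_match(const std::string& pattern, const std::string& host) {
    if (host.find('*') != std::string::npos) return false;   // reference identifiers never contain '*'
    const auto p = split_labels(pattern);
    const auto h = split_labels(host);
    if (p.empty() || h.empty()) return false;
    for (std::size_t i = 1; i < p.size(); ++i)
        if (p[i].find('*') != std::string::npos) return false; // wildcard not in left-most label
    const std::string& wl = p[0];
    const std::size_t star = wl.find('*');
    if (star == std::string::npos) return p == h;             // no wildcard: exact label match
    if (wl.find('*', star + 1) != std::string::npos) return false; // more than one '*'
    if (p.size() < 3) return false;                            // refuse "*.com"
    if (wl.compare(0, 4, "xn--") == 0) return false;           // refuse wildcard in A-label
    if (p.size() != h.size()) return false;                    // '*' never matches across '.'
    for (std::size_t i = 1; i < p.size(); ++i)
        if (p[i] != h[i]) return false;                        // non-wildcard labels exact
    const std::string prefix = wl.substr(0, star);
    const std::string suffix = wl.substr(star + 1);
    const std::string& hl = h[0];
    if (hl.size() < prefix.size() + suffix.size()) return false;
    return hl.compare(0, prefix.size(), prefix) == 0 &&
           hl.compare(hl.size() - suffix.size(), suffix.size(), suffix) == 0;
}

int main() {
    // Constructed inputs: the first two pairs show the divergence the advisory describes.
    const char* cases[][2] = {
        {"b*.example.com", "c.example.com"},
        {"b*.example.com", "bar.example.com"},
        {"*.example.com", "bar.foo.example.com"},
        {"*.com", "example.com"},
    };
    for (const auto& c : cases)
        std::cout << c[0] << " vs " << c[1]
                  << "  loose=" << loose_wildcard_match(c[0], c[1])
                  << "  strict=" << strict_wildcard_match(c[0], c[1]) << '\n';
    return 0;
}
```

When auditing a TLS client, feed it exactly these pairs through its real hostname check (for Botan, the certificate's DNS-ID matching used during path validation with a supplied hostname) rather than trusting a unit test of a copied matcher: the advisory's class of bug only shows up on the partial-label cases, which most test suites omit.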


Remediation

Upgrade to Botan 2.5.0 or later, which corrected the wildcard matching, using the releases published on the vendor's website.

External links