Windows Phone 7 does not check certificate Common Names when sending or receiving emails over SSL.

Overview

Windows Phone 7 does not check CN (Common Name) of server certificates when receiving or sending e-mails using POP3/IMAP/SMTP servers using SSL.

Description

Windows Phone 7 fails to check the CN (Common Name) of server certificates when receiving or sending e-mails using POP3/IMAP/SMTP servers using SSL allowing an attacker to perform a man-in-the-middle attack between the phone and the mail server.

---

Impact

A remote attacker with the ability to pose as a man-in-the-middle may be able to view the login or session data in the corresponding protocol (e.g., SMTP, POP3, etc.).

---

Solution

Microsoft has acknowledged this vulnerability and stated that they will be releasing an update.

---

Vendor Information

389795

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation Affected

Notified: June 19, 2012 Updated: September 10, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group	Score	Vector
Base	5.4	AV:N/AC:H/Au:N/C:C/I:N/A:N
Temporal	4.4	E:POC/RL:U/RC:UC
Environmental	4.6	CDP:LM/TD:M/CR:ND/IR:ND/AR:ND

References

<http://www.microsoft.com/windowsphone/en-us/default.aspx&gt;

Acknowledgements

Thanks to the reporter that wishes to remain anonymous.

This document was written by Michael Orlando.

Other Information

CVE IDs:	CVE-2012-2993
Date Public:	2012-09-17 Date First Published: