Mac OS X CFNetwork Clients SSL Site Authentication Spoofing

2006-09-27T16:18:57
ID OSVDB:29267
Type osvdb
Reporter Adam Bryzak()
Modified 2006-09-27T16:18:57

Description

Vulnerability Description

Mac OS X contains a flaw that may allow a malicious user to spoof SSL site authentication. The issue is triggered when an SSL connection is established to a server whose certificate cannot be authenticated, but the normal SSL 'lock' icon is presented to the user. It is possible that the flaw may allow SSL site spoofing resulting in a loss of integrity.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch to address this vulnerability.

Short Description

Mac OS X contains a flaw that may allow a malicious user to spoof SSL site authentication. The issue is triggered when an SSL connection is established to a server whose certificate cannot be authenticated, but the normal SSL 'lock' icon is presented to the user. It is possible that the flaw may allow SSL site spoofing resulting in a loss of integrity.

References:

Vendor Specific News/Changelog Entry: http://docs.info.apple.com/article.html?artnum=304460 Security Tracker: 1016952 Secunia Advisory ID:22187 Related OSVDB ID: 29268 Related OSVDB ID: 29273 Related OSVDB ID: 29270 Related OSVDB ID: 29276 Related OSVDB ID: 29269 Related OSVDB ID: 29271 Related OSVDB ID: 29272 Related OSVDB ID: 29274 Related OSVDB ID: 29275 ISS X-Force ID: 29277 FrSIRT Advisory: ADV-2006-3852 CVE-2006-4390 Bugtraq ID: 20271