JVNDB-2004-000231

KAME Racoon eay_check_x509cert Improper Certificate Verification Vulnerability

Overview

eay_check_x509cert() in Racoon successfully verifies certificates even when OpenSSL validation fails, which could allow remote attackers to bypass authentication.

CVSS Severity

CVSS V2 Severity:
Base Metrics 10.0 (High) [NVD Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
Affected Products


KAME Project
  • KAME Racoon 2004-05-03
Cybertrust Japan Co., Ltd.
  • Asianux Server 3.0
Red Hat, Inc.
  • Red Hat Enterprise Linux 3 (as)
  • Red Hat Enterprise Linux 3 (es)
  • Red Hat Enterprise Linux 3 (ws)
  • Red Hat Enterprise Linux Desktop 3.0

Impact

An attacker could bypass IKE authentication using invalid X.509 certificates.

Solution

Please refer to the 'Vendor Information' section for official remediation and take appropriate action.
Vendor Information

  • KAME Project
  • Cybertrust Japan Co., Ltd.
  • Red Hat, Inc.

CWE

CVE

  1. CVE-2004-0607

References

  1. National Vulnerability Database (NVD) : CVE-2004-0607
  2. Secunia Advisory : SA12185
  3. SecurityFocus : 10546
  4. ISS X-Force Database : 16414
  5. SecurityTracker : 1010495

Revision History

  • [2008/05/21]
      Web page published