Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 7.6
CVE Id: CVE-2008-3323
Last Modified: 07 Mar 2011 10:10:36
Published: 28 Jul 2008 01:41:00
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE

CVE-2008-3323

Summary

setup.exe before 2.573.2.3 in Cygwin does not properly verify the authenticity of packages, which allows remote Cygwin mirror servers or man-in-the-middle attackers to execute arbitrary code via a package list containing the MD5 checksum of a Trojan horse package.

Vulnerable Systems

Application

  • Redhat Cygwin 1.7


References

MISC - https://bugzilla.redhat.com/show_bug.cgi?id=449929

XF - cygwin-setup-weak-security(44047)

VUPEN - ADV-2008-2321

BID - 30375

BUGTRAQ - 20080725 SECOBJADV-2008-02: Cygwin Installation and Update Process can be Subverted Vulnerability

MISC - http://www.security-objectives.com/advisories/SECOBJADV-2008-02.txt

SREASON - 4051

SECUNIA - 31271

MLIST - [cygwin-announce] 20080805 Updated: Setup.exe updated to version 2.573.2.3


Last Updated: 27 May 2016 10:48:09