Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 7.5
CVE Id: CVE-2008-3433
Last Modified: 05 Sep 2008 05:43:03
Published: 01 Aug 2008 10:41:00
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2008-3433

Summary

SpeedBit Download Accelerator Plus (DAP) before 8.6.3.9 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.

Vulnerable Systems

Application

  • Speedbit Download Accelerator Plus 8.0
  • Speedbit Download Accelerator Plus 8.1
  • Speedbit Download Accelerator Plus 8.5
  • Speedbit Download Accelerator Plus 8.6


References

MISC - http://www.infobyte.com.ar/down/isr-evilgrade-1.0.0.tar.gz

MISC - http://www.infobyte.com.ar/down/Francisco%20Amato%20-%20evilgrade%20-%20ENG.pdf

FULLDISC - 20080728 Tool release: [evilgrade] - Using DNS cache poisoning to exploit poor update implementations


Last Updated: 27 May 2016 10:48:12