Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 4.3
CVE Id CVE-2014-1263
Last Modified 05 May 2014 01:32:35
Published 26 Feb 2014 08:55:04
Confidentiality Impact PARTIAL
Integrity Impact NONE
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2014-1263

Summary

curl and libcurl 7.27.0 through 7.35.0, when using the SecureTransport/Darwinssl backend, as used in Apple OS X 10.9.x before 10.9.2, do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.

Vulnerable Systems

Operating System

  • Apple Mac OS X 10.9

  • Apple Mac OS X 10.9.1


References

MISC - https://gist.github.com/rmoriz/fb2b0a6a0ce10550ab73

MISC - http://twitter.com/okoeroo/statuses/437272014043496449

MISC - http://twitter.com/agl__/statuses/437029812046422016

CONFIRM - http://support.apple.com/kb/HT6150

CONFIRM - http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/

CONFIRM - http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/

CONFIRM - http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/

SECUNIA - 57968

SECUNIA - 57966

SECUNIA - 57836

CONFIRM - http://curl.haxx.se/docs/adv_20140326C.html

Related Patches

Apple 2014-02-25 Mac OS X 10.9.2 Combo Update

Apple 2014-02-25 Mac OS X 10.9.2 Update


Last Updated: 27 May 2016 11:05:10