Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 5.8
CVE Id: CVE-2014-1266
Last Modified: 10 Jul 2015 09:59:57
Published: 22 Feb 2014 12:05:21
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2014-1266

Summary

The SSLVerifySignedServerKeyExchange function in libsecurity_ssl/lib/sslKeyExchange.c in the Secure Transport feature in the Data Security component in Apple iOS 6.x before 6.1.6 and 7.x before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before 10.9.2 does not check the signature in a TLS Server Key Exchange message, which allows man-in-the-middle attackers to spoof SSL servers by (1) using an arbitrary private key for the signing step or (2) omitting the signing step.

Vulnerable Systems

Operating System

  • Apple iPhone OS 6.0

  • Apple iPhone OS 6.0.1

  • Apple iPhone OS 6.0.2

  • Apple iPhone OS 6.1

  • Apple iPhone OS 6.1.2

  • Apple iPhone OS 6.1.3

  • Apple iPhone OS 6.1.4

  • Apple iPhone OS 6.1.5

  • Apple iPhone OS 7.0

  • Apple iPhone OS 7.0.1

  • Apple iPhone OS 7.0.2

  • Apple iPhone OS 7.0.3

  • Apple iPhone OS 7.0.4

  • Apple iPhone OS 7.0.5

  • Apple Mac OS X 10.9

  • Apple Mac OS X 10.9.1

Application

  • Apple TV 6.0

  • Apple TV 6.0.1


References

MISC - https://www.imperialviolet.org/2014/02/22/applebug.html

MISC - https://news.ycombinator.com/item?id=7281378

CONFIRM - http://support.apple.com/kb/HT6148

CONFIRM - http://support.apple.com/kb/HT6147

CONFIRM - http://support.apple.com/kb/HT6146

MISC - http://it.slashdot.org/comments.pl?sid=4821073&cid=46310187

MISC - https://www.cs.columbia.edu/~smb/blog/2014-02/2014-02-24.html

MISC - https://www.cs.columbia.edu/~smb/blog/2014-02/2014-02-23.html

CONFIRM - http://support.apple.com/kb/HT6150

Related Patches

Apple 2014-02-25 Mac OS X 10.9.2 Combo Update

Apple 2014-02-25 Mac OS X 10.9.2 Update


Last Updated: 27 May 2016 10:53:57