SecurityTracker.com

SecurityTracker Archives

Category:   OS (Microsoft)  >   Windows DLL (Any) Vendors:   Microsoft
Microsoft Windows Includes Several Invalid Certificates
SecurityTracker Alert ID:  1030548
SecurityTracker URL:  http://securitytracker.com/id/1030548
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Jul 17 2014
Original Entry Date:  Jul 11 2014
Impact:   Modification of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2003 SP2, Vista SP2, 2008 SP2, 7 SP1, 2008 R2 SP1, 8, 8.1, 2012, 2012 R2; and prior service packs
Description:   A vulnerability was reported in Microsoft Windows. A remote user may be able to spoof SSL certificates.

The operating system includes invalid subordinate certificates issued by National Informatics Centre (NIC), which operates subordinate certificate authorities (CAs) under root CAs operated by the Government of India Controller of Certifying Authorities (CCA).

The invalid certificates and thumbprints are:

NIC Certifying Authority: 48 22 82 4e ce 7e d1 45 0c 03 9a a0 77 dc 1f 8a e3 48 9b bf

NIC CA 2011: c6 79 64 90 cd ee aa b3 1a ed 79 87 52 ec d0 03 e6 86 6c b2

NIC CA 2014: d2 db f7 18 23 b2 b8 e7 8f 59 58 09 61 50 bf cb 97 cc 38 8a

Unauthorized digital certificates derived from these certificate authorities are being actively used in attacks against various Google and Yahoo domains.

The vulnerability is due to the certificate authority and not the operating system itself.

Adam Langley and the Google Chrome Security Team reported this vulnerability.

Impact:   A remote user may be able to spoof SSL certificates.
Solution:   The vendor has issued a fix, available via automatic update for Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Phone 8, and Windows Phone 8.1.

The vendor has issued a fix for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 systems that use the automatic updater of revoked certificates (see KB2677070).

The vendor has issued a fix for Windows Server 2003 (KB2982792).

The vendor's advisory is available at:

https://technet.microsoft.com/en-us/library/security/2982792
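As an added defender's check, not part of the advisory, the following PowerShell reads the local machine's Disallowed ("Untrusted Certificates") store and reports whether each of the three thumbprints listed above is present there, which is where the vendor's disallowed-certificate update places them; it assumes Windows PowerShell with the Cert: provider and an elevated session.

```powershell
# Added example (not from the advisory): confirm the three NIC subordinate CA
# certificates are in Cert:\LocalMachine\Disallowed after the update has run.
# Thumbprints are copied verbatim from the advisory (SHA-1, space-separated).
$Advisory = [ordered]@{
    'NIC Certifying Authority' = '48 22 82 4e ce 7e d1 45 0c 03 9a a0 77 dc 1f 8a e3 48 9b bf'
    'NIC CA 2011'              = 'c6 79 64 90 cd ee aa b3 1a ed 79 87 52 ec d0 03 e6 86 6c b2'
    'NIC CA 2014'              = 'd2 db f7 18 23 b2 b8 e7 8f 59 58 09 61 50 bf cb 97 cc 38 8a'
}

# The Cert: provider exposes thumbprints as 40 uppercase hex characters, no spaces.
$Disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    ForEach-Object { $_.Thumbprint.ToUpperInvariant() }

$Missing = @()
foreach ($entry in $Advisory.GetEnumerator()) {
    # Normalise the advisory's spaced lowercase form to the provider's format.
    $thumb = ($entry.Value -replace ' ', '').ToUpperInvariant()
    if ($Disallowed -contains $thumb) {
        Write-Output ("BLOCKED  {0,-26} {1}" -f $entry.Key, $thumb)
    } else {
        Write-Output ("MISSING  {0,-26} {1}" -f $entry.Key, $thumb)
        $Missing += $entry.Key
    }
}

if ($Missing.Count -gt 0) {
    # A missing entry means the disallowed certificate update has not taken
    # effect on this host (or the host relies on an older update mechanism).
    Write-Warning ("Disallowed certificate update not yet applied for: " + ($Missing -join ', '))
    exit 1
}
Write-Output 'All three NIC certificates are present in the Disallowed store.'
```

On Vista, 7 and 2008/2008 R2 the entries only appear once the automatic updater of revoked certificates (KB2677070) has fetched the list, so a MISSING result on those systems may simply mean the updater has not run yet.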

Vendor URL:  technet.microsoft.com/en-us/library/security/2982792
Cause:   Configuration error

Message History:   None.


Copyright 2019, SecurityGlobal.net LLC