CVE-2008-3249 - The client in Lenovo System Update before 3.14 does not properly validate the certificate when estab

CVE-2008-3249

Summary

The client in Lenovo System Update before 3.14 does not properly validate the certificate when establishing an SSL connection, which allows remote attackers to install arbitrary packages via an SSL certificate whose X.509 headers match a public certificate used by IBM.

References

Vulnerable Configurations

cpe:2.3:a:lenovo:thinkvantage_system_update:3.13:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:thinkvantage_system_update:3.13:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:thinkvantage_system_update:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:thinkvantage_system_update:*:*:*:*:*:*:*:*

CVSS

Base:	5.1 (as of 08-08-2017 - 01:31)
Impact:
Exploitability:

CWE

CWE-255

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	HIGH	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:H/Au:N/C:P/I:P/A:P

refmap via4

bid	29366
bugtraq	20080525 SECOBJADV-2008-01: Lenovo SystemUpdate SSL Certificate Issuer Spoofing Vulnerability
misc	http://www.security-objectives.com/advisories/SECOBJADV-2008-01.txt
sectrack	1020112
secunia	30379
xf	ibm-thinkvantage-ssl-spoofing(42638)

Last major update

08-08-2017 - 01:31

Published

21-07-2008 - 17:41

Last modified

08-08-2017 - 01:31