Bug 445227 - (CVE-2008-1676) CVE-2008-1676 Certificate System: incorrect handling of Extensions in CSRs (cs71)
CVE-2008-1676 Certificate System: incorrect handling of Extensions in CSRs (c...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 440356 442963 445230 445231 445232
  Show dependency treegraph
Reported: 2008-05-05 11:54 EDT by Tomas Hoger
Modified: 2012-07-16 18:57 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-01-26 19:33:59 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2008-05-05 11:54:37 EDT
A flaw was found in a way Red Hat Certificate System handled Extensions in the
certificate signing requests (CSR).  All requested Extensions were added to
issued certificate despite constraints defined in Certificate Authority (CA)

For example, CSR could contain Basic Constraints or Key Usage constraint that
once copied to issued certificate would result in creation of subordinate CA
certificate, even though CA configuration prohibits issuing of subordinate CA
certificate, possibly leading to a bypass the intended security policy.

Affected versions:
Red Hat Certificate System 7.1, 7.2, 7.3
Netscape Certificate Management System 6.x
Comment 2 Mark J. Cox (Product Security) 2008-05-22 06:51:46 EDT
It's hard to code this correctly in CVSS v2.  I think we are best to compare it
to flaws where a client not verifying the basic constraints for a signed
certificate, like CVE-2002-0970 or CVE-2002-0862.  The same NVD CVSSv2 score is
also used for cases such as when a revoked certificate is accepted by a service.
 So I believe this should be

        CVSS v2 Base score: 7.5  (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
        and therefore impact=important
Comment 3 Tomas Hoger 2008-07-02 13:48:21 EDT
Lifting embargo.
Comment 5 Matthew Harmsen 2010-01-26 19:33:59 EST
Setting bug to CLOSED per conversation with QE.

Note You need to log in before you can comment on or make changes to this bug.