Bug 445227 (CVE-2008-1676) - CVE-2008-1676 Certificate System: incorrect handling of Extensions in CSRs (cs71)
Summary: CVE-2008-1676 Certificate System: incorrect handling of Extensions in CSRs (c...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-1676
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 440356 442963 445230 445231 445232
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-05-05 15:54 UTC by Tomas Hoger
Modified: 2019-09-29 12:24 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-01-27 00:33:59 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0500 0 normal SHIPPED_LIVE Important: rhpki-common security update 2008-07-02 17:49:43 UTC
Red Hat Product Errata RHSA-2008:0577 0 normal SHIPPED_LIVE Important: rhpki-common security update 2008-07-02 17:54:05 UTC

Description Tomas Hoger 2008-05-05 15:54:37 UTC 
A flaw was found in a way Red Hat Certificate System handled Extensions in the
certificate signing requests (CSR).  All requested Extensions were added to
issued certificate despite constraints defined in Certificate Authority (CA)
profile.

For example, CSR could contain Basic Constraints or Key Usage constraint that
once copied to issued certificate would result in creation of subordinate CA
certificate, even though CA configuration prohibits issuing of subordinate CA
certificate, possibly leading to a bypass the intended security policy.

Affected versions:
Red Hat Certificate System 7.1, 7.2, 7.3
Netscape Certificate Management System 6.x
Comment 2 Mark J. Cox 2008-05-22 10:51:46 UTC 
It's hard to code this correctly in CVSS v2.  I think we are best to compare it
to flaws where a client not verifying the basic constraints for a signed
certificate, like CVE-2002-0970 or CVE-2002-0862.  The same NVD CVSSv2 score is
also used for cases such as when a revoked certificate is accepted by a service.
 So I believe this should be

        CVSS v2 Base score: 7.5  (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
        and therefore impact=important
Comment 3 Tomas Hoger 2008-07-02 17:48:21 UTC 
Lifting embargo.
Comment 5 Matthew Harmsen 2010-01-27 00:33:59 UTC 
Setting bug to CLOSED per conversation with QE.
Note You need to log in before you can comment on or make changes to this bug.