Описание
The Data Security component in Apple iOS before 4.2.10 and 4.3.x before 4.3.5 does not check the basicConstraints parameter during validation of X.509 certificate chains, which allows man-in-the-middle attackers to spoof an SSL server by using a non-CA certificate to sign a certificate for an arbitrary domain.
The Data Security component in Apple iOS before 4.2.10 and 4.3.x before 4.3.5 does not check the basicConstraints parameter during validation of X.509 certificate chains, which allows man-in-the-middle attackers to spoof an SSL server by using a non-CA certificate to sign a certificate for an arbitrary domain.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2011-0228
- https://www.trustwave.com/spiderlabs/advisories/TWSL2011-007.txt
- http://lists.apple.com/archives/security-announce/2011//Jul/msg00004.html
- http://lists.apple.com/archives/security-announce/2011//Jul/msg00005.html
- http://secunia.com/advisories/45369
- http://securityreason.com/securityalert/8361
- http://securitytracker.com/id?1025837
- http://support.apple.com/kb/HT4824
- http://support.apple.com/kb/HT4825
- http://www.securityfocus.com/archive/1/518982/100/0/threaded
- http://www.securityfocus.com/bid/48877
Связанные уязвимости
The Data Security component in Apple iOS before 4.2.10 and 4.3.x before 4.3.5 does not check the basicConstraints parameter during validation of X.509 certificate chains, which allows man-in-the-middle attackers to spoof an SSL server by using a non-CA certificate to sign a certificate for an arbitrary domain.