Vulnerability CVE-2002-0862


Published: 2002-10-04   Modified: 2012-02-12

Description:
The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.

Type:

CWE-Other

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10

Exploit range: Remote
Attack complexity: Low
Authentication: Not required

Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Affected software
Microsoft -> Windows xp 
Microsoft -> Internet information services 
Microsoft -> IE 
Microsoft -> Ie for macintosh 
Microsoft -> Internet information server 
Microsoft -> Office 
Microsoft -> Outlook express 
Microsoft -> Windows 2000 
Microsoft -> Windows 2000 terminal services 
Microsoft -> Windows 98 
Microsoft -> Windows 98se 
Microsoft -> Windows me 
Microsoft -> Windows nt 
KDE -> Konqueror 
KDE -> KDE 
Baltimore technologies -> Mailsecure 
Adam megacz -> Tinyssl 

 References:
http://marc.info/?l=bugtraq&m=102866120821995&w=2
http://marc.info/?l=bugtraq&m=102918200405308&w=2
http://marc.info/?l=bugtraq&m=102976967730450&w=2
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-050
https://exchange.xforce.ibmcloud.com/vulnerabilities/9776
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1056
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1332
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2671

Copyright 2022, cxsecurity.com

 
