Vulnerability CVE-2008-3249
Published: 2008-07-21   Modified: 2012-02-12

Description:
The client in Lenovo System Update before 3.14 does not properly validate the certificate when establishing an SSL connection, which allows remote attackers to install arbitrary packages via an SSL certificate whose X.509 headers match a public certificate used by IBM.

Type:

CWE-255

 (Credentials Management)

CVSS2 => (AV:N/AC:H/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5.1/10
6.4/10
4.9/10
Exploit range
Attack complexity
Authentication
Remote
High
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Lenovo -> Thinkvantage system update 

 References:
http://secunia.com/advisories/30379
http://xforce.iss.net/xforce/xfdb/42638
http://www.securityfocus.com/bid/29366
http://www.securityfocus.com/archive/1/492579
http://www.security-objectives.com/advisories/SECOBJADV-2008-01.txt
http://securitytracker.com/id?1020112
Copyright 2024, cxsecurity.com

 

Back to Top