CVE-2002-0862
CVSS 7.5
Published: 2002-10-04 00:00:00
Revised: 2016-10-17 22:22:46
NMC    

[Original] The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.


[CNNVD] Microsoft Internet Explorer SSL Certificate Validation Man-in-the-Middle Vulnerability (MS02-050) (CNNVD-200210-074)

        
        Internet Explorer is a widely used web browser; SSL is the protocol it uses to encrypt sessions.
        Internet Explorer's SSL certificate validation is flawed, and a remote attacker can exploit the flaw to mount a man-in-the-middle attack.
        Normally a web site administrator protects traffic with SSL by generating a key pair and certificate and having the certificate signed by a certificate authority (CA). The site's host name is placed in the CN (Common Name) field of the certificate's Subject distinguished name.
        The CA verifies that the requester legitimately controls the host name in the CN field, signs the certificate and returns it. If the administrator wants to protect www.thoughtcrime.org, the resulting chain looks like this:
        [CERT - Issuer: VeriSign / Subject: VeriSign]
        -> [CERT - Issuer: VeriSign / Subject: www.thoughtcrime.org]
        When the browser receives this certificate it must verify that the CN field matches the host it just connected to and that the certificate was signed by a CA it already trusts. An attacker cannot produce a certificate that carries both the right CN and a valid signature from that CA, so no man-in-the-middle attack is possible.
        In some cases, however, an intermediate (local) authority is used for convenience, and www.thoughtcrime.org instead receives a chain with the following structure:
        [Issuer: VeriSign / Subject: VeriSign]
        -> [Issuer: VeriSign / Subject: Intermediate CA]
         -> [Issuer: Intermediate CA / Subject: www.thoughtcrime.org]
        When the browser receives this chain it must verify that the leaf certificate's CN matches the host it connected to, that the leaf was signed by the intermediate CA, and that the intermediate CA's certificate was signed by a trusted CA. Finally, the browser must also check that every intermediate certificate carries a valid CA Basic Constraints extension (cA=TRUE), i.e. that the certificate is actually authorised to sign other certificates.
        Internet Explorer has a design flaw: it does not check the CA Basic Constraints extension at all. As a result, anyone holding a valid CA-signed certificate for any domain can issue certificates for any other domain that IE will accept as valid.
        Suppose the attacker is the legitimate administrator of www.thoughtcrime.org. He first generates a certificate and has VeriSign sign it:
        [CERT - Issuer: VeriSign / Subject: VeriSign]
        -> [CERT - Issuer: VeriSign / Subject: www.thoughtcrime.org]
        He then generates a certificate for an arbitrary domain, such as www.amazon.com, and signs it with his own www.thoughtcrime.org key:
        [CERT - Issuer: VeriSign / Subject: VeriSign]
        -> [CERT - Issuer: VeriSign / Subject: www.thoughtcrime.org]
         -> [CERT - Issuer: www.thoughtcrime.org / Subject: www.amazon.com]
        Because IE never checks the Basic Constraints of the www.thoughtcrime.org certificate, it accepts this chain as valid for www.amazon.com, and the attacker can present it from a man-in-the-middle position.
        In short, anyone holding any CA-signed certificate (and its private key) can impersonate any site to any user. The flaw lives in the CryptoAPI chain-validation functions rather than in IE itself, so every Windows program that relies on CertGetCertificateChain, CertVerifyCertificateChainPolicy or WinVerifyTrust is affected, including IIS when it verifies client certificates.
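The following worked example is added for this page; it is not Microsoft's code and not part of the original advisory. It rebuilds the two chains above with Go's crypto/x509 standing in for CryptoAPI: an in-memory ECDSA P-256 root named "Example Root CA" (an assumed name in place of VeriSign), a legitimate server certificate for www.thoughtcrime.org issued with cA=FALSE, and a www.amazon.com certificate signed with the thoughtcrime private key. naiveVerify mimics the unpatched behaviour (host name, raw signatures, trusted root, no Basic Constraints) and accepts the forged chain; strictVerify uses Certificate.Verify, which refuses any issuer that does not assert cA=TRUE, and Certificate.CheckSignatureFrom shows the same refusal on the single forged link. All keys and certificates are generated when the program runs, so it needs no files or network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs a certificate for cn with parentKey (self-signed when parent is nil).
// isCA sets the Basic Constraints cA flag; server certificates are issued with cA=FALSE.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo-only serial
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // always emit the extension so cA=FALSE is explicit
		IsCA:                  isCA,
	}
	if !isCA {
		tmpl.DNSNames = []string{cn} // host name in the SAN, where modern clients look
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// demo holds the advisory's certificates: an assumed root standing in for VeriSign, the
// legitimate www.thoughtcrime.org server cert, and a www.amazon.com cert forged with the thoughtcrime key.
type demo struct{ root, thought, forged *x509.Certificate }
func buildDemo() demo {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	thought, thoughtKey := issue("www.thoughtcrime.org", false, root, rootKey)
	forged, _ := issue("www.amazon.com", false, thought, thoughtKey) // signed by a cA=FALSE cert
	return demo{root, thought, forged}
}

// naiveVerify mimics the unpatched CryptoAPI: host name matches, each signature checks out under
// the issuer's public key (CheckSignature, which never looks at cA), and the chain ends at the root.
func naiveVerify(leaf *x509.Certificate, issuers []*x509.Certificate, root *x509.Certificate, host string) error {
	if err := leaf.VerifyHostname(host); err != nil {
		return err
	}
	child := leaf
	for _, issuer := range issuers {
		if err := issuer.CheckSignature(child.SignatureAlgorithm, child.RawTBSCertificate, child.Signature); err != nil {
			return err
		}
		child = issuer
	}
	if !root.Equal(child) {
		return fmt.Errorf("chain does not end at the trusted root")
	}
	return nil
}

// strictVerify is the patched behaviour: Go's path builder rejects any issuer whose
// Basic Constraints do not assert cA=TRUE (x509.NotAuthorizedToSign).
func strictVerify(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// run returns five verdicts (nil = accepted): legit/naive, legit/strict, forged/naive, forged/strict, forged link.
func run(d demo) [5]error {
	return [5]error{
		naiveVerify(d.thought, []*x509.Certificate{d.root}, d.root, "www.thoughtcrime.org"),
		strictVerify(d.thought, nil, d.root, "www.thoughtcrime.org"),
		naiveVerify(d.forged, []*x509.Certificate{d.thought, d.root}, d.root, "www.amazon.com"),
		strictVerify(d.forged, []*x509.Certificate{d.thought}, d.root, "www.amazon.com"),
		d.forged.CheckSignatureFrom(d.thought), // refuses the cA=FALSE issuer before checking the signature
	}
}

func main() {
	fmt.Println(run(buildDemo())) // first three nil (accepted), last two non-nil (rejected)
}
```

The third verdict is the vulnerability: every signature in the forged chain is mathematically valid and the chain does terminate at a trusted root, so a verifier that stops there is fooled. The fourth and fifth verdicts are the fix, and the per-link CheckSignatureFrom check is the cheapest place to add it in code that walks chains by hand.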
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_nt:4.0:sp6a:alpha
cpe:/a:microsoft:ie_for_macintosh:5.0  Microsoft Internet Explorer Macintosh 5.0
cpe:/o:microsoft:windows_98se  Microsoft windows 98_se
cpe:/a:kde:konqueror:3.0.2
cpe:/a:kde:konqueror:3.0.1
cpe:/a:microsoft:outlook_express:5.0  Microsoft outlook_express 5.0
cpe:/o:microsoft:windows_nt:4.0:sp2  Microsoft Windows 4.0 sp2
cpe:/o:microsoft:windows_nt:4.0:sp1  Microsoft Windows 4.0 sp1
cpe:/o:microsoft:windows_nt:4.0:sp6  Microsoft Windows 4.0 sp6
cpe:/o:kde:kde:2.2.2
cpe:/o:microsoft:windows_2000::sp3:datacenter_server  Microsoft Windows 2000 Datacenter Server SP3
cpe:/o:microsoft:windows_nt:4.0:sp5  Microsoft Windows 4.0 sp5
cpe:/o:microsoft:windows_nt:4.0:sp6a:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP6a
cpe:/a:kde:konqueror:2.2.2
cpe:/o:microsoft:windows_2000::sp1:datacenter_server  Microsoft Windows 2000 Datacenter Server SP1
cpe:/o:microsoft:windows_nt:4.0  Microsoft Windows NT 4.0
cpe:/o:microsoft:windows_2000::sp2:datacenter_server  Microsoft Windows 2000 Datacenter Server SP2
cpe:/o:microsoft:windows_nt:4.0:sp5:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP5
cpe:/o:microsoft:windows_nt:4.0:sp6a  Microsoft Windows 4.0 sp6a
cpe:/o:microsoft:windows_nt:4.0:sp2:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP2
cpe:/a:microsoft:outlook_express:5.0::macos
cpe:/a:microsoft:office:98::mac
cpe:/a:microsoft:office:v.x
cpe:/a:microsoft:ie_for_macintosh:5.1  Microsoft Internet Explorer Macintosh 5.1
cpe:/o:baltimore_technologies:mailsecure
cpe:/o:microsoft:windows_nt:4.0:sp4  Microsoft Windows 4.0 sp4
cpe:/o:microsoft:windows_nt:4.0:sp6:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP6
cpe:/o:microsoft:windows_nt:4.0:sp3  Microsoft Windows 4.0 sp3
cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_nt:4.0:sp6:alpha
cpe:/o:microsoft:windows_nt:4.0:sp5:alpha
cpe:/o:microsoft:windows_nt:4.0:sp2:alpha
cpe:/a:microsoft:outlook_express:4.5::macos
cpe:/o:microsoft:windows_nt:4.0:sp4:alpha
cpe:/o:microsoft:windows_2000::sp3:professional  Microsoft Windows 2000 Professional SP3
cpe:/o:microsoft:windows_2000_terminal_services::sp2
cpe:/o:microsoft:windows_nt:4.0:sp1:alpha
cpe:/o:microsoft:windows_2000::sp1:professional  Microsoft Windows 2000 Professional SP1
cpe:/o:microsoft:windows_nt:4.0:sp3:alpha
cpe:/o:microsoft:windows_2000::sp2:professional  Microsoft Windows 2000 Professional SP2
cpe:/o:microsoft:windows_2000:::datacenter_server
cpe:/o:microsoft:windows_nt:4.0::terminal_server
cpe:/o:microsoft:windows_2000::sp1:server  Microsoft Windows 2000 Server SP1
cpe:/a:microsoft:ie:6.0  Microsoft Internet Explorer 6.0
cpe:/o:microsoft:windows_2000::sp3:server  Microsoft Windows 2000 Server SP3
cpe:/a:microsoft:office:2001:sr1:mac_os  Microsoft office_macos 2001 sr1
cpe:/a:microsoft:internet_information_server:5.0
cpe:/a:microsoft:ie:5.5:sp2  Microsoft Internet Explorer 5.5 SP2
cpe:/a:microsoft:ie:5.5:sp1  Microsoft Internet Explorer 5.5 SP1
cpe:/o:microsoft:windows_2000::sp2:server  Microsoft Windows 2000 Server SP2
cpe:/o:kde:kde:3.0
cpe:/a:microsoft:ie:5.0.1:sp2  Microsoft Internet Explorer 5.0.1 SP2
cpe:/a:microsoft:ie:5.0.1:sp1  Microsoft Internet Explorer 5.0.1 SP1
cpe:/o:microsoft:windows_xp::gold  Microsoft windows xp_gold
cpe:/o:microsoft:windows_2000_terminal_services::sp3
cpe:/o:microsoft:windows_2000_terminal_services::sp1
cpe:/o:kde:kde:3.0.2
cpe:/o:kde:kde:3.0.1
cpe:/o:microsoft:windows_2000_terminal_services
cpe:/a:microsoft:ie_for_macintosh:5.1.1  Microsoft Internet Explorer Macintosh 5.1.1
cpe:/o:microsoft:windows_nt:4.0:sp4:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP4
cpe:/o:microsoft:windows_nt:4.0:sp1:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP1
cpe:/a:microsoft:office:2001::macintosh
cpe:/a:microsoft:outlook_express:5.0.1::macos
cpe:/a:kde:konqueror:3.0
cpe:/a:microsoft:outlook_express:5.0.2::macos
cpe:/o:microsoft:windows_nt:4.0:sp3:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP3
cpe:/o:microsoft:windows_xp::gold:professional  Microsoft Windows XP Professional Gold
cpe:/o:microsoft:windows_me  Microsoft Windows ME
cpe:/o:kde:kde:2.2.1
cpe:/a:microsoft:outlook_express:5.0.3::macos
cpe:/o:microsoft:windows_nt:4.0::alpha
cpe:/o:microsoft:windows_2000::sp3:advanced_server  Microsoft Windows 2000 Advanced Server SP3
cpe:/o:microsoft:windows_2000::sp2:advanced_server  Microsoft Windows 2000 Advanced Server SP2
cpe:/o:microsoft:windows_2000::sp1:advanced_server  Microsoft Windows 2000 Advanced Server SP1
cpe:/o:microsoft:windows_xp:::64-bit
cpe:/o:microsoft:windows_2000:::server
cpe:/a:microsoft:ie:5.5  Microsoft ie 5.5
cpe:/a:microsoft:ie:5.0  Microsoft Internet Explorer 5.0
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_xp:::home
cpe:/o:microsoft:windows_98::gold  Microsoft windows 98_gold
cpe:/a:microsoft:ie:5.0.1  Microsoft Internet Explorer 5.0.1
cpe:/a:adam_megacz:tinyssl:1.0.2

- OVAL (technical details for detection)

oval:org.mitre.oval:def:2671  Windows 2000 Certificate Validation Identity Spoofing Vulnerability (Test 2)
oval:org.mitre.oval:def:1332  Windows 2000 Certificate Validation Identity Spoofing Vulnerability (Test 1)
oval:org.mitre.oval:def:1056  Microsoft Certificate Validation Flaw Identity Spoofing Vulnerability
*OVAL describes in detail how to detect this vulnerability; see the referenced OVAL definitions for further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0862
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0862
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200210-074
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=102866120821995&w=2
(UNKNOWN)  BUGTRAQ  20020805 IE SSL Vulnerability
http://marc.info/?l=bugtraq&m=102918200405308&w=2
(UNKNOWN)  BUGTRAQ  20020812 IE SSL Exploit
http://marc.info/?l=bugtraq&m=102976967730450&w=2
(UNKNOWN)  BUGTRAQ  20020819 Insufficient Verification of Client Certificates in IIS 5.0 pre sp3
http://www.microsoft.com/technet/security/bulletin/ms02-050.asp
(VENDOR_ADVISORY)  MS  MS02-050
http://xforce.iss.net/xforce/xfdb/9776
(UNKNOWN)  XF  ssl-ca-certificate-spoofing(9776)

- Vulnerability information

Microsoft Internet Explorer SSL Certificate Validation Man-in-the-Middle Vulnerability (MS02-050)
High  Unknown
2002-10-04 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisory and patches

        Workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * For sensitive applications, inspect the certificate chain manually when establishing an SSL connection. The original advice is to treat the presence of any intermediate certificate as a sign of a man-in-the-middle attack; since legitimate chains routinely contain intermediates, the useful check is whether every intermediate carries a Basic Constraints extension with cA=TRUE, because in the forged chain above the certificate in the issuer position is an ordinary server certificate (cA=FALSE).
        Vendor patch:
        Microsoft
        ---------
        Microsoft has released a security bulletin (MS02-050) and the corresponding patch:
        MS02-050: Certificate Validation Flaw Could Enable Identity Spoofing (Q328145)
        Link:
        http://www.microsoft.com/technet/security/bulletin/MS02-050.asp

        Patch downloads:
        Microsoft Windows 98:
        http://www.microsoft.com/windows98/downloads/contents/WUCritical/q328145/default.asp
        Windows 98 Second Edition:
        http://www.microsoft.com/windows98/downloads/contents/WUCritical/q328145/default.asp
        Windows Me:
        http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328145
        Windows NT 4.0:
        http://www.microsoft.com/ntserver/nts/downloads/critical/q328145/default.asp
        Windows NT 4.0 Terminal Server Edition:
        http://www.microsoft.com/ntserver/terminalserver/downloads/critical/q328145/default.asp
        Windows 2000:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=42431
        Windows XP and Windows XP 64 Bit Edition:
        http://www.microsoft.com/windowsxp/pro/downloads/q328145.asp
        Microsoft Office v.X for Mac, Office 2001 for Mac, Office 98 for the Macintosh, Internet Explorer for Mac (OS 8.1 to 9.x and OS X) and Outlook Express 5.0.6 for Mac:
        http://www.microsoft.com/mac/download/security.asp
 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are hosted on MITRE's websites.