Vulnerability Name: CVE-2002-0862 (CCN-9776)
Assigned: 2002-08-05
Published: 2002-08-05
Updated: 2021-07-23

Summary: The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.

CVSS v3 Severity: 0.0 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)
  Exploitability Metrics: Attack Vector (AV): Local; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
  Scope: Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): None

CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
  Impact Metrics: Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): Partial

CVSS v2 Severity (CCN): 0.0 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:N)
  Exploitability Metrics: Access Vector (AV): Local; Access Complexity (AC): Low; Authentication (Au): None
  Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): None
Vulnerability Type: CWE-Other
Vulnerability Consequences: Bypass Security

References:
  Source: CCN, Type: FreeBSD Security Notice: FreeBSD-SN-02:05 security issues in ports
  Source: CCN, Type: BugTraq Mailing List, Mon Aug 05 2002 - 18:03:29 CDT: IE SSL Vulnerability
  Source: CCN, Type: BugTraq Mailing List, Sat Aug 10 2002 - 22:28:25 CDT: TinySSL Vendor Statement: Basic Constraints Vulnerability
  Source: CCN, Type: BugTraq Mailing List, Mon Aug 19 2002 - 09:40:41 CDT: Insufficient Verification of Client Certificates in IIS 5.0 pre sp3
  Source: CCN, Type: VulnWatch Mailing List, Wed Jan 22 2003 - 02:54:35 CST: IE chain vulnerability
  Source: MITRE, Type: CNA: CVE-2002-0828
  Source: MITRE, Type: CNA: CVE-2002-0862
  Source: MITRE, Type: CNA: CVE-2002-0970
  Source: MITRE, Type: CNA: CVE-2002-1183
  Source: MITRE, Type: CNA: CVE-2002-1407
  Source: MITRE, Type: CNA: CVE-2009-0653
  Source: CCN, Type: Conectiva Linux Announcement: CLSA-2002:519 kde
  Source: BUGTRAQ, Type: UNKNOWN: 20020805 IE SSL Vulnerability
  Source: BUGTRAQ, Type: UNKNOWN: 20020812 IE SSL Exploit
  Source: BUGTRAQ, Type: UNKNOWN: 20020819 Insufficient Verification of Client Certificates in IIS 5.0 pre sp3
  Source: CCN, Type: RHSA-2002-220: Updated KDE packages fix security issues
  Source: CCN, Type: RHSA-2002-221: kdelibs security update
  Source: CCN, Type: CIAC Information Bulletin M-121: Microsoft Certificate Validation Vulnerability
  Source: CCN, Type: CIAC Information Bulletin N-020: Red Hat Multiple Vulnerabilities in KDE
  Source: DEBIAN, Type: DSA-155: kdelibs -- privacy escalation with Konqueror
  Source: CCN, Type: KDE Security Advisory 2002-08-18: Konqueror SSL vulnerability
  Source: CCN, Type: Microsoft Security Bulletin MS02-050: Certificate Validation Flaw Could Enable Identity Spoofing (Q328145)
  Source: CCN, Type: Microsoft Security Bulletin MS04-011: Security Update for Microsoft Windows (835732)
  Source: CCN, Type: Microsoft Corporation Web site: Information about Reported Web Security Vulnerability August 2002
  Source: CCN, Type: OSVDB ID: 59725: TinySSL SSL Basic Constraints Intermediate CA-signed Certificate Validation Failure
  Source: CCN, Type: OSVDB ID: 865: Multiple Vendor SSL Basic Constraints Intermediate CA-signed Certificate Validation Failure
  Source: CCN, Type: BID-33837: Mozilla Firefox International Domain Name Subdomain URI Spoofing Vulnerability
  Source: CCN, Type: BID-5410: Multiple Vendor Invalid X.509 Certificate Chain Vulnerability
  Source: CCN, Type: TinySSL Web site: TinySSL -- A Lightweight SSL Implementation in Java
  Source: MS, Type: UNKNOWN: MS02-050
  Source: XF, Type: UNKNOWN: ssl-ca-certificate-spoofing(9776)
  Source: OVAL, Type: UNKNOWN: oval:org.mitre.oval:def:1056
  Source: OVAL, Type: UNKNOWN: oval:org.mitre.oval:def:1332
  Source: OVAL, Type: UNKNOWN: oval:org.mitre.oval:def:2671
  Source: CCN, Type: Moxie Marlinspike Whitepaper: New Tricks For Defeating SSL In Practice

Vulnerable Configuration:

Configuration 1 (any of):
  cpe:/a:kde:konqueror:2.2.2:*:*:*:*:*:*:*
  cpe:/a:kde:konqueror:3.0:*:*:*:*:*:*:*
  cpe:/a:microsoft:internet_explorer:5.5:*:*:*:*:*:*:*
  cpe:/a:microsoft:internet_explorer:5.5:sp1:*:*:*:*:*:*
  cpe:/a:microsoft:internet_explorer:5.0:*:*:*:*:*:*:*
  cpe:/a:microsoft:internet_explorer:5.0.1:*:*:*:*:*:*:*
  cpe:/a:microsoft:ie_for_macintosh:5.0:*:*:*:*:*:*:*
  cpe:/a:microsoft:ie_for_macintosh:5.1:*:*:*:*:*:*:*
  cpe:/a:microsoft:outlook_express:4.5:*:macos:*:*:*:*:*
  cpe:/a:microsoft:outlook_express:5.0:*:*:*:*:*:*:*
  cpe:/a:microsoft:outlook_express:5.0.1:*:macos:*:*:*:*:*
  cpe:/a:microsoft:outlook_express:5.0:*:macos:*:*:*:*:*
  cpe:/a:kde:konqueror:3.0.2:*:*:*:*:*:*:*
  cpe:/a:microsoft:office:2001:sr1:mac_os:*:*:*:*:*
  cpe:/a:microsoft:internet_information_services:5.0:*:*:*:*:*:*:*
  cpe:/a:kde:konqueror:3.0.1:*:*:*:*:*:*:*
  cpe:/a:adam_megacz:tinyssl:1.0.2:*:*:*:*:*:*:*
  cpe:/a:microsoft:outlook_express:5.0.2:*:macos:*:*:*:*:*
  cpe:/a:microsoft:office:2001:*:macintosh:*:*:*:*:*
  cpe:/a:microsoft:office:98:*:mac:*:*:*:*:*
  cpe:/a:microsoft:ie_for_macintosh:5.1.1:*:*:*:*:*:*:*
  cpe:/a:microsoft:office:v.x:*:*:*:*:*:*:*
  cpe:/a:microsoft:outlook_express:5.0.3:*:macos:*:*:*:*:*
  cpe:/a:microsoft:internet_explorer:5.5:sp2:*:*:*:*:*:*
  cpe:/a:microsoft:internet_explorer:5.0.1:sp2:*:*:*:*:*:*
  cpe:/a:microsoft:internet_explorer:5.0.1:sp1:*:*:*:*:*:*
  cpe:/a:microsoft:internet_explorer:6.0:*:*:*:*:*:*:*

Configuration 2 (any of):
  cpe:/o:kde:kde:2.2.2:*:*:*:*:*:*:*
  cpe:/o:kde:kde:3.0:*:*:*:*:*:*:*
  cpe:/o:microsoft:windows_2000:*:sp1:*:*:*:*:*:*
  cpe:/o:microsoft:windows_98se:*:*:*:*:*:*:*:*
  cpe:/o:microsoft:windows_me:*:*:*:*:*:*:*:*
  cpe:/o:microsoft:windows_nt:4.0:sp2:*:*:*:*:*:*
  cpe:/o:microsoft:windows_nt:4.0:sp2:alpha:*:*:*:*:*
  cpe:/o:microsoft:windows_nt:4.0:sp5:*:*:*:*:*:*
  cpe:/o:microsoft:windows_nt:4.0:sp5:alpha:*:*:*:*:*
  cpe:/o:microsoft:windows_nt:4.0:sp6a:*:*:terminal_server:*:x86:*
  cpe:/o:microsoft:windows_xp:*:*:64-bit:*:*:*:*:*
  cpe:/o:kde:kde:2.2.1:*:*:*:*:*:*:*
  cpe:/o:microsoft:windows_nt:4.0:sp4:alpha:*:*:*:*:*
  cpe:/o:microsoft:windows_2000_terminal_services:*:sp1:*:*:*:*:*:*
  cpe:/o:baltimore_technologies:mailsecure:*:*:*:*:*:*:*:*
  cpe:/o:microsoft:windows_2000:*:*:*:*:*:*:*:*
  cpe:/o:microsoft:windows_nt:4.0:sp6:*:*:terminal_server:*:x86:*
  cpe:/o:microsoft:windows_nt:4.0:sp6:alpha:*:*:*:*:*
  cpe:/o:microsoft:windows_nt:4.0:sp6a:alpha:*:*:*:*:*
  cpe:/o:microsoft:windows_nt:4.0:sp1:alpha:*:*:*:*:*
  cpe:/o:microsoft:windows_2000:*:sp2:*:*:*:*:*:*
  cpe:/o:microsoft:windows_nt:4.0:sp1:*:*:*:*:*:*
  cpe:/o:microsoft:windows_nt:4.0:sp4:*:*:*:*:*:*
  cpe:/o:microsoft:windows_nt:4.0:sp3:alpha:*:*:*:*:*
  cpe:/o:microsoft:windows_nt:4.0:sp4:*:*:terminal_server:*:x86:*
  cpe:/o:microsoft:windows_2000_terminal_services:*:sp3:*:*:*:*:*:*
  cpe:/o:microsoft:windows_nt:4.0:sp6a:*:*:*:*:*:*
  cpe:/o:microsoft:windows_nt:4.0:*:terminal_server:*:*:*:*:*
  cpe:/o:microsoft:windows_nt:4.0:sp1:*:*:terminal_server:*:x86:*
  cpe:/o:microsoft:windows_nt:4.0:sp3:*:*:terminal_server:*:x86:*
  cpe:/o:microsoft:windows_98:*:gold:*:*:*:*:*:*
  cpe:/o:microsoft:windows_2000_terminal_services:*:sp2:*:*:*:*:*:*
  cpe:/o:microsoft:windows_2000:*:sp3:*:*:*:*:*:*
  cpe:/o:microsoft:windows_nt:4.0:*:*:*:*:*:*:*
  cpe:/o:kde:kde:3.0.2:*:*:*:*:*:*:*
  cpe:/o:microsoft:windows_nt:4.0:*:alpha:*:*:*:*:*
  cpe:/o:microsoft:windows_xp:*:gold:professional:*:*:*:*:*
  cpe:/o:kde:kde:3.0.1:*:*:*:*:*:*:*
  cpe:/o:microsoft:windows_nt:4.0:sp6:*:*:*:*:*:*
  cpe:/o:microsoft:windows_xp:*:*:home:*:*:*:*:*
  cpe:/o:microsoft:windows_nt:4.0:sp2:*:*:terminal_server:*:x86:*
  cpe:/o:microsoft:windows_nt:4.0:sp5:*:*:terminal_server:*:x86:*
  cpe:/o:microsoft:windows_nt:4.0:sp3:*:*:*:*:*:*
  cpe:/o:microsoft:windows_2000_terminal_services:*:*:*:*:*:*:*:*
  cpe:/o:microsoft:windows_xp:*:gold:*:*:*:*:*:*

Configuration CCN 1 (any of):
  cpe:/a:microsoft:ie:*:*:*:*:*:*:*:*
  cpe:/o:microsoft:windows_nt:4.0:*:terminal_server:*:*:*:*:*
  cpe:/o:freebsd:ports_collection:*:*:*:*:*:*:*:*
  cpe:/o:mandrakesoft:mandrake_linux:8.1:*:*:*:*:*:*:*
  cpe:/o:redhat:linux:7.2:*:*:*:*:*:*:*
  cpe:/o:mandrakesoft:mandrake_linux:8.2:*:*:*:*:*:*:*
  cpe:/a:microsoft:office:2001:*:*:*:*:*:*:*
  cpe:/o:conectiva:linux:8.0:*:*:*:*:*:*:*
  cpe:/o:redhat:linux:7.3:*:*:*:*:*:*:*
  cpe:/o:debian:debian_linux:3.0:*:*:*:*:*:*:*
  cpe:/o:kde:kde:3.0.2:*:*:*:*:*:*:*
  cpe:/o:redhat:linux:8.0:*:*:*:*:*:*:*
  cpe:/o:redhat:enterprise_linux:2.1:*:*:*:*:*:*:*