Vulnerability Name:

CVE-2002-1183 (CCN-9776)

Assigned:2002-08-05
Published:2002-08-05
Updated:2018-10-12
Summary:Microsoft Windows 98 and Windows NT 4.0 do not properly verify the Basic Constraints of digital certificates, allowing remote attackers to execute code, aka "New Variant of Certificate Validation Flaw Could Enable Identity Spoofing" (CAN-2002-0862).
CVSS v3 Severity:0.0 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
0.0 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Bypass Security
References:Source: CCN
Type: FreeBSD Security Notice FreeBSD-SN-02:05
security issues in ports

Source: CCN
Type: BugTraq Mailing List, Mon Aug 05 2002 - 18:03:29 CDT
IE SSL Vulnerability

Source: CCN
Type: BugTraq Mailing List, Sat Aug 10 2002 - 22:28:25 CDT
TinySSL Vendor Statement: Basic Constraints Vulnerability

Source: CCN
Type: BugTraq Mailing List, Mon Aug 19 2002 - 09:40:41 CDT
Insufficient Verification of Client Certificates in IIS 5.0 pre sp3

Source: CCN
Type: VulnWatch Mailing List, Wed Jan 22 2003 - 02:54:35 CST
IE chain vulnerability

Source: MITRE
Type: CNA
CVE-2002-0828

Source: MITRE
Type: CNA
CVE-2002-0862

Source: MITRE
Type: CNA
CVE-2002-0970

Source: MITRE
Type: CNA
CVE-2002-1183

Source: MITRE
Type: CNA
CVE-2002-1407

Source: MITRE
Type: CNA
CVE-2009-0653

Source: CCN
Type: Conectiva Linux Announcement CLSA-2002:519
kde

Source: CCN
Type: RHSA-2002-220
Updated KDE packages fix security issues

Source: CCN
Type: RHSA-2002-221
kdelibs security update

Source: CCN
Type: CIAC Information Bulletin M-121
Microsoft Certificate Validation Vulnerability

Source: CCN
Type: CIAC Information Bulletin N-020
Red Hat Multiple Vulnerabilities in KDE

Source: DEBIAN
Type: DSA-155
kdelibs -- privacy escalation with Konqueror

Source: CCN
Type: KDE Security Advisory 2002-08-18
Konqueror SSL vulnerability

Source: CCN
Type: Microsoft Security Bulletin MS02-050
Certificate Validation Flaw Could Enable Identity Spoofing (Q328145)

Source: CCN
Type: Microsoft Security Bulletin MS04-011
Security Update for Microsoft Windows (835732)

Source: CCN
Type: Microsoft Corporation Web site
Information about Reported Web Security Vulnerability August 2002

Source: CCN
Type: OSVDB ID: 59725
TinySSL SSL Basic Constraints Intermediate CA-signed Certificate Validation Failure

Source: CCN
Type: OSVDB ID: 865
Multiple Vendor SSL Basic Constraints Intermediate CA-signed Certificate Validation Failure

Source: CCN
Type: BID-33837
Mozilla Firefox International Domain Name Subdomain URI Spoofing Vulnerability

Source: BID
Type: Exploit, Patch, Vendor Advisory
5410

Source: CCN
Type: BID-5410
Multiple Vendor Invalid X.509 Certificate Chain Vulnerability

Source: CCN
Type: TinySSL Web site
TinySSL -- A Lightweight SSL Implementation in Java

Source: MS
Type: UNKNOWN
MS02-050

Source: XF
Type: UNKNOWN
ssl-ca-certificate-spoofing(9776)

Source: XF
Type: UNKNOWN
ssl-ca-certificate-spoofing(9776)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1059

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1455

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:2108

Source: CCN
Type: Moxie Marlinspike Whitepaper
New Tricks For Defeating SSL In Practice

Vulnerable Configuration:Configuration 1:
  • cpe:/o:microsoft:windows_98:*:gold:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_98se:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_nt:4.0:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:microsoft:ie:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_nt:4.0:*:terminal_server:*:*:*:*:*
  • OR cpe:/o:freebsd:ports_collection:*:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:8.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.2:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:8.2:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office:2001:*:*:*:*:*:*:*
  • OR cpe:/o:conectiva:linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:7.3:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:kde:kde:3.0.2:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:1059
    V
    		Microsoft Certificate Validation Flaw Identity Spoofing Vulnerability (Variant)
    2008-03-24
    oval:org.mitre.oval:def:1455
    V
    		Windows NT Certificate Validation Identity Spoofing Vulnerability (Test 1)
    2008-03-24
    oval:org.mitre.oval:def:2108
    V
    		Windows NT Certificate Validation Identity Spoofing Vulnerability (Test 2)
    2008-03-24
    BACK
    microsoft windows 98 * gold
    microsoft windows 98se *
    microsoft windows nt 4.0
    microsoft ie *
    microsoft windows nt 4.0
    freebsd ports collection *
    mandrakesoft mandrake linux 8.1
    redhat linux 7.2
    mandrakesoft mandrake linux 8.2
    microsoft office 2001
    conectiva linux 8.0
    redhat linux 7.3
    debian debian linux 3.0
    kde kde 3.0.2
    redhat linux 8.0
    redhat enterprise linux 2.1