Vulnerability Name:

CVE-2011-1094 (CCN-65986)

Assigned:2011-01-31
Published:2011-01-31
Updated:2017-08-17
Summary:kio/kio/tcpslavebase.cpp in KDE KSSL in kdelibs before 4.6.1 does not properly verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a certificate issued by a legitimate Certification Authority for an IP address, a different vulnerability than CVE-2009-2702.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
4.3 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-20
Vulnerability Consequences:Bypass Security
References:Source: CCN
Type: oss-security: Tomas Hoger | 8 Mar 15:36
KDE SSL name check issue

Source: MITRE
Type: CNA
CVE-2011-1094

Source: CCN
Type: KDE Web site
K Desktop Environment -Conquer your Desktop!

Source: MLIST
Type: Patch
[oss-security] 20110308 KDE SSL name check issue

Source: MLIST
Type: Patch
[oss-security] 20110308 Re: KDE SSL name check issue

Source: CCN
Type: RHSA-2011-0464
Moderate: kdelibs security update

Source: SECUNIA
Type: UNKNOWN
44108

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2011:071

Source: BID
Type: UNKNOWN
46789

Source: CCN
Type: BID-46789
KDE kdelibs IP Address SSL Certificate Security Bypass Vulnerability

Source: UBUNTU
Type: UNKNOWN
USN-1110-1

Source: VUPEN
Type: UNKNOWN
ADV-2011-0913

Source: VUPEN
Type: UNKNOWN
ADV-2011-0990

Source: XF
Type: UNKNOWN
kdelibs-ssl-security-bypass(65986)

Source: XF
Type: UNKNOWN
kdelibs-ssl-security-bypass(65986)

Source: CONFIRM
Type: Patch
https://projects.kde.org/projects/kde/kdelibs/repository/revisions/76f935197599a335a5fe09b78751ddb455248cf7

Source: SUSE
Type: SUSE-SR:2011:006
SUSE Security Summary Report

Vulnerable Configuration:Configuration 1:
  • cpe:/a:redhat:kdelibs:3.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:kdelibs:3.5.9:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:kdelibs:3.5.10:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:kdelibs:*:*:*:*:*:*:*:* (Version <= 4.6)

    • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:6::client:*:*:*:*:*

    • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:6::computenode:*:*:*:*:*

    • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

    • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20111094
    V
    		CVE-2011-1094
    2022-05-20
    oval:org.mitre.oval:def:13867
    P
    		USN-1110-1 -- kde4libs vulnerabilities
    2014-06-30
    oval:org.mitre.oval:def:23600
    P
    		ELSA-2011:0464: kdelibs security update (Moderate)
    2014-05-26
    oval:org.mitre.oval:def:21872
    P
    		RHSA-2011:0464: kdelibs security update (Moderate)
    2014-02-24
    oval:com.redhat.rhsa:def:20110464
    P
    		RHSA-2011:0464: kdelibs security update (Moderate)
    2011-04-21
    BACK
    redhat kdelibs 3.5.2
    redhat kdelibs 3.5.9
    redhat kdelibs 3.5.10
    redhat kdelibs *