Vulnerability Note VU#389795
Windows Phone 7 does not check certificate Common Names when sending or receiving emails over SSL.
Overview
Windows Phone 7 does not check CN (Common Name) of server certificates when receiving or sending e-mails using POP3/IMAP/SMTP servers using SSL.
Description
Windows Phone 7 fails to check the CN (Common Name) of server certificates when receiving or sending e-mails using POP3/IMAP/SMTP servers using SSL allowing an attacker to perform a man-in-the-middle attack between the phone and the mail server. |
Impact
A remote attacker with the ability to pose as a man-in-the-middle may be able to view the login or session data in the corresponding protocol (e.g., SMTP, POP3, etc.). |
Solution
Microsoft has acknowledged this vulnerability and stated that they will be releasing an update. |
Vendor Information (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Microsoft Corporation | Affected | 19 Jun 2012 | 10 Sep 2012 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | 5.4 | AV:N/AC:H/Au:N/C:C/I:N/A:N |
| Temporal | 4.4 | E:POC/RL:U/RC:UC |
| Environmental | 4.6 | CDP:LM/TD:M/CR:ND/IR:ND/AR:ND |
References
Credit
Thanks to the reporter that wishes to remain anonymous.
This document was written by Michael Orlando.
Other Information
- CVE IDs: CVE-2012-2993
- Date Public: 17 Sep 2012
- Date First Published: 17 Sep 2012
- Date Last Updated: 17 Sep 2012
- Document Revision: 11
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.