The POCO C++ Libraries NetSSL library fails to properly validate wildcard certificates, allowing an attacker to trick the victim application into trusting a malicious certificate.
CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action
Guenter Obiltschnig of Applied Informatics GmbH reports:
After a successful DNS spoofing attack, the attacker may be able to trick a SSL/TLS client into successfully validating a certificate from a malicious server. However, this requires that the certificate first passes the certificate chain validation.
Apply an Update
Applied Informatics GmbH
Thanks to Tuomas Siren and Alexander Berezhnoy for originally discovering the vulnerability.
This document was written by Todd Lewellen.
|Date First Published:||2014-04-24|
|Date Last Updated:||2014-04-24 15:00 UTC|