search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Install Norton Security for Mac does not verify SSL certificates

Vulnerability Note VU#681983

Original Release Date: 2017-11-21 | Last Revised: 2017-11-21

Overview

Install Norton Security for Mac, prior to version 7.6, does not validate SSL certificates.

Description

CWE-295: Improper Certificate Validation - CVE-2017-15528

The Install Norton Security for Mac installer, versions prior to 7.6, fails to properly validate SSL certificates provided by HTTPS connections, which can allow an attacker to obtain a Man-in-the-Middle position.

Impact

An attacker with a Man-in-the-Middle position can spoof content retrieved using HTTPS.

Solution

Use Updated Installer

Symantec has released an updated installer, version 7.6, to address the vulnerability. Please see more information at Symantec's advisory.

Vendor Information

681983
 
Affected   Unknown   Unaffected

Symantec

Notified:  October 09, 2017 Updated:  October 09, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References


    CVSS Metrics

    Group Score Vector
    Base 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P
    Temporal 5.1 E:ND/RL:ND/RC:ND
    Environmental 1.3 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

    References

    Acknowledgements

    Thanks to David for reporting this vulnerability.

    This document was written by Trent Novelly.

    Other Information

    CVE IDs: CVE-2017-15528
    Date Public: 2017-11-21
    Date First Published: 2017-11-21
    Date Last Updated: 2017-11-21 21:21 UTC
    Document Revision: 9

    Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.