Vulnerability Description
The client in Lenovo System Update before 3.14 does not properly validate the certificate when establishing an SSL connection, which allows remote attackers to install arbitrary packages via an SSL certificate whose X.509 headers match a public certificate used by IBM.
CVSS Score
5.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lenovo | Thinkvantage System Update | <= 3.13.0005 |
Related Weaknesses (CWE)
References
- http://secunia.com/advisories/30379 (Patch, Vendor Advisory)
- http://securitytracker.com/id?1020112
- http://www.security-objectives.com/advisories/SECOBJADV-2008-01.txt
- http://www.securityfocus.com/archive/1/492579
- http://www.securityfocus.com/bid/29366
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42638
FAQ
What is CVE-2008-3249?
CVE-2008-3249 is a vulnerability with a CVSS score of 5.1 (MEDIUM). The client in Lenovo System Update before 3.14 does not properly validate the certificate when establishing an SSL connection, which allows remote attackers to install arbitrary packages via an SSL ce...
How severe is CVE-2008-3249?
CVE-2008-3249 has been rated MEDIUM with a CVSS base score of 5.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2008-3249?
Check the references section above for vendor advisories and patch information. Affected products include: Lenovo Thinkvantage System Update.