Vulnerability Description
The Data Security component in Apple iOS before 4.2.10 and 4.3.x before 4.3.5 does not check the basicConstraints parameter during validation of X.509 certificate chains, which allows man-in-the-middle attackers to spoof an SSL server by using a non-CA certificate to sign a certificate for an arbitrary domain.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apple | Iphone Os | <= 4.2.9 |
Related Weaknesses (CWE)
References
- http://lists.apple.com/archives/security-announce/2011//Jul/msg00004.htmlVendor Advisory
- http://lists.apple.com/archives/security-announce/2011//Jul/msg00005.htmlVendor Advisory
- http://secunia.com/advisories/45369Vendor Advisory
- http://securityreason.com/securityalert/8361
- http://securitytracker.com/id?1025837
- http://support.apple.com/kb/HT4824
- http://support.apple.com/kb/HT4825Vendor Advisory
- http://www.securityfocus.com/archive/1/518982/100/0/threaded
- http://www.securityfocus.com/bid/48877
- https://www.trustwave.com/spiderlabs/advisories/TWSL2011-007.txt
- http://lists.apple.com/archives/security-announce/2011//Jul/msg00004.htmlVendor Advisory
- http://lists.apple.com/archives/security-announce/2011//Jul/msg00005.htmlVendor Advisory
- http://secunia.com/advisories/45369Vendor Advisory
- http://securityreason.com/securityalert/8361
- http://securitytracker.com/id?1025837
FAQ
What is CVE-2011-0228?
CVE-2011-0228 is a vulnerability with a CVSS score of 7.5 (HIGH). The Data Security component in Apple iOS before 4.2.10 and 4.3.x before 4.3.5 does not check the basicConstraints parameter during validation of X.509 certificate chains, which allows man-in-the-middl...
How severe is CVE-2011-0228?
CVE-2011-0228 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2011-0228?
Check the references section above for vendor advisories and patch information. Affected products include: Apple Iphone Os.