certfr_avis - CERTA-2012-AVI-048

CERTA-2012-AVI-048

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité présente dans Software Properties peut être utilisée par un attaquant afin d'installer des clés PPA GPG arbitraires.

Description

Une vulnérabilité existe dans le processus de validation du certificat serveur de Software Properties. Elle permet à un utilisateur distant malintentionné d'effectuer une attaque de type homme du milieu (man-in-the-middle) provoquant alors l'installation de clés GPG arbitraires.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Ubuntu	Ubuntu	Ubuntu 10.10 ;
Ubuntu	Ubuntu	Ubuntu 11.10 ;
Ubuntu	Ubuntu	Ubuntu 11.04 ;
Ubuntu	Ubuntu	Ubuntu 10.04 LTS.

References

Title

Publication Time

Tags

Bulletin de sécurité Ubuntu USN-1352-1 du 31 janvier 2012	None	vendor-advisory
Bulletin de sécurité Ubuntu USN-1352-1 du 30 janvier 2012 :	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Ubuntu 10.10 ;",
      "product": {
        "name": "Ubuntu",
        "vendor": {
          "name": "Ubuntu",
          "scada": false
        }
      }
    },
    {
      "description": "Ubuntu 11.10 ;",
      "product": {
        "name": "Ubuntu",
        "vendor": {
          "name": "Ubuntu",
          "scada": false
        }
      }
    },
    {
      "description": "Ubuntu 11.04 ;",
      "product": {
        "name": "Ubuntu",
        "vendor": {
          "name": "Ubuntu",
          "scada": false
        }
      }
    },
    {
      "description": "Ubuntu 10.04 LTS.",
      "product": {
        "name": "Ubuntu",
        "vendor": {
          "name": "Ubuntu",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\nUne vuln\u00e9rabilit\u00e9 existe dans le processus de validation du certificat\nserveur de Software Properties. Elle permet \u00e0 un utilisateur distant\nmalintentionn\u00e9 d\u0027effectuer une attaque de type homme du milieu\n(man-in-the-middle) provoquant alors l\u0027installation de cl\u00e9s GPG\narbitraires.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2011-4407",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-4407"
    }
  ],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-1352-1 du 30 janvier 2012 :",
      "url": "http://www.ubuntu.com/usn/usn-1352-1/"
    }
  ],
  "reference": "CERTA-2012-AVI-048",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2012-02-01T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 pr\u00e9sente dans \u003cspan class=\"textit\"\u003eSoftware\nProperties\u003c/span\u003e peut \u00eatre utilis\u00e9e par un attaquant afin d\u0027installer\ndes cl\u00e9s PPA GPG arbitraires.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Ubuntu Software Properties",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-1352-1 du 31 janvier 2012",
      "url": null
    }
  ]
}

CVE-2011-4407 (GCVE-0-2011-4407)

Vulnerability from cvelistv5 – Published: 2014-05-14 00:00 – Updated: 2024-08-07 00:09

Summary

ppa.py in Software Properties before 0.81.13.3 does not validate the server certificate when downloading PPA GPG key fingerprints, which allows man-in-the-middle (MITM) attackers to spoof GPG keys for a package repository.

Severity ?

No CVSS data available.

CWE

Assigner

canonical

References

URL

Tags

	http://www.ubuntu.com/usn/USN-1352-1	vendor-advisoryx_refsource_UBUNTU
	https://bugs.launchpad.net/ubuntu/%2Bsource/softw…	x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T00:09:18.408Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "USN-1352-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-1352-1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugs.launchpad.net/ubuntu/%2Bsource/software-properties/%2Bbug/915210"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2012-01-31T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "ppa.py in Software Properties before 0.81.13.3 does not validate the server certificate when downloading PPA GPG key fingerprints, which allows man-in-the-middle (MITM) attackers to spoof GPG keys for a package repository."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2014-05-13T23:57:00",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "name": "USN-1352-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-1352-1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugs.launchpad.net/ubuntu/%2Bsource/software-properties/%2Bbug/915210"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@ubuntu.com",
          "ID": "CVE-2011-4407",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "ppa.py in Software Properties before 0.81.13.3 does not validate the server certificate when downloading PPA GPG key fingerprints, which allows man-in-the-middle (MITM) attackers to spoof GPG keys for a package repository."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "USN-1352-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-1352-1"
            },
            {
              "name": "https://bugs.launchpad.net/ubuntu/%2Bsource/software-properties/%2Bbug/915210",
              "refsource": "CONFIRM",
              "url": "https://bugs.launchpad.net/ubuntu/%2Bsource/software-properties/%2Bbug/915210"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2011-4407",
    "datePublished": "2014-05-14T00:00:00",
    "dateReserved": "2011-11-07T00:00:00",
    "dateUpdated": "2024-08-07T00:09:18.408Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CERTA-2012-AVI-048

Description

Solution

CVE-2011-4407 (GCVE-0-2011-4407)

Tags

Sightings

Nomenclature