Executive Summary

Summary
Title Install Norton Security for Mac does not verify SSL certificates
Informations
Name VU#681983 First vendor Publication 2017-11-21
Vendor VU-CERT Last vendor Modification 2017-11-21
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score N/A Attack Range N/A
Cvss Impact Score N/A Attack Complexity N/A
Cvss Expoit Score N/A Authentication N/A
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#681983

Install Norton Security for Mac does not verify SSL certificates

Original Release date: 21 Nov 2017 | Last revised: 21 Nov 2017

Overview

Install Norton Security for Mac, prior to version 7.6, does not validate SSL certificates.

Description

CWE-295: Improper Certificate Validation - CVE-2017-15528

The Install Norton Security for Mac installer, versions prior to 7.6, fails to properly validate SSL certificates provided by HTTPS connections, which can allow an attacker to obtain a Man-in-the-Middle position.

Impact

An attacker with a Man-in-the-Middle position can spoof content retrieved using HTTPS.

Solution

Use Updated Installer

Symantec has released an updated installer, version 7.6, to address the vulnerability. Please see more information at Symantec's advisory.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
SymantecUnknown09 Oct 201709 Oct 2017
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base5.1AV:N/AC:H/Au:N/C:P/I:P/A:P
Temporal5.1E:ND/RL:ND/RC:ND
Environmental1.3CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

  • https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20171121_00
  • https://us.norton.com/downloads

Credit

Thanks to David for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

  • CVE IDs:CVE-2017-15528
  • Date Public:21 Nov 2017
  • Date First Published:21 Nov 2017
  • Date Last Updated:21 Nov 2017
  • Document Revision:9

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/681983

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2017-11-22 00:20:17
  • First insertion