Executive Summary
Summary | |
---|---|
Title | Research proves feasibility of collision attacks against MD5 |
Information | |||
---|---|---|---|
Name | KB961509 | First vendor Publication | 2008-12-30 |
Vendor | Microsoft | Last vendor Modification | 1970-01-01 |
Severity (Vendor) | N/A | Revision | 1.0 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Microsoft is aware that research was published at a security conference proving a successful attack against X.509 digital certificates signed using the MD5 hashing algorithm. This attack method could allow an attacker to generate additional digital certificates with different content that have the same digital signature as an original certificate. The MD5 algorithm had previously shown a vulnerability, but a practical attack had not yet been demonstrated. This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information. Microsoft is not aware of any active attacks using this issue and is actively working with certificate authorities to ensure they are aware of this new research and is encouraging them to migrate to the newer SHA-1 signing algorithm. While this issue is not a vulnerability in a Microsoft product, Microsoft is actively monitoring the situation and has worked with affected Certificate Authorities to keep customers informed and to provide customer guidance as necessary.
Mitigating Factors:
General Information
Overview
Purpose of Advisory: To assist customers in assessing the impact of this research announcement on their current certificate deployments.
Advisory Status: Issue Confirmed. No Security Update Planned.
Recommendation: Review the suggested actions and configure as appropriate.
This advisory discusses the following software.
Frequently Asked Questions
What is the scope of the advisory?
Is this a security vulnerability that requires Microsoft to issue a security update?
What causes this threat?
What might an attacker use this function to do?
Suggested Actions
Original Source
Url : http://www.microsoft.com/technet/security/advisory/961509.mspx |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-310 | Cryptographic Issues |
OVAL Definitions
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | | 1 |
OpenVAS Exploits
Date | Description |
---|---|
2009-03-20 | Name : Ubuntu USN-735-1 (gst-plugins-base0.10) File : nvt/ubuntu_735_1.nasl |
2009-03-20 | Name : Ubuntu USN-736-1 (gst-plugins-good0.10) File : nvt/ubuntu_736_1.nasl |
2009-03-20 | Name : Ubuntu USN-737-1 (libsoup) File : nvt/ubuntu_737_1.nasl |
2009-03-20 | Name : Ubuntu USN-739-1 (amarok) File : nvt/ubuntu_739_1.nasl |
2009-03-20 | Name : Ubuntu USN-740-1 (firefox) File : nvt/ubuntu_740_1.nasl |
2009-02-10 | Name : Fedora Core 9 FEDORA-2009-1276 (nss) File : nvt/fcore_2009_1276.nasl |
2009-02-10 | Name : Fedora Core 10 FEDORA-2009-1291 (nss) File : nvt/fcore_2009_1291.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
45127 | MD5 Algorithm Hash Function Collision Weakness |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-12-08 | Name : A known CA SSL certificate in the certificate chain has been signed using a w... File : ssl_weak_hash_ca.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Fedora host is missing a security update. File : fedora_2009-1291.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-740-1.nasl - Type : ACT_GATHER_INFO |
2009-02-05 | Name : The remote Fedora host is missing a security update. File : fedora_2009-1276.nasl - Type : ACT_GATHER_INFO |
2009-01-05 | Name : An SSL certificate in the certificate chain has been signed using a weak hash... File : ssl_weak_hash.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2016-12-09 13:25:25 |
2014-02-17 11:38:47 |