CERT-In Vulnerability Note CIVN-2009-33
Microsoft Windows Secure Channel Security Package Authentication Bypass Vulnerability

Original Issue Date: March 12, 2009

Severity Rating: High

Systems Affected

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 2 and Service Pack 3
  • Microsoft Windows XP Professional x64 and Microsoft Windows XP Professional x64 Service Pack 2
  • Microsoft Windows Server 2003 Service Pack 1 and Service Pack 2
  • Microsoft Windows Server 2003 x64 and Microsoft Windows Server 2003 x64 Service Pack 2
  • Microsoft Windows Server 2003 Service Pack 1 and Service Pack 2 for Itanium-based Systems
  • Microsoft Windows Vista and Microsoft Windows Vista Service Pack 1
  • Microsoft Windows Vista x64 Edition and Microsoft Windows Vista x64 Edition Service Pack 1
  • Microsoft Windows Server 2008 for 32-bit, x64-based and Itanium-based Systems

Overview

The Microsoft Windows Secure Channel (SChannel) security package contains a spoofing vulnerability that can be exploited when certificate-based authentication is in use.

Description

The Secure Channel (SChannel) security package is a security support provider that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) authentication protocols.

This vulnerability exists because the SChannel authentication component does not sufficiently validate certain certificate exchanges between client and server during certificate-based authentication. By sending specially crafted Transport Layer Security (TLS) packets, an attacker could impersonate an authorized user.
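The note above does not say which part of the certificate exchange is insufficiently validated. The following is an added illustrative model, not code from CERT-In or Microsoft and not a description of the SChannel implementation: it assumes that a server authenticating a client by certificate must check two separate things, that the certificate chains to a trusted CA and that the client proves possession of the matching private key by signing the handshake transcript (the TLS CertificateVerify step). The model uses a toy textbook-RSA signature with small constructed primes, constructed names ("alice", "mallory") and a constructed transcript string, and shows why skipping the proof-of-possession check lets anyone holding a user's public certificate be accepted as that user.

```python
"""Model of certificate-chain validation versus proof-of-possession in
TLS client-certificate authentication (illustrative, toy cryptography only)."""
import hashlib
import math


def _is_prime(n: int) -> bool:
    """Trial-division primality test; adequate for the tiny toy keys used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def _next_prime(n: int) -> int:
    while not _is_prime(n):
        n += 1
    return n


def _toy_keypair(p: int, q: int):
    """Textbook RSA key pair from two distinct primes (constructed, NOT secure)."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:  # keep e invertible modulo phi
        e += 2
    return (n, e), (n, pow(e, -1, phi))  # (public, private)


def _digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest_int(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(data, n)


def make_cert(subject: str, pubkey, issuer_priv) -> dict:
    """A minimal 'certificate': subject + public key, signed by the issuer."""
    tbs = f"{subject}|{pubkey[0]}|{pubkey[1]}".encode()
    return {"subject": subject, "pub": pubkey, "tbs": tbs, "sig": sign(issuer_priv, tbs)}


def chain_is_valid(cert: dict, ca_pub) -> bool:
    return verify(ca_pub, cert["tbs"], cert["sig"])


def authenticate_client(cert: dict, cert_verify_sig: int, transcript: bytes,
                        ca_pub, check_proof_of_possession: bool = True):
    """Return the authenticated subject, or None if authentication fails.

    check_proof_of_possession=False models a server that trusts the certificate
    chain alone and never checks that the client signed the handshake transcript.
    """
    if not chain_is_valid(cert, ca_pub):
        return None
    if check_proof_of_possession and not verify(cert["pub"], transcript, cert_verify_sig):
        return None
    return cert["subject"]


def demo() -> dict:
    """Run the four scenarios and return who each one authenticates as."""
    ca_pub, ca_priv = _toy_keypair(_next_prime(999_000), _next_prime(1_000_000))
    alice_pub, alice_priv = _toy_keypair(_next_prime(998_000), _next_prime(1_001_000))
    mallory_pub, mallory_priv = _toy_keypair(_next_prime(997_000), _next_prime(1_002_000))
    alice_cert = make_cert("alice", alice_pub, ca_priv)
    # Constructed stand-in for the handshake messages the CertificateVerify covers.
    transcript = b"ClientHello|ServerHello|Certificate|CertificateRequest|ClientKeyExchange"

    results = {}
    # Legitimate client: valid chain and a transcript signature under Alice's key.
    results["legitimate"] = authenticate_client(
        alice_cert, sign(alice_priv, transcript), transcript, ca_pub)
    # Impersonator holds Alice's public certificate but not her private key, so the
    # signature it supplies does not verify under the key in that certificate.
    bogus_sig = sign(mallory_priv, transcript)
    results["impersonator_full_check"] = authenticate_client(
        alice_cert, bogus_sig, transcript, ca_pub)
    results["impersonator_chain_only"] = authenticate_client(
        alice_cert, bogus_sig, transcript, ca_pub, check_proof_of_possession=False)
    # A certificate for "alice" not issued by the trusted CA fails the chain check.
    forged = make_cert("alice", mallory_pub, mallory_priv)
    results["forged_cert"] = authenticate_client(
        forged, sign(mallory_priv, transcript), transcript, ca_pub)
    return results


if __name__ == "__main__":
    for scenario, who in demo().items():
        print(f"{scenario:26s} -> {who}")
```

Only the chain-only server accepts the impersonator; every path that checks the transcript signature rejects it, and the forged certificate is rejected regardless. The patched behaviour a defender wants corresponds to `check_proof_of_possession=True`, which is why the vendor update rather than any certificate-trust change is the fix.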

Workaround

  • Users can implement Active Directory certificate mapping (mapping client certificates to user accounts in Active Directory), which is not affected by this vulnerability.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/ms09-007.mspx

References

Secunia
http://secunia.com/advisories/34215/

SecurityFocus
http://www.securityfocus.com/bid/34015

CVE Name
CVE-2009-0085

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003