CVE Vulnerabilities

CVE-2016-1280

Improper Validation of Certificate with Host Mismatch

Published: Sep 09, 2016 | Modified: Sep 01, 2017
CVSS 3.x
6.5
MEDIUM
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 2.x
6.4 MEDIUM
AV:N/AC:L/Au:N/C:P/I:P/A:N
RedHat/V2
RedHat/V3
Ubuntu

PKId in Juniper Junos OS before 12.1X44-D52, 12.1X46 before 12.1X46-D37, 12.1X47 before 12.1X47-D30, 12.3 before 12.3R12, 12.3X48 before 12.3X48-D20, 13.3 before 13.3R10, 14.1 before 14.1R8, 14.1X53 before 14.1X53-D40, 14.2 before 14.2R7, 15.1 before 15.1R4, 15.1X49 before 15.1X49-D20, 15.1X53 before 15.1X53-D60, and 16.1 before 16.1R1 allow remote attackers to bypass an intended certificate validation mechanism via a self-signed certificate with an Issuer name that matches a valid CA certificate enrolled in Junos.

Weakness

The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.

Affected Software

Name Vendor Start Version End Version
Junos Juniper * 12.1x44 (including)
Junos Juniper 12.1x46 (including) 12.1x46 (including)
Junos Juniper 12.1x46-d10 (including) 12.1x46-d10 (including)
Junos Juniper 12.1x46-d15 (including) 12.1x46-d15 (including)
Junos Juniper 12.1x46-d20 (including) 12.1x46-d20 (including)
Junos Juniper 12.1x46-d25 (including) 12.1x46-d25 (including)
Junos Juniper 12.1x46-d30 (including) 12.1x46-d30 (including)
Junos Juniper 12.1x46-d35 (including) 12.1x46-d35 (including)
Junos Juniper 12.1x47 (including) 12.1x47 (including)
Junos Juniper 12.1x47-d10 (including) 12.1x47-d10 (including)
Junos Juniper 12.1x47-d15 (including) 12.1x47-d15 (including)
Junos Juniper 12.1x47-d20 (including) 12.1x47-d20 (including)
Junos Juniper 12.1x47-d25 (including) 12.1x47-d25 (including)
Junos Juniper 12.3 (including) 12.3 (including)
Junos Juniper 12.3-r1 (including) 12.3-r1 (including)
Junos Juniper 12.3-r10 (including) 12.3-r10 (including)
Junos Juniper 12.3-r11 (including) 12.3-r11 (including)
Junos Juniper 12.3-r2 (including) 12.3-r2 (including)
Junos Juniper 12.3-r3 (including) 12.3-r3 (including)
Junos Juniper 12.3-r4 (including) 12.3-r4 (including)
Junos Juniper 12.3-r5 (including) 12.3-r5 (including)
Junos Juniper 12.3-r6 (including) 12.3-r6 (including)
Junos Juniper 12.3-r7 (including) 12.3-r7 (including)
Junos Juniper 12.3-r8 (including) 12.3-r8 (including)
Junos Juniper 12.3-r9 (including) 12.3-r9 (including)
Junos Juniper 12.3x48-d10 (including) 12.3x48-d10 (including)
Junos Juniper 12.3x48-d15 (including) 12.3x48-d15 (including)
Junos Juniper 12.3x50 (including) 12.3x50 (including)
Junos Juniper 13.3 (including) 13.3 (including)
Junos Juniper 13.3-r1 (including) 13.3-r1 (including)
Junos Juniper 13.3-r2 (including) 13.3-r2 (including)
Junos Juniper 13.3-r2-s2 (including) 13.3-r2-s2 (including)
Junos Juniper 13.3-r3 (including) 13.3-r3 (including)
Junos Juniper 13.3-r4 (including) 13.3-r4 (including)
Junos Juniper 13.3-r5 (including) 13.3-r5 (including)
Junos Juniper 13.3-r6 (including) 13.3-r6 (including)
Junos Juniper 13.3-r7 (including) 13.3-r7 (including)
Junos Juniper 13.3-r8 (including) 13.3-r8 (including)
Junos Juniper 13.3-r9 (including) 13.3-r9 (including)
Junos Juniper 14.1 (including) 14.1 (including)
Junos Juniper 14.1-r1 (including) 14.1-r1 (including)
Junos Juniper 14.1-r2 (including) 14.1-r2 (including)
Junos Juniper 14.1-r3 (including) 14.1-r3 (including)
Junos Juniper 14.1-r4 (including) 14.1-r4 (including)
Junos Juniper 14.1-r5 (including) 14.1-r5 (including)
Junos Juniper 14.1-r6 (including) 14.1-r6 (including)
Junos Juniper 14.1-r7 (including) 14.1-r7 (including)
Junos Juniper 14.1x53-d10 (including) 14.1x53-d10 (including)
Junos Juniper 14.1x53-d15 (including) 14.1x53-d15 (including)
Junos Juniper 14.1x53-d16 (including) 14.1x53-d16 (including)
Junos Juniper 14.1x53-d25 (including) 14.1x53-d25 (including)
Junos Juniper 14.1x53-d26 (including) 14.1x53-d26 (including)
Junos Juniper 14.1x53-d27 (including) 14.1x53-d27 (including)
Junos Juniper 14.1x53-d30 (including) 14.1x53-d30 (including)
Junos Juniper 14.1x53-d35 (including) 14.1x53-d35 (including)
Junos Juniper 14.2 (including) 14.2 (including)
Junos Juniper 14.2-r1 (including) 14.2-r1 (including)
Junos Juniper 14.2-r2 (including) 14.2-r2 (including)
Junos Juniper 14.2-r3 (including) 14.2-r3 (including)
Junos Juniper 14.2-r4 (including) 14.2-r4 (including)
Junos Juniper 14.2-r5 (including) 14.2-r5 (including)
Junos Juniper 14.2-r6 (including) 14.2-r6 (including)
Junos Juniper 15.1-r1 (including) 15.1-r1 (including)
Junos Juniper 15.1-r2 (including) 15.1-r2 (including)
Junos Juniper 15.1-r3 (including) 15.1-r3 (including)
Junos Juniper 15.1x49-d10 (including) 15.1x49-d10 (including)
Junos Juniper 15.1x53-d10 (including) 15.1x53-d10 (including)
Junos Juniper 15.1x53-d20 (including) 15.1x53-d20 (including)
Junos Juniper 15.1x53-d21 (including) 15.1x53-d21 (including)
Junos Juniper 15.1x53-d30 (including) 15.1x53-d30 (including)
Junos Juniper 15.1x53-d32 (including) 15.1x53-d32 (including)
Junos Juniper 15.1x53-d33 (including) 15.1x53-d33 (including)
Junos Juniper 15.1x53-d34 (including) 15.1x53-d34 (including)
Junos Juniper 16.1 (including) 16.1 (including)

Extended Description

Even if a certificate is well-formed, signed, and follows the chain of trust, it may simply be a valid certificate for a different site than the site that the product is interacting with. If the certificate’s host-specific data is not properly checked - such as the Common Name (CN) in the Subject or the Subject Alternative Name (SAN) extension of an X.509 certificate - it may be possible for a redirection or spoofing attack to allow a malicious host with a valid certificate to provide data, impersonating a trusted host. In order to ensure data integrity, the certificate must be valid and it must pertain to the site that is being accessed. Even if the product attempts to check the hostname, it is still possible to incorrectly check the hostname. For example, attackers could create a certificate with a name that begins with a trusted name followed by a NUL byte, which could cause some string-based comparisons to only examine the portion that contains the trusted name. This weakness can occur even when the product uses Certificate Pinning, if the product does not verify the hostname at the time a certificate is pinned.

Potential Mitigations

References