FreeBSD : libcloud -- possible SSL MITM due to invalid regexp used to validate target server hostname (a14dee30-e3d7-11e1-a084-50e5492bd3dc)

This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

The libcloud development team reports :

When establishing a secure (SSL / TLS) connection to a target server,
an invalid regular expression has been used for performing the
hostname verification. A subset instead of the full target server
hostname has been marked as an acceptable match for the given
hostname. For example, a certificate with a hostname field of
'aexample.com' was considered a valid certificate for domain
'example.com'.
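
The failure mode quoted above, as an added example that is not libcloud's code or part of the original advisory: an unanchored regular-expression check (`loose_match`, a constructed stand-in for the flawed logic) beside a whole-name, label-by-label comparison (`strict_match`). It goes slightly beyond the advisory by also covering a leftmost-label wildcard; all function names and sample names are assumptions made for illustration.

```python
import re

def loose_match(cert_name: str, hostname: str) -> bool:
    """Flawed (constructed): unanchored search, so a certificate name that
    merely contains the requested hostname is accepted."""
    return re.search(re.escape(hostname), cert_name, re.IGNORECASE) is not None

def strict_match(cert_name: str, hostname: str) -> bool:
    """Compare the full name label by label; '*' is honoured only as the
    entire leftmost label and never spans a dot."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels) or "" in host_labels:
        return False
    first, rest = cert_labels[0], cert_labels[1:]
    if first == "*":
        # Require at least two fixed labels after the wildcard (no '*.com').
        if len(rest) < 2:
            return False
    elif first != host_labels[0]:
        return False
    return rest == host_labels[1:]

# Constructed (certificate name, requested hostname) pairs.
SAMPLES = [
    ("example.com", "example.com"),          # exact match
    ("aexample.com", "example.com"),         # the advisory's example
    ("example.com.invalid", "example.com"),  # hostname is only a prefix
    ("*.example.com", "api.example.com"),    # legitimate wildcard
    ("*.example.com", "example.com"),        # wildcard must not match the apex
]

def disagreements(samples):
    """Pairs where the loose and strict checks give different verdicts."""
    return [(c, h) for c, h in samples if loose_match(c, h) != strict_match(c, h)]

if __name__ == "__main__":
    for cert_name, hostname in SAMPLES:
        print(f"{cert_name!r:24} for {hostname!r:20} "
              f"loose={loose_match(cert_name, hostname)} "
              f"strict={strict_match(cert_name, hostname)}")
```

Pairs like these work as a regression test for any client-side hostname verifier: the strict verdicts are the ones a verifier should produce.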

See also :

http://seclists.org/fulldisclosure/2012/Aug/55
http://www.nessus.org/u?b3d33fb0

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 5.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 61503

Bugtraq ID:

CVE ID: CVE-2012-3446
