Vigil@nce - FreeBSD : no signature control by pkg

October 2015, by Vigil@nce

This bulletin was written by Vigil@nce : http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

An attacker can exploit an incomplete configuration of pkg(7) in
FreeBSD, in order to perform a man-in-the-middle attack.

Impacted products : FreeBSD.

Severity : 2/4.

Creation date : 26/08/2015.

DESCRIPTION OF THE VULNERABILITY

The FreeBSD product offers the pkg utility to install packages.

The pkg(8) tool is the full-featured client. The pkg(7) tool is
used to install pkg(8). The signature_type parameter of the pkg.conf
file indicates the type of signature used to check the authenticity
of a package.

However, when pkg(7) does not recognize the value of the
signature_type parameter, it interprets it as the value "none", and
does not verify the integrity of the package to install.

An attacker can therefore exploit an incomplete configuration of
pkg(7) in FreeBSD, in order to perform a man-in-the-middle attack.
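
The following configuration audit is an added example, not code from the
bulletin or from FreeBSD. It flags repository definitions whose
signature_type is missing, "none", or a value outside a known set, which
is the case the bulletin says is silently treated as "none". The known
set, the sample configuration and the host names in it are assumptions
constructed for illustration.

```python
import re

# Assumption: values the installed bootstrap tool understands; adjust per release.
ASSUMED_KNOWN = frozenset({"fingerprints", "pubkey"})

# Constructed sample in the repository-definition style of pkg.conf.
SAMPLE_CONF = '''\
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}
internal: {
  url: "http://pkg.example.test/${ABI}",
  signature_type: "fingerprint",
  fingerprints: "/usr/local/etc/pkg/keys"
}
mirror: {
  url: "http://mirror.example.test/${ABI}",
  #signature_type: "fingerprints"
}
'''

REPO_RE = re.compile(r'([\w.-]+)\s*:\s*\{([^{}]*)\}')
SIG_RE = re.compile(r'^\s*signature_type\s*[:=]?\s*"?([\w-]+)"?', re.M | re.I)

def audit(conf_text, known=ASSUMED_KNOWN):
    """Map each repository name to ok / missing / none / unrecognized."""
    text = re.sub(r'(?m)^\s*#.*$', '', conf_text)  # commented-out keys do not count
    text = re.sub(r'\$\{\w+\}', '', text)          # ${ABI}-style variables contain braces
    result = {}
    for name, body in REPO_RE.findall(text):
        m = SIG_RE.search(body)
        value = m.group(1).lower() if m else None
        if value is None:
            result[name] = "missing"        # nothing requests verification
        elif value == "none":
            result[name] = "none"           # verification explicitly off
        elif value not in known:
            result[name] = "unrecognized"   # the fail-open case from the bulletin
        else:
            result[name] = "ok"
    return result

if __name__ == "__main__":
    for repo, verdict in audit(SAMPLE_CONF).items():
        print(f"{repo}: {verdict}")
```

Any verdict other than "ok" means packages from that repository may be
installed without an integrity check.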

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/FreeBSD-no-signature-control-by-pkg-17750

