CVE-2004-2761

{"id": "CVE-2004-2761", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2009-01-05T20:30:02.140", "references": [{"url": "http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/", "source": "cve@mitre.org"}, {"url": "http://blogs.technet.com/swi/archive/2008/12/30/information-regarding-md5-collisions-problem.aspx", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/33826", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/34281", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/42181", "source": "cve@mitre.org"}, {"url": "http://securityreason.com/securityalert/4866", "source": "cve@mitre.org"}, {"url": "http://securitytracker.com/id?1024697", "source": "cve@mitre.org"}, {"url": "http://www.cisco.com/en/US/products/products_security_response09186a0080a5d24a.html", "source": "cve@mitre.org"}, {"url": "http://www.doxpara.com/research/md5/md5_someday.pdf", "source": "cve@mitre.org"}, {"url": "http://www.kb.cert.org/vuls/id/836068", "tags": ["Third Party Advisory", "US Government Resource"], "source": "cve@mitre.org"}, {"url": "http://www.microsoft.com/technet/security/advisory/961509.mspx", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.phreedom.org/research/rogue-ca/", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/499685/100/0/threaded", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/33065", "source": "cve@mitre.org"}, {"url": "http://www.ubuntu.com/usn/usn-740-1", "source": "cve@mitre.org"}, {"url": "http://www.win.tue.nl/hashclash/SoftIntCodeSign/", "source": "cve@mitre.org"}, {"url": "http://www.win.tue.nl/hashclash/rogue-ca/", "source": "cve@mitre.org"}, {"url": "https://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php", "source": "cve@mitre.org"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=648886", "tags": ["Issue Tracking"], "source": "cve@mitre.org"}, {"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289935", "source": "cve@mitre.org"}, {"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05336888", "source": "cve@mitre.org"}, {"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "source": "cve@mitre.org"}, {"url": "https://rhn.redhat.com/errata/RHSA-2010-0837.html", "source": "cve@mitre.org"}, {"url": "https://rhn.redhat.com/errata/RHSA-2010-0838.html", "source": "cve@mitre.org"}, {"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03814en_us", "source": "cve@mitre.org"}, {"url": "https://www.redhat.com/archives/fedora-package-announce/2009-February/msg00096.html", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-310"}]}], "descriptions": [{"lang": "en", "value": "The MD5 Message-Digest Algorithm is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of MD5 in the signature algorithm of an X.509 certificate."}, {"lang": "es", "value": "El algoritmo MD5 Message-Digest no resistente a colisi\u00f3n, el cual hace m\u00e1s f\u00e1cil para atacantes dependientes de contexto, llevar a cabo ataques de suplantaci\u00f3n, como lo demuestran los ataques de utilizaci\u00f3n de MD5 en la firma del algoritmo de un certificado X.509."}], "lastModified": "2018-10-19T15:30:59.527", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ietf:md5:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5DFFBAC4-D50D-4CC4-A12C-9708D3C1199C"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ietf:x.509_certificate:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "3009C5D9-9EF8-43B2-BF17-DEBC497994B5"}], "operator": "OR"}], "operator": "AND"}], "vendorComments": [{"comment": "Please see http://kbase.redhat.com/faq/docs/DOC-15379", "lastModified": "2009-01-07T00:00:00", "organization": "Red Hat"}], "evaluatorImpact": "There are four significant mitigating factors.\n\n1) Most enterprise-class certificates, such as VeriSign\u2019s Extended Validation SSL Certificates use the still secure SHA-1 hash function. \n\n2) Certificates already issued with MD5 signatures are not at risk.  The exploit only affects new certificate acquisitions. \n\n3) CAs are quickly moving to replace MD5 with SHA-1.  For example, VeriSign was planning to phase out MD5 by the end of January 2009.  The date was pushed up due to the December proof of concept.  On December 31, 2008, RapidSSL certificates shipped with SHA-1 digital signatures. \n\n4)The researchers did not release the under-the-hood specifics of how the exploit was executed. \n\nSource - http://www.techrepublic.com/blog/it-security/the-new-md5-ssl-exploit-is-not-the-end-of-civilization-as-we-know-it/?tag=nl.e036", "sourceIdentifier": "cve@mitre.org"}