    • 2014-02-27
  • Apple bug in TLS/SSL can be detected with Codenomicon Defensics

    Innovative Defensics feature now looks for authentication bypass vulnerabilities

     

    SAN FRANCISCO, February 27 - Codenomicon introduces a new SafeGuard feature set to its Defensics testing solution. The new SafeGuard feature reveals even more bugs than before. The new Defensics analyzes the scanned system for behavioral flaws, such as insufficient certificate chain validation during the TLS/SSL handshake, while testing for unknown vulnerabilities. The automated analysis performed by Defensics SafeGuard is able to locate the subtle security vulnerabilities that may not cause a system crash, yet affect system security and have heretofore eluded many top security researchers.

     

    This week, Apple shipped a security update resolving a crucial certificate-validation vulnerability in its OS X Mavericks and iOS operating systems. On unpatched systems, the bug affects the signature verification process in such a way that a server could send a valid certificate chain to the client and not have to sign the handshake at all, allowing an attacker with a privileged network position to capture or modify data in sessions that should otherwise be protected by TLS/SSL protocols.

     

    Earlier, Codenomicon discovered and helped to fix a similar vulnerability in strongSwan VPN software (CVE-2012-2388) which allows remote attackers to bypass authentication via an empty or zeroed RSA signature.

     

    The TLS SafeGuard feature, which detects the authentication bypass class of vulnerabilities, is now integrated into Defensics and allows Defensics users to test their existing systems for this as well as similar cryptographic weaknesses, previously known or unknown.