CVE-2010-3868

Description

Red Hat Certificate System (RHCS) 7.3 and 8 and Dogtag Certificate System do not require authentication for requests to decrypt SCEP one-time PINs, which allows remote attackers to obtain PINs by sniffing the network for SCEP requests and then sending decryption requests to the Certificate Authority component.

Affected products

• RedHat / certificate_system7.3 – 7.3
• RedHat / certificate_system8 – 8
• RedHat / dogtag_certificate_system

References

• MISChttps://rhn.redhat.com/errata/RHSA-2010-0837.html
• MISChttp://www.osvdb.org/69149
• MISChttps://bugzilla.redhat.com/show_bug.cgi?id=648882
• MISChttps://rhn.redhat.com/errata/RHSA-2010-0838.html
• MISChttp://securitytracker.com/id?1024697
• MISChttps://fedorahosted.org/pki/changeset/1261
• VENDOR_ADVISORYhttp://secunia.com/advisories/42181