Platform
openssl
Component
openssl
Fixed in
0.9.0
0.9.0
CVE-2016-10931 affects versions of rust-openssl prior to 0.9.0, exposing applications to man-in-the-middle (MITM) attacks. This vulnerability stems from insecure default configurations, specifically the absence of certificate verification and a missing API for hostname verification. The issue is resolved in version 0.9.0 by enabling certificate verification by default and providing APIs for hostname verification using SslConnector and SslAcceptor.
The primary impact of CVE-2016-10931 is the potential for MITM attacks. Without proper certificate verification and hostname validation, an attacker can intercept and potentially modify network traffic between a client and server. This could lead to data breaches, credential theft, and the execution of malicious code. Applications relying on rust-openssl for secure communication are vulnerable if not properly configured. The lack of a hostname verification API further exacerbates the risk, as it prevents developers from implementing robust security checks.
CVE-2016-10931 was publicly disclosed on November 5, 2016. While no active exploitation campaigns have been definitively linked to this specific vulnerability, the potential for MITM attacks remains a significant concern. The vulnerability's impact is amplified by the widespread use of SSL/TLS in modern applications. It is not currently listed on the CISA KEV catalog.
Exploit status
EPSS
0.18% (40th percentile)
CVSS vector
The primary mitigation for CVE-2016-10931 is to upgrade to rust-openssl version 0.9.0 or later. This version includes certificate verification enabled by default and provides the necessary APIs for hostname verification. If upgrading is not immediately feasible, developers should manually configure certificate verification and implement hostname verification checks using the SslConnector and SslAcceptor types. Ensure that the application properly validates certificates and verifies the hostname against the certificate's subject. After upgrade, confirm by running a test application that utilizes SSL/TLS connections and verifies certificate validation is functioning correctly.
No official patch available. Check for workarounds or monitor for updates.
CVE-2016-10931 describes a vulnerability in rust-openssl versions before 0.9.0 where insecure defaults (disabled certificate verification, no hostname verification) allow man-in-the-middle attacks.
You are affected if your application uses rust-openssl versions prior to 0.9.0 and does not explicitly configure certificate verification and hostname verification.
Upgrade to rust-openssl version 0.9.0 or later. If upgrading isn't possible, configure certificate verification and hostname verification using SslConnector and SslAcceptor.
While no widespread campaigns are known, the vulnerability is attractive to targeted attacks and POC exploits are available.
Refer to the rust-openssl project's release notes and security advisories on their GitHub repository for details: https://github.com/rust-openssl/rust-openssl