CVE-2023-5594 - OpenCVE

Improper validation of the server’s certificate chain in secure traffic scanning feature considered intermediate certificate signed using the MD5 or SHA1 algorithm as trusted.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Eset	Endpoint Antivirus Endpoint Security File Security Internet Security Mail Security Nod32 Antivirus Security Server Security Smart Security

Configuration 1 [-]

OR	cpe:2.3:a:eset:endpoint_antivirus::::::linux::*
	cpe:2.3:a:eset:endpoint_antivirus:-:::::windows::
	cpe:2.3:a:eset:endpoint_security:-:::::windows::
	cpe:2.3:a:eset:file_security:-:::::azure::
	cpe:2.3:a:eset:internet_security:-:::::::*
	cpe:2.3:a:eset:mail_security:-:::::domino::
	cpe:2.3:a:eset:mail_security:-:::::exchange_server::
	cpe:2.3:a:eset:nod32_antivirus:-:::::::*
	cpe:2.3:a:eset:security:-:::::sharepoint_server::
	cpe:2.3:a:eset:security:-::::ultimate:::
	cpe:2.3:a:eset:server_security::::::linux::*
	cpe:2.3:a:eset:server_security:-:::::windows_server::
	cpe:2.3:a:eset:smart_security:-::::premium:::

No data.

References

Link	Providers
https://support.eset.com/en/ca8562-eset-customer-advisory-improper-following-of-a-certificates-chain-of-trust-in-eset-security-products-fixed

History

No history.

MITRE

Status: PUBLISHED

Assigner: ESET

Published: 2023-12-21T11:30:41.256Z

Updated: 2024-08-02T08:07:32.481Z

Reserved: 2023-10-16T08:12:50.985Z

Link: CVE-2023-5594

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-12-21T12:15:08.293

Modified: 2024-01-04T13:50:12.723

Link: CVE-2023-5594

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-5594", "assignerOrgId": "4a9b9929-2450-4021-b7b9-469a0255b215", "state": "PUBLISHED", "assignerShortName": "ESET", "dateReserved": "2023-10-16T08:12:50.985Z", "datePublished": "2023-12-21T11:30:41.256Z", "dateUpdated": "2024-08-02T08:07:32.481Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Internet protection module"], "product": "ESET NOD32 Antivirus", "vendor": "ESET, spol. s r.o.", "versions": [{"status": "unaffected", "version": "1464"}]}, {"defaultStatus": "unaffected", "modules": ["Internet protection module"], "product": "ESET Internet Security", "vendor": "ESET, spol. s r.o.", "versions": [{"status": "unaffected", "version": "1464"}]}, {"defaultStatus": "unaffected", "modules": ["Internet protection module"], "product": "ESET Smart Security Premium", "vendor": "ESET, spol. s r.o.", "versions": [{"status": "unaffected", "version": "1464"}]}, {"defaultStatus": "unaffected", "modules": ["Internet protection module"], "product": "ESET Security Ultimate", "vendor": "ESET, spol. s r.o.", "versions": [{"status": "unaffected", "version": "1464"}]}, {"defaultStatus": "unaffected", "modules": ["Internet protection module"], "product": "ESET Endpoint Antivirus", "vendor": "ESET, spol. s r.o.", "versions": [{"status": "unaffected", "version": "1464"}]}, {"defaultStatus": "unaffected", "modules": ["Internet protection module"], "product": "ESET Endpoint Security", "vendor": "ESET, spol. s r.o.", "versions": [{"status": "unaffected", "version": "1464"}]}, {"defaultStatus": "unaffected", "modules": ["Internet protection module"], "product": "ESET Endpoint Antivirus for Linux 10.0 and above", "vendor": "ESET, spol. s r.o.", "versions": [{"status": "unaffected", "version": "1464"}]}, {"defaultStatus": "unaffected", "modules": ["Internet protection module"], "product": "ESET Server Security for Windows Server", "vendor": "ESET, spol. s r.o.", "versions": [{"status": "unaffected", "version": "1464"}]}, {"defaultStatus": "unaffected", "modules": ["Internet protection module"], "product": "ESET Mail Security for Microsoft Exchange Server", "vendor": "ESET, spol. s r.o.", "versions": [{"status": "unaffected", "version": "1464"}]}, {"defaultStatus": "unaffected", "modules": ["Internet protection module"], "product": "ESET Mail Security for IBM Domino", "vendor": "ESET, spol. s r.o.", "versions": [{"status": "unaffected", "version": "1464"}]}, {"defaultStatus": "unaffected", "modules": ["Internet protection module"], "product": "ESET Security for Microsoft SharePoint Server", "vendor": "ESET, spol. s r.o.", "versions": [{"status": "unaffected", "version": "1464"}]}, {"defaultStatus": "unaffected", "modules": ["Internet protection module"], "product": "ESET File Security for Microsoft Azure", "vendor": "ESET, spol. s r.o.", "versions": [{"status": "unaffected", "version": "1464"}]}, {"defaultStatus": "unaffected", "modules": ["Internet protection module"], "product": "ESET Server Security for Linux 10.1 and above ", "vendor": "ESET, spol. s r.o.", "versions": [{"status": "unaffected", "version": "1464"}]}], "datePublic": "2023-12-20T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper validation of the server\u2019s certificate chain in secure traffic scanning feature considered intermediate certificate signed using the MD5 or SHA1 algorithm as trusted."}], "value": "Improper validation of the server\u2019s certificate chain in secure traffic scanning feature considered intermediate certificate signed using the MD5 or SHA1 algorithm as trusted."}], "impacts": [{"capecId": "CAPEC-94", "descriptions": [{"lang": "en", "value": "CAPEC-94 Man in the Middle Attack"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "CWE-295 Improper Certificate Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4a9b9929-2450-4021-b7b9-469a0255b215", "shortName": "ESET", "dateUpdated": "2023-12-21T11:30:41.256Z"}, "references": [{"url": "https://support.eset.com/en/ca8562-eset-customer-advisory-improper-following-of-a-certificates-chain-of-trust-in-eset-security-products-fixed"}], "source": {"advisory": "ca8562", "discovery": "UNKNOWN"}, "title": "Improper following of a certificate's chain of trust\u202fin ESET security products", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:07:32.481Z"}, "title": "CVE Program Container", "references": [{"url": "https://support.eset.com/en/ca8562-eset-customer-advisory-improper-following-of-a-certificates-chain-of-trust-in-eset-security-products-fixed", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eset:endpoint_antivirus:*:*:*:*:*:linux:*:*", "matchCriteriaId": "1B5C405E-3150-40F5-882D-C07A4955C996", "versionStartIncluding": "10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:eset:endpoint_antivirus:-:*:*:*:*:windows:*:*", "matchCriteriaId": "439FC2E0-2FE4-4916-8E2C-119450608680", "vulnerable": true}, {"criteria": "cpe:2.3:a:eset:endpoint_security:-:*:*:*:*:windows:*:*", "matchCriteriaId": "99F0D178-E466-461D-B404-D2958D12B1A0", "vulnerable": true}, {"criteria": "cpe:2.3:a:eset:file_security:-:*:*:*:*:azure:*:*", "matchCriteriaId": "207E6D02-A9FB-4B1F-ABEA-BEBDA67E31A4", "vulnerable": true}, {"criteria": "cpe:2.3:a:eset:internet_security:-:*:*:*:*:*:*:*", "matchCriteriaId": "F2CAD248-1F32-4459-A530-8706E334C67F", "vulnerable": true}, {"criteria": "cpe:2.3:a:eset:mail_security:-:*:*:*:*:domino:*:*", "matchCriteriaId": "5043B5B1-38B2-4621-B738-A79E5DF8D98E", "vulnerable": true}, {"criteria": "cpe:2.3:a:eset:mail_security:-:*:*:*:*:exchange_server:*:*", "matchCriteriaId": "DE40A56E-EBC0-43C8-85FB-868802B4817F", "vulnerable": true}, {"criteria": "cpe:2.3:a:eset:nod32_antivirus:-:*:*:*:*:*:*:*", "matchCriteriaId": "6253FAFB-0AE6-494A-950D-EB0EB15E982C", "vulnerable": true}, {"criteria": "cpe:2.3:a:eset:security:-:*:*:*:*:sharepoint_server:*:*", "matchCriteriaId": "D6CCDFB5-D27D-40F5-9BFC-274DA84783E8", "vulnerable": true}, {"criteria": "cpe:2.3:a:eset:security:-:*:*:*:ultimate:*:*:*", "matchCriteriaId": "F86A88FA-CAB9-4937-AE8D-4FA22EF4D380", "vulnerable": true}, {"criteria": "cpe:2.3:a:eset:server_security:*:*:*:*:*:linux:*:*", "matchCriteriaId": "90DDE40D-605C-4465-A647-D3BD14B13E46", "versionStartIncluding": "10.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:eset:server_security:-:*:*:*:*:windows_server:*:*", "matchCriteriaId": "74BC745B-A4C5-4EAE-B985-78FDA3C40516", "vulnerable": true}, {"criteria": "cpe:2.3:a:eset:smart_security:-:*:*:*:premium:*:*:*", "matchCriteriaId": "375F46B4-9FDF-48FB-935A-8BB6FEF5221A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper validation of the server\u2019s certificate chain in secure traffic scanning feature considered intermediate certificate signed using the MD5 or SHA1 algorithm as trusted."}, {"lang": "es", "value": "La validaci\u00f3n incorrecta de la cadena de certificados del servidor en la funci\u00f3n de escaneo de tr\u00e1fico seguro consider\u00f3 que el certificado intermedio firmado utilizando el algoritmo MD5 o SHA1 era confiable."}], "id": "CVE-2023-5594", "lastModified": "2024-01-04T13:50:12.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.7, "source": "security@eset.com", "type": "Secondary"}]}, "published": "2023-12-21T12:15:08.293", "references": [{"source": "security@eset.com", "tags": ["Vendor Advisory"], "url": "https://support.eset.com/en/ca8562-eset-customer-advisory-improper-following-of-a-certificates-chain-of-trust-in-eset-security-products-fixed"}], "sourceIdentifier": "security@eset.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-295"}], "source": "security@eset.com", "type": "Secondary"}]}