#VU41273 Cryptographic issues in Portage - CVE-2013-2100

Cybersecurity Help s.r.o.

Published: 2014-09-30 | Updated: 2020-08-10

Vulnerability identifier: #VU41273

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2013-2100

CWE-ID: CWE-310

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Portage
Other software / Other software solutions

Vendor: Gentoo

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The urlopen function in pym/portage/util/_urlopen.py in Gentoo Portage 2.1.12, when using HTTPS, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and modify binary package lists via a crafted certificate.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Portage: 2.1.12

External links
https://openwall.com/lists/oss-security/2013/05/15/5
https://openwall.com/lists/oss-security/2013/05/16/3
https://www.securityfocus.com/bid/59878
https://bugs.gentoo.org/show_bug.cgi?id=469888
https://exchange.xforce.ibmcloud.com/vulnerabilities/84315
https://security.gentoo.org/glsa/201507-16

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for Portage

Cryptographic issues in Gentoo Portage