CVE-2008-3323 - Vulnerability Details - OpenCVE

setup.exe before 2.573.2.3 in Cygwin does not properly verify the authenticity of packages, which allows remote Cygwin mirror servers or man-in-the-middle attackers to execute arbitrary code via a package list containing the MD5 checksum of a Trojan horse package.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Cygwin

Configuration 1 [-]

cpe:2.3:a:redhat:cygwin:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://cygwin.com/ml/cygwin-announce/2008-08/msg00001.html
http://secunia.com/advisories/31271
http://securityreason.com/securityalert/4051
http://www.security-objectives.com/advisories/SECOBJADV-2008-02.txt
http://www.securityfocus.com/archive/1/494756/100/0/threaded
http://www.securityfocus.com/bid/30375
http://www.vupen.com/english/advisories/2008/2321
https://bugzilla.redhat.com/show_bug.cgi?id=449929
https://exchange.xforce.ibmcloud.com/vulnerabilities/44047
https://nvd.nist.gov/vuln/detail/CVE-2008-3323
https://www.cve.org/CVERecord?id=CVE-2008-3323

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2008-07-28T17:00:00

Updated: 2024-08-07T09:37:26.716Z

Reserved: 2008-07-25T00:00:00

Link: CVE-2008-3323

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2008-07-28T17:41:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2008-3323

Redhat

Severity :

Publid Date: 2008-07-25T00:00:00Z

Links: CVE-2008-3323 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-07-25T00:00:00", "descriptions": [{"lang": "en", "value": "setup.exe before 2.573.2.3 in Cygwin does not properly verify the authenticity of packages, which allows remote Cygwin mirror servers or man-in-the-middle attackers to execute arbitrary code via a package list containing the MD5 checksum of a Trojan horse package."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "ADV-2008-2321", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/2321"}, {"tags": ["x_refsource_MISC"], "url": "http://www.security-objectives.com/advisories/SECOBJADV-2008-02.txt"}, {"name": "cygwin-setup-weak-security(44047)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44047"}, {"name": "20080725 SECOBJADV-2008-02: Cygwin Installation and Update Process can be Subverted Vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/494756/100/0/threaded"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=449929"}, {"name": "30375", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/30375"}, {"name": "4051", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/4051"}, {"name": "[cygwin-announce] 20080805 Updated: Setup.exe updated to version 2.573.2.3", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://cygwin.com/ml/cygwin-announce/2008-08/msg00001.html"}, {"name": "31271", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31271"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-3323", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "setup.exe before 2.573.2.3 in Cygwin does not properly verify the authenticity of packages, which allows remote Cygwin mirror servers or man-in-the-middle attackers to execute arbitrary code via a package list containing the MD5 checksum of a Trojan horse package."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "ADV-2008-2321", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/2321"}, {"name": "http://www.security-objectives.com/advisories/SECOBJADV-2008-02.txt", "refsource": "MISC", "url": "http://www.security-objectives.com/advisories/SECOBJADV-2008-02.txt"}, {"name": "cygwin-setup-weak-security(44047)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44047"}, {"name": "20080725 SECOBJADV-2008-02: Cygwin Installation and Update Process can be Subverted Vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/494756/100/0/threaded"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=449929", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=449929"}, {"name": "30375", "refsource": "BID", "url": "http://www.securityfocus.com/bid/30375"}, {"name": "4051", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/4051"}, {"name": "[cygwin-announce] 20080805 Updated: Setup.exe updated to version 2.573.2.3", "refsource": "MLIST", "url": "http://cygwin.com/ml/cygwin-announce/2008-08/msg00001.html"}, {"name": "31271", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/31271"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T09:37:26.716Z"}, "title": "CVE Program Container", "references": [{"name": "ADV-2008-2321", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/2321"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.security-objectives.com/advisories/SECOBJADV-2008-02.txt"}, {"name": "cygwin-setup-weak-security(44047)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44047"}, {"name": "20080725 SECOBJADV-2008-02: Cygwin Installation and Update Process can be Subverted Vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/494756/100/0/threaded"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=449929"}, {"name": "30375", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/30375"}, {"name": "4051", "tags": ["third-party-advisory", "x_refsource_SREASON", "x_transferred"], "url": "http://securityreason.com/securityalert/4051"}, {"name": "[cygwin-announce] 20080805 Updated: Setup.exe updated to version 2.573.2.3", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://cygwin.com/ml/cygwin-announce/2008-08/msg00001.html"}, {"name": "31271", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31271"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-3323", "datePublished": "2008-07-28T17:00:00", "dateReserved": "2008-07-25T00:00:00", "dateUpdated": "2024-08-07T09:37:26.716Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:cygwin:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA6AC2AF-EA55-4530-8B2E-9F531FF207FA", "versionEndIncluding": "1.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "setup.exe before 2.573.2.3 in Cygwin does not properly verify the authenticity of packages, which allows remote Cygwin mirror servers or man-in-the-middle attackers to execute arbitrary code via a package list containing the MD5 checksum of a Trojan horse package."}, {"lang": "es", "value": "setup.exe anterior a v2.573.2.3 en Cygwin no verifica correctamente la autenticidad de los paquetes, lo que permite a los servidores espejo remotos Cygwin o a los atacantes \"man-in-the-middle\" ejecutar c\u00f3digo de su elecci\u00f3n a trav\u00e9s de una lista de paquetes conteniendo una verificaci\u00f3n de suma MD5 de un paquete troyano."}], "id": "CVE-2008-3323", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.6, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 10.0, "obtainAllPrivilege": true, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2008-07-28T17:41:00.000", "references": [{"source": "cve@mitre.org", "url": "http://cygwin.com/ml/cygwin-announce/2008-08/msg00001.html"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/31271"}, {"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/4051"}, {"source": "cve@mitre.org", "url": "http://www.security-objectives.com/advisories/SECOBJADV-2008-02.txt"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/494756/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/30375"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/2321"}, {"source": "cve@mitre.org", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=449929"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44047"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://cygwin.com/ml/cygwin-announce/2008-08/msg00001.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/31271"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/4051"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.security-objectives.com/advisories/SECOBJADV-2008-02.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/494756/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/30375"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/2321"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=449929"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44047"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}