----------------------------------------------------------------------

Secunia Network Software Inspector 2.0 (NSI) - Public Beta

The Public Beta has ended. Thanks to all that participated.

Learn more:
http://secunia.com/network_software_inspector_2/

----------------------------------------------------------------------

TITLE:
ThinkVantage System Update Missing SSL Certificate Chain Verification

SECUNIA ADVISORY ID:
SA30379

VERIFY ADVISORY:
http://secunia.com/advisories/30379/

CRITICAL:
Less critical

IMPACT:
Spoofing

WHERE:
>From remote

SOFTWARE:
ThinkVantage System Update 3.x
http://secunia.com/product/15450/

DESCRIPTION:
Derek Callaway has reported a security issue in ThinkVantage System
Update, which can be exploited by malicious people to conduct
spoofing attacks.

The problem is that the application does not perform SSL certificate
chain verification when connecting to the update server. 

Successful exploitation allows e.g. downloading and executing
malicious programs, but requires that the application connects to a
malicious update server providing a specially crafted X.509
certificate (e.g. via DNS poisoning).

The security issue is reported in version 3.13.0005. Other versions
may also be affected.

SOLUTION:
Update to version 3.14.
http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-66956

PROVIDED AND/OR DISCOVERED BY:
Derek Callaway, Security Objectives

ORIGINAL ADVISORY:
SECOBJADV-2008-01:
http://www.security-objectives.com/advisories/SECOBJADV-2008-01.txt

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

----------------------------------------------------------------------