Overview
Install Norton Security for Mac, prior to version 7.6, does not validate SSL certificates.
Description
CWE-295: Improper Certificate Validation - CVE-2017-15528
The Install Norton Security for Mac installer, versions prior to 7.6, fails to properly validate SSL certificates provided by HTTPS connections, which can allow an attacker to obtain a Man-in-the-Middle position.
Impact
An attacker with a Man-in-the-Middle position can spoof content retrieved using HTTPS.
Solution
Use Updated Installer
Symantec has released an updated installer, version 7.6, to address the vulnerability. For more information, see Symantec's advisory.
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 5.1 | AV:N/AC:H/Au:N/C:P/I:P/A:P |
Temporal | 5.1 | E:ND/RL:ND/RC:ND |
Environmental | 1.3 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
Acknowledgements
Thanks to David for reporting this vulnerability.
This document was written by Trent Novelly.
Other Information
CVE IDs: CVE-2017-15528
Date Public: 2017-11-21
Date First Published: 2017-11-21
Date Last Updated: 2017-11-21 21:21 UTC
Document Revision: 10