CVE-2014-1295

Apple iOS < 7.1.1, OS X 10.8.x-10.9.2, and Apple TV < 6.1.1 - Improper Authentication via Triple Handshake Attack


Description

Secure Transport in Apple iOS before 7.1.1, Apple OS X 10.8.x and 10.9.x through 10.9.2, and Apple TV before 6.1.1 does not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which allows man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a "triple handshake attack."

References (4)

Core References
Third Party Advisory vendor-advisory x_refsource_apple
http://archives.neohapsis.com/archives/bugtraq/2014-04/0134.html
Third Party Advisory vendor-advisory x_refsource_apple
http://archives.neohapsis.com/archives/bugtraq/2014-04/0136.html
Third Party Advisory vendor-advisory x_refsource_apple
http://archives.neohapsis.com/archives/bugtraq/2014-04/0135.html
Exploit x_refsource_misc
https://secure-resumption.com/

Scores

EPSS 0.0094
EPSS Percentile 56.3%

Details

CWE
CWE-287
Status published
Products (21)
apple/iphone_os 7.0
apple/iphone_os 7.0.1
apple/iphone_os 7.0.2
apple/iphone_os 7.0.3
apple/iphone_os 7.0.4
apple/iphone_os 7.0.5
apple/iphone_os 7.0.6
apple/iphone_os < 7.1
apple/mac_os_x 10.9
apple/mac_os_x 10.9.1
... and 11 more
Published Apr 23, 2014
Tracked Since Feb 18, 2026