製品・ソフトウェアに関する情報

JVN脆弱性詳細

Outlook などで使用される Microsoft Crypto API におけるポートスキャンの結果を取得される脆弱性

Title	Outlook などで使用される Microsoft Crypto API におけるポートスキャンの結果を取得される脆弱性
Summary	Outlook、Windows Live Mail および Office 2007 で使用される Microsoft Crypto API は、(1) S/MIME の電子メールメッセージまたは (2) 符号化された文書が組み込まれた証明書からの任意の URL を使用することで Certificate Revocation List (CRL) チェックを実行するため、受信者の読み時間および IP アドレス、ポートスキャンの結果を取得される脆弱性が存在します。
Possible impacts	第三者により、Authority Information Access (AIA) 拡張を持つ巧妙に細工された証明書を介して、受信者の読み時間および IP アドレス、ポートスキャンの結果を取得される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	July 7, 2008, midnight
Registration Date	Sept. 25, 2012, 5:17 p.m.
Last Update	Sept. 25, 2012, 5:17 p.m.

Affected System

マイクロソフト

Microsoft Office 2003 2007

Microsoft Outlook

Windows Live Mail

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2008-3068	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3068
National Vulnerability Database (NVD)
2	CVE-2008-3068	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3068

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-DesignError	https://www.ipa.go.jp/security/vuln/CWE.html#CWEDesignError

ベンダー情報

No	Name	URL
Microsoft
1	Office	http://office.microsoft.com/ja-jp/

Change Log

No	Changed Details	Date of change
0	[2012年09月25日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2008-3068

Summary	Microsoft Crypto API 5.131.2600.2180 through 6.0, as used in Outlook, Windows Live Mail, and Office 2007, performs Certificate Revocation List (CRL) checks by using an arbitrary URL from a certificate embedded in a (1) S/MIME e-mail message or (2) signed document, which allows remote attackers to obtain reading times and IP addresses of recipients, and port-scan results, via a crafted certificate with an Authority Information Access (AIA) extension.
Publication Date	July 8, 2008, 8:41 a.m.
Registration Date	Jan. 29, 2021, 1:38 p.m.
Last Update	Oct. 12, 2018, 5:45 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:microsoft:access:2007:::::::*
cpe:2.3:a:microsoft:excel:2003:::::::*
cpe:2.3:a:microsoft:excel:2007:::::::*
cpe:2.3:a:microsoft:frontpage:2003:::::::*
cpe:2.3:a:microsoft:groove:2007:::::::*
cpe:2.3:a:microsoft:infopath:2003:::::::*
cpe:2.3:a:microsoft:infopath:2007:::::::*
cpe:2.3:a:microsoft:office:2007:::::::*
cpe:2.3:a:microsoft:office:2007:sp1::::::
cpe:2.3:a:microsoft:office_communicator:2007:::::::*
cpe:2.3:a:microsoft:onenote:2003:::::::*
cpe:2.3:a:microsoft:outlook:2003:::::::*
cpe:2.3:a:microsoft:outlook:2007:::::::*
cpe:2.3:a:microsoft:powerpoint:2003:::::::*
cpe:2.3:a:microsoft:powerpoint:2007:::::::*
cpe:2.3:a:microsoft:project_professional:2007:::::::*
cpe:2.3:a:microsoft:project_standard:2007:::::::*
cpe:2.3:a:microsoft:publisher:2003:::::::*
cpe:2.3:a:microsoft:publisher:2007:::::::*
cpe:2.3:a:microsoft:sharepoint_designer:2007:::::::*
cpe:2.3:a:microsoft:visio_professional:2007:::::::*
cpe:2.3:a:microsoft:visio_standard:2007:::::::*
cpe:2.3:a:microsoft:windows_live_mail:2008:::::::*

Related information, measures and tools

No	URL	refsource
1	http://securityreason.com/securityalert/3978	SREASON
2	http://www.securityfocus.com/archive/1/493947/100/0/threaded	BUGTRAQ
3	http://www.securityfocus.com/archive/1/494101/100/0/threaded	BUGTRAQ
4	http://www.securityfocus.com/bid/28548	BID
5	http://www.securitytracker.com/id?1019736	SECTRACK
6	http://www.securitytracker.com/id?1019737	SECTRACK
7	http://www.securitytracker.com/id?1019738	SECTRACK
8	https://www.cynops.de/advisories/AKLINK-SA-2008-002.txt	MISC
9	https://www.cynops.de/advisories/AKLINK-SA-2008-003.txt	MISC
10	https://www.cynops.de/advisories/AKLINK-SA-2008-004.txt	MISC
11	https://www.cynops.de/techzone/http_over_x509.html	MISC
12	https://www.klink.name/security/aklink-sa-2008-002-outlook-smime.txt	MISC
13	https://www.klink.name/security/aklink-sa-2008-003-live-mail-smime.txt	MISC
14	https://www.klink.name/security/aklink-sa-2008-004-office2007-signatures.txt	MISC

Common Vulnerabilities List

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:microsoft:access:2007:::::::*
cpe:2.3:a:microsoft:excel:2003:::::::*
cpe:2.3:a:microsoft:excel:2007:::::::*
cpe:2.3:a:microsoft:frontpage:2003:::::::*
cpe:2.3:a:microsoft:groove:2007:::::::*
cpe:2.3:a:microsoft:infopath:2003:::::::*
cpe:2.3:a:microsoft:infopath:2007:::::::*
cpe:2.3:a:microsoft:office:2007:::::::*
cpe:2.3:a:microsoft:office:2007:sp1::::::
cpe:2.3:a:microsoft:office_communicator:2007:::::::*
cpe:2.3:a:microsoft:onenote:2003:::::::*
cpe:2.3:a:microsoft:outlook:2003:::::::*
cpe:2.3:a:microsoft:outlook:2007:::::::*
cpe:2.3:a:microsoft:powerpoint:2003:::::::*
cpe:2.3:a:microsoft:powerpoint:2007:::::::*
cpe:2.3:a:microsoft:project_professional:2007:::::::*
cpe:2.3:a:microsoft:project_standard:2007:::::::*
cpe:2.3:a:microsoft:publisher:2003:::::::*
cpe:2.3:a:microsoft:publisher:2007:::::::*
cpe:2.3:a:microsoft:sharepoint_designer:2007:::::::*
cpe:2.3:a:microsoft:visio_professional:2007:::::::*
cpe:2.3:a:microsoft:visio_standard:2007:::::::*
cpe:2.3:a:microsoft:windows_live_mail:2008:::::::*