Mojira Archive
WEB-1738

SSL Certificate - Subject Common Name Does Not Match Server FQDN

QID: 38170
Category: General remote services
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Service Modified: 10/11/2019
User Modified: -
Edited: No
PCI Vuln: No

THREAT: An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection.

A certificate whose Subject commonName or subjectAltName does not match the server FQDN offers only encryption without authentication.

Please note that a false positive reporting of this vulnerability is possible in the following case:
If the common name of the certificate uses a wildcard such as *.somedomainname.com and the reverse DNS resolution of the target IP is not configured. In this case there is no way for Qualys to associate the wildcard common name to the IP. Adding a reverse DNS lookup entry to the target IP will solve this problem.

IMPACT: A man-in-the-middle attacker can exploit this vulnerability in tandem with a DNS cache poisoning attack to lure the client to another server, and then steal all the encrypted communication.

SOLUTION: Please install a server certificate whose Subject commonName or subjectAltName matches the server FQDN.

COMPLIANCE: Not Applicable

EXPLOITABILITY: There is no exploitability information for this vulnerability.

ASSOCIATED MALWARE: There is no malware information for this vulnerability.

RESULTS:

Certificate#0 CN=sni.msft.default.wpc.edgecastcdn.net,OU=SecOps,O=Verizon_Digital_Media_Services\,_Inc.,L=Los_Angeles,ST=California,C=US (sni.msft.default.wpc.edgecastcdn.net) doesn't resolve

Incomplete

SYED MUHAMMAD ASIM

2019-12-31, 05:49 PM

2020-01-04, 11:31 PM

2020-01-04, 11:31 PM