This vulnerability allows cybercriminals to perform a man-in-the-middle attack on the iSync application.
The iSync application does not check whether the server hostname it was given matches the domain name in the Common Name or subjectAltName field of the X.509 certificate presented by the server.
The vulnerability allows attackers to perform a man-in-the-middle attack by spoofing the SSL servers with arbitrary valid certificates. Fedora, Gentoo and Openwall have published advisories on the vulnerable iSync application.
This means that any host with a valid certificate could pretend to be the intended host, as long as the certificate store contained the relevant root certificate. This could be used for man-in-the-middle attacks, which in turn could be used to steal passwords.
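The check the advisory says iSync was missing, as an added example (not iSync's own code): given the certificate dict layout Python's ssl.SSLSocket.getpeercert() returns, it accepts the peer only when the intended hostname matches a subjectAltName dNSName entry (or, when there are none, the subject Common Name). The certificate below is constructed for the example, not a real one.

```python
import ipaddress

def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname (simplified RFC 6125 rules)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the whole leftmost label, never for bare names like "*.com",
    # and it must match exactly one label of the hostname.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def hostname_matches_cert(hostname: str, cert: dict) -> bool:
    """True only if the certificate actually names the host we meant to reach.
    A valid certificate for some other host (the iSync flaw) is rejected."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for (k, v) in san if k == "DNS"]
    ip_names = [v for (k, v) in san if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        # When SAN dNSName entries exist, the Common Name is ignored entirely.
        return any(_dns_name_match(p, hostname) for p in dns_names)
    # Legacy fallback: no SAN dNSName, so compare against the subject CN.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_match(value, hostname)
    return False

# Constructed sample certificate (hypothetical names) in getpeercert() layout.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.imap.example.net")),
}
# Constructed certificate with no SAN at all: only the CN fallback applies.
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.org"),),)}
```

A client that skips this comparison, as vulnerable iSync did, treats any chain-valid certificate as proof of identity, which is exactly what lets an interposed host with its own valid certificate succeed.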
Upgrade to the latest version of iSync.
The update can be installed with the "yum" update program. Use su -c 'yum update isync' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.