CVE-2014-0350 in POCO C++ Libraries
Summary
by MITRE
The Poco::Net::X509Certificate::verify method in the NetSSL library in POCO C++ Libraries before 1.4.6p4 allows man-in-the-middle attackers to spoof SSL servers via crafted DNS PTR records that are requested during comparison of a server name to a wildcard domain name in an X.509 certificate.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 05/12/2026
The vulnerability described in CVE-2014-0350 represents a critical security flaw within the POCO C++ Libraries' NetSSL implementation that fundamentally undermines the integrity of SSL/TLS certificate validation processes. This issue specifically targets the Poco::Net::X509Certificate::verify method which is responsible for validating X.509 certificates during secure communications. The flaw occurs during the comparison process between server names and wildcard domain names within certificates, creating an avenue for sophisticated man-in-the-middle attacks that can bypass standard certificate validation mechanisms.
The technical implementation of this vulnerability stems from improper handling of DNS PTR record resolution during certificate validation. When a client attempts to establish a secure connection, the system performs a comparison between the server's hostname and the wildcard domain patterns specified in the X.509 certificate. The flaw allows attackers to craft malicious DNS PTR records that can manipulate this comparison process, effectively causing the system to accept forged certificates that should otherwise be rejected. This manipulation specifically affects the validation logic that handles wildcard domain matching, where the system incorrectly interprets crafted PTR records as legitimate verification data.
The operational impact of this vulnerability extends far beyond simple certificate validation failures, creating significant risks for any system relying on POCO C++ Libraries for secure communications. Attackers can exploit this weakness to impersonate legitimate servers, intercept sensitive data transmission, and conduct unauthorized access to protected resources. The vulnerability particularly affects web applications, secure messaging systems, and any network services that depend on SSL/TLS certificate validation for authentication. Organizations using affected versions of POCO C++ Libraries face potential data breaches, unauthorized system access, and compromise of sensitive communications that could result in substantial financial and reputational damage.
This vulnerability aligns with CWE-295 which specifically addresses improper certificate validation and represents a variant of certificate spoofing attacks that fall under the ATT&CK framework's T1552.001 technique for "Credentials In Files" and T1046 for "Network Service Scanning." The attack vector demonstrates how DNS-based manipulation can be leveraged to bypass security controls, highlighting the importance of robust certificate validation mechanisms. Organizations should immediately update to POCO C++ Libraries version 1.4.6p4 or later to mitigate this risk, while also implementing additional monitoring for anomalous DNS PTR record behavior. Security teams should also consider implementing certificate pinning mechanisms and additional validation layers to protect against similar vulnerabilities in other cryptographic libraries that may share similar implementation patterns.