CVE-2009-2408

Date: (C)2009-07-30 (M)2017-09-22

CVSS Score: 6.8
Exploitability Subscore: 8.6
Impact Subscore: 6.4
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL

Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.

Reference:
SUNALERT-1021030
SECTRACK-1022632
SECUNIA-36088
SECUNIA-36125
SECUNIA-36139
SECUNIA-36157
SECUNIA-36434
SECUNIA-36669
SECUNIA-37098
OSVDB-56723
ADV-2009-2085
ADV-2009-3184
DSA-1874
MDVSA-2009:197
MDVSA-2009:216
MDVSA-2009:217
RHSA-2009:1207
RHSA-2009:1432
SUSE-SA:2009:048
SUSE-SR:2009:018
USN-810-1
USN-810-2
http://marc.info/?l=oss-security&m=125198917018936&w=2
http://isc.sans.org/diary.html?storyid=7003
http://www.mozilla.org/security/announce/2009/mfsa2009-42.html
http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_m.c.diff?r1=1.8&r2=1.11&f=h
http://www.wired.com/threatlevel/2009/07/kaminsky/
https://bugzilla.redhat.com/show_bug.cgi?id=510251

CPE (143)
cpe:/a:mozilla:thunderbird:2.0.0.22
cpe:/a:mozilla:seamonkey:1.1.17
cpe:/a:mozilla:seamonkey:1.1:beta
cpe:/a:mozilla:seamonkey:1.1:alpha
...
CWE (1)
CWE-20
OVAL (25)
oval:org.secpod.oval:def:300558
oval:org.secpod.oval:def:1600298
oval:org.mitre.oval:def:8111
oval:org.secpod.oval:def:1300222
...

© 2013 SecPod Technologies