CVE-2009-2408

Date: created 2009-07-30, last modified 2017-11-18


Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.
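The following is an added example written for this page; it is not code from NSS, Firefox or any other Mozilla project. It models the handling pattern the description refers to: the Common Name arrives inside the certificate as a DER UTF8String with an explicit length, but code that copies it into a NUL-terminated buffer and then relies on C string routines only ever sees the bytes before the first '\0'. The vulnerable matcher and the fixed matcher are placed side by side, and the crafted name shows why a CA that validates only the rightmost labels of the string would issue it. The host names `www.bank.example` and `attacker.example`, and all function names, are constructed for illustration.

```c
/* Added example (not NSS or Mozilla code): the C-string truncation behind
 * CVE-2009-2408, modelled on a minimal DER UTF8String Common Name. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Decode a short-form DER UTF8String (tag 0x0C, length < 128). Returns a pointer
 * to the value bytes and stores the declared length; NULL on malformed input. */
static const unsigned char *der_utf8string(const unsigned char *der, size_t der_len,
                                           size_t *out_len)
{
    if (der_len < 2 || der[0] != 0x0C || der[1] >= 0x80 || (size_t)der[1] + 2 > der_len)
        return NULL;
    *out_len = der[1];
    return der + 2;
}

/* Encode a value as a short-form DER UTF8String into out (needs len + 2 bytes). */
size_t encode_cn_der(const unsigned char *value, size_t len, unsigned char *out)
{
    out[0] = 0x0C;
    out[1] = (unsigned char)len;
    memcpy(out + 2, value, len);
    return len + 2;
}

/* Case-insensitive comparison of exactly len bytes of cn against a hostname. */
static int name_equals(const unsigned char *cn, size_t len, const char *host)
{
    if (strlen(host) != len)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower(cn[i]) != tolower((unsigned char)host[i]))
            return 0;
    return 1;
}

/* Vulnerable pattern: the CN is copied into a C string, so strlen() and every
 * string routine after it stop at the embedded NUL; ".attacker.example" is never
 * compared, and the certificate passes for www.bank.example. */
int vulnerable_cn_matches(const unsigned char *der, size_t der_len, const char *host)
{
    size_t len;
    char buf[256];
    const unsigned char *cn = der_utf8string(der, der_len, &len);
    if (!cn || len >= sizeof buf)
        return 0;
    memcpy(buf, cn, len);
    buf[len] = '\0';
    return name_equals((const unsigned char *)buf, strlen(buf), host);
}

/* Fixed pattern: honour the DER-declared length throughout, and reject any CN
 * containing a NUL byte, since no valid DNS name contains one. */
int fixed_cn_matches(const unsigned char *der, size_t der_len, const char *host)
{
    size_t len;
    const unsigned char *cn = der_utf8string(der, der_len, &len);
    if (!cn || memchr(cn, '\0', len) != NULL)
        return 0;
    return name_equals(cn, len, host);
}

/* Constructed sample CN. A CA that checks control of the rightmost labels of the
 * full string ("attacker.example") would issue this to the attacker. */
#define CRAFTED_CN "www.bank.example\0.attacker.example"
#define CRAFTED_CN_LEN (sizeof(CRAFTED_CN) - 1)   /* 34 bytes, NUL included */

/* Run either matcher over the crafted CN; 1 means the certificate is accepted for host. */
int crafted_accepted(int use_fixed, const char *host)
{
    unsigned char der[CRAFTED_CN_LEN + 2];
    size_t n = encode_cn_der((const unsigned char *)CRAFTED_CN, CRAFTED_CN_LEN, der);
    return use_fixed ? fixed_cn_matches(der, n, host) : vulnerable_cn_matches(der, n, host);
}

/* Same for a legitimate CN without a NUL, showing the fixed matcher still accepts it. */
int legit_accepted(int use_fixed, const char *host)
{
    static const char cn[] = "www.bank.example";
    unsigned char der[sizeof(cn) + 1];
    size_t n = encode_cn_der((const unsigned char *)cn, sizeof(cn) - 1, der);
    return use_fixed ? fixed_cn_matches(der, n, host) : vulnerable_cn_matches(der, n, host);
}

int main(void)
{
    printf("crafted CN accepted for www.bank.example: vulnerable=%d fixed=%d\n",
           crafted_accepted(0, "www.bank.example"), crafted_accepted(1, "www.bank.example"));
    printf("legit CN accepted for www.bank.example:   vulnerable=%d fixed=%d\n",
           legit_accepted(0, "www.bank.example"), legit_accepted(1, "www.bank.example"));
    return 0;
}
```

The fix that matters is the length-aware comparison plus the explicit NUL rejection; the real NSS change (MFSA 2009-42, linked below) is in NSS's own name-handling code and is not reproduced here.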

CVSS v2 base score: 6.8 (exploitability subscore 8.6, impact subscore 6.4)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL





References:
SUNALERT-1021030
SECTRACK-1022632
SECUNIA-36088
SECUNIA-36125
SECUNIA-36139
SECUNIA-36157
SECUNIA-36434
SECUNIA-36669
SECUNIA-37098
OSVDB-56723
ADV-2009-2085
ADV-2009-3184
DSA-1874
MDVSA-2009:197
MDVSA-2009:216
MDVSA-2009:217
RHSA-2009:1207
RHSA-2009:1432
SUSE-SA:2009:048
SUSE-SR:2009:018
USN-810-1
USN-810-2
http://marc.info/?l=oss-security&m=125198917018936&w=2
http://isc.sans.org/diary.html?storyid=7003
http://www.mozilla.org/security/announce/2009/mfsa2009-42.html
http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_m.c.diff?r1=1.8&r2=1.11&f=h
http://www.wired.com/threatlevel/2009/07/kaminsky/
https://bugzilla.redhat.com/show_bug.cgi?id=510251

CPE    143
cpe:/a:mozilla:firefox:0.8
cpe:/a:mozilla:firefox:0.7
cpe:/a:mozilla:firefox:0.9
cpe:/a:mozilla:firefox:0.2
...
CWE    1
CWE-20
OVAL    25
oval:org.secpod.oval:def:300558
oval:org.secpod.oval:def:1600298
oval:org.secpod.oval:def:1300222
oval:org.secpod.oval:def:300598
...

© 2013 SecPod Technologies