CVE-2009-2408

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2009-2408
Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.

5.9 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

6.8 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
http://isc.sans.org/diary.html?storyid=7003 Broken Link
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html Mailing List
http://marc.info/?l=oss-security&m=125198917018936&w=2 Mailing List
http://osvdb.org/56723 Broken Link
http://secunia.com/advisories/36088 Broken Link Vendor Advisory
http://secunia.com/advisories/36125 Broken Link Vendor Advisory
http://secunia.com/advisories/36139 Broken Link Vendor Advisory
http://secunia.com/advisories/36157 Broken Link Vendor Advisory
http://secunia.com/advisories/36434 Broken Link Vendor Advisory
http://secunia.com/advisories/36669 Broken Link
http://secunia.com/advisories/37098 Broken Link
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021030.1-1 Broken Link
http://www.debian.org/security/2009/dsa-1874 Mailing List
http://www.mandriva.com/security/advisories?name=MDVSA-2009:197 Broken Link
http://www.mandriva.com/security/advisories?name=MDVSA-2009:216 Broken Link
http://www.mandriva.com/security/advisories?name=MDVSA-2009:217 Broken Link
http://www.mozilla.org/security/announce/2009/mfsa2009-42.html Vendor Advisory
http://www.novell.com/linux/security/advisories/2009_48_firefox.html Broken Link
http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_m.c.diff?r1=1.8&r2=1.11&f=h Broken Link
http://www.redhat.com/support/errata/RHSA-2009-1207.html Broken Link
http://www.redhat.com/support/errata/RHSA-2009-1432.html Broken Link
http://www.securitytracker.com/id?1022632 Broken Link Third Party Advisory VDB Entry
http://www.ubuntu.com/usn/usn-810-1 Third Party Advisory
http://www.vupen.com/english/advisories/2009/2085 Broken Link Vendor Advisory
http://www.vupen.com/english/advisories/2009/3184 Broken Link
http://www.wired.com/threatlevel/2009/07/kaminsky/ Press/Media Coverage
https://bugzilla.redhat.com/show_bug.cgi?id=510251 Issue Tracking
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10751 Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8458 Broken Link
https://usn.ubuntu.com/810-2/ Broken Link
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:opensuse:opensuse:*:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise:10.0:-:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise:11.0:-:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:9:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*
History

No history.

Information

Published : 2009-07-30 19:30

Updated : 2024-02-14 17:21

NVD link : CVE-2009-2408

Mitre link : CVE-2009-2408

CVE.ORG link : CVE-2009-2408

JSON object : View

Products Affected

suse

  • linux_enterprise
  • linux_enterprise_server

canonical

  • ubuntu_linux

mozilla

  • firefox
  • thunderbird
  • seamonkey
  • network_security_services

opensuse

  • opensuse

debian

  • debian_linux
CWE
CWE-295

Improper Certificate Validation