SecurityTracker.com
Category:   Application (Security)  >   Network Security Services (NSS)
Vendors:   Mozilla.org
Network Security Services Library Supports Certificates With Weak MD2 Hash Signatures
SecurityTracker Alert ID:  1022631
SecurityTracker URL:  http://securitytracker.com/id/1022631
CVE Reference:   CVE-2009-2409
Date:  Jul 31 2009
Impact:   Modification of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 3.12.3
Description:   A vulnerability was reported in Network Security Services. A remote user may be able to create certificates that appear to be valid for arbitrary sites. OpenSSL, GnuTLS, Mozilla Firefox, and other applications are affected.

A remote user that is able to create a certificate that has the same MD2 hash signature as a trusted Certificate Authority root certificate can issue valid SSL certificates for arbitrary sites.

Dan Kaminsky reported this vulnerability.

Impact:   A remote user may be able to issue valid SSL certificates for arbitrary sites in certain cases.
Solution:   The vendor has issued a version (3.12.3) that disables the use of MD2 by default.

[Editor's note: An application can re-enable MD2 if required.]

Vendor URL:  www.mozilla.org/projects/security/pki/nss/
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 31 2009 (Red Hat Issues Fix) Network Security Services Library Supports Certificates With Weak MD2 Hash Signatures
Red Hat has released a fix for Red Hat Enterprise Linux 4.
Jul 31 2009 (Red Hat Issues Fix) Network Security Services Library Supports Certificates With Weak MD2 Hash Signatures
Red Hat has released a fix for Red Hat Enterprise Linux 5.
Jul 31 2009 (Red Hat Issues Fix) Network Security Services Library Supports Certificates With Weak MD2 Hash Signatures
Red Hat has released a fix for Red Hat Enterprise Linux 4.7 Extended Update Support.
Aug 12 2009 (Red Hat Issues Fix) Network Security Services Library Supports Certificates With Weak MD2 Hash Signatures
Red Hat has released a fix for Red Hat Enterprise Linux 5.2 Extended Update Support.
Sep 10 2009 (Red Hat Issues Fix for Mozilla Seamonkey) Network Security Services Library Supports Certificates With Weak MD2 Hash Signatures
Red Hat has released a fix for Mozilla Seamonkey for Red Hat Enterprise Linux 3.
Jan 7 2010 (VMware Issues Fix for ESX) Network Security Services Library Supports Certificates With Weak MD2 Hash Signatures
VMware has issued a fix for VMware ESX 4.0.
Jan 20 2010 (Red Hat Issues Fix for OpenSSL) Network Security Services Library Supports Certificates With Weak MD2 Hash Signatures
Red Hat has issued a fix for OpenSSL for Red Hat Enterprise Linux 5.
Mar 26 2010 (Red Hat Issues Fix for GnuTLS) Network Security Services Library Supports Certificates With Weak MD2 Hash Signatures
Red Hat has issued a fix for gnutls for Red Hat Enterprise Linux 5.
Oct 17 2014 (Oracle Issues Fix for Solaris) Network Security Services Library Supports Certificates With Weak MD2 Hash Signatures
Oracle has issued a fix for Solaris 9 and 10.
Copyright 2019, SecurityGlobal.net LLC