SecurityTracker.com
Category:   Application (Security)  >   Network Security Services (NSS)
Vendors:   Mozilla.org
Network Security Services Library NULL Character Flaw in Common Name Field Lets Remote Users Spoof Certificates
SecurityTracker Alert ID:  1022632
SecurityTracker URL:  http://securitytracker.com/id/1022632
CVE Reference:   CVE-2009-2408
Date:  Jul 31 2009
Impact:   Modification of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 3.12.3
Description:   A vulnerability was reported in Network Security Services. A remote user can spoof certificates of arbitrary sites. Mozilla Firefox is affected.

A remote user can create a certificate with a specially crafted Common Name field that contains a NULL character. Once the certificate is signed by a Certificate Authority, the certificate can be used to spoof a target site's certificate.

Dan Kaminsky reported this vulnerability.
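
The advisory does not show the affected code path. As an added example (not NSS source code), the following C sketch shows the general pattern by which a NULL character in a name field defeats a host name check, beside a stricter check that rejects such names. The struct, the function names and the host names are hypothetical, the sample values are constructed, and only exact matching is covered (no wildcards).

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A name as carried in a certificate: bytes plus an explicit length.
 * ASN.1 strings are length-prefixed, so a 0x00 byte can sit inside one. */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Flawed pattern: treats the field as a C string, so the comparison
 * stops at the first NUL and never looks at the bytes after it. */
int cn_matches_naive(const struct cert_name *cn, const char *host)
{
    return strcasecmp((const char *)cn->data, host) == 0;
}

/* Stricter pattern: reject any name with an embedded NUL, then compare
 * over the certificate's own length. Returns 1 on match, 0 on mismatch,
 * -1 when the name is malformed and the certificate should be refused. */
int cn_matches_strict(const struct cert_name *cn, const char *host)
{
    size_t hlen = strlen(host);

    if (memchr(cn->data, '\0', cn->len) != NULL)
        return -1;
    if (cn->len != hlen)
        return 0;
    return strncasecmp((const char *)cn->data, host, hlen) == 0;
}

/* Constructed sample values, not taken from the advisory. */
static const unsigned char CRAFTED[] = "www.bank.example\0.unrelated.example";
static const unsigned char HONEST[]  = "www.bank.example";

const struct cert_name crafted_cn = { CRAFTED, sizeof CRAFTED - 1 };
const struct cert_name honest_cn  = { HONEST,  sizeof HONEST - 1 };

int main(void)
{
    const char *host = "www.bank.example";

    printf("naive,  crafted CN: %d\n", cn_matches_naive(&crafted_cn, host));
    printf("strict, crafted CN: %d\n", cn_matches_strict(&crafted_cn, host));
    printf("strict, honest CN:  %d\n", cn_matches_strict(&honest_cn, host));
    return 0;
}
```

A return value of -1 from the strict check is meant to fail the whole validation, not to fall through to another name field.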

Impact:   A remote user can spoof certificates of arbitrary sites.
Solution:   The vendor has issued a fix (3.12.3).
Vendor URL:  www.mozilla.org/projects/security/pki/nss/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 31 2009 (Red Hat Issues Fix) Network Security Services Library NULL Character Flaw in Common Name Field Lets Remote Users Spoof Certificates
Red Hat has released a fix for Red Hat Enterprise Linux 4.
Jul 31 2009 (Red Hat Issues Fix) Network Security Services Library NULL Character Flaw in Common Name Field Lets Remote Users Spoof Certificates
Red Hat has released a fix for Red Hat Enterprise Linux 5.
Jul 31 2009 (Red Hat Issues Fix) Network Security Services Library NULL Character Flaw in Common Name Field Lets Remote Users Spoof Certificates
Red Hat has released a fix for Red Hat Enterprise Linux 4.7 Extended Update Support.
Aug 5 2009 (Mozilla Issues Fix for Firefox) Network Security Services Library NULL Character Flaw in Common Name Field Lets Remote Users Spoof Certificates
Mozilla has issued a fix for Firefox.
Aug 12 2009 (Red Hat Issues Fix) Network Security Services Library NULL Character Flaw in Common Name Field Lets Remote Users Spoof Certificates
Red Hat has released a fix for Red Hat Enterprise Linux 5.2 Extended Update Support.
Aug 24 2009 (Mozilla Issues Fix for Thunderbird) Network Security Services Library NULL Character Flaw in Common Name Field Lets Remote Users Spoof Certificates
Mozilla has issued a fix for Thunderbird.
Sep 10 2009 (Red Hat Issues Fix for Mozilla Seamonkey) Network Security Services Library NULL Character Flaw in Common Name Field Lets Remote Users Spoof Certificates
Red Hat has released a fix for Mozilla Seamonkey for Red Hat Enterprise Linux 3.
Oct 13 2009 (Sun Issues Fix for Mozilla Thunderbird) Network Security Services Library NULL Character Flaw in Common Name Field Lets Remote Users Spoof Certificates
Sun has issued a fix for Mozilla Thunderbird for OpenSolaris.
Jan 7 2010 (VMware Issues Fix for ESX) Network Security Services Library NULL Character Flaw in Common Name Field Lets Remote Users Spoof Certificates
VMware has issued a fix for VMware ESX 4.0.
Jun 10 2011 (Attachmate Issues Fix for Reflection for Secure IT) Network Security Services Library NULL Character Flaw in Common Name Field Lets Remote Users Spoof Certificates
Attachmate has issued a fix for Reflection for Secure IT.




Copyright 2019, SecurityGlobal.net LLC