56723 : Mozilla Multiple Products Certificate Authority (CA) Common Name Null Byte Handling SSL MiTM Weakness
http://osvdb.org/56723

Timeline

Disclosure Date: 2009-08-01
Vendor Solution Date: 2009-08-01

Description

(Description provided by CVE, http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2408): Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.

Classification

Location: Remote / Network Access
Attack Type: Cryptographic, Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Disclosure: Vendor Verified
OSVDB: Web Related

Products

Unknown or Incomplete

Credit

Unknown or Incomplete

CVSSv2 Score

CVSSv2 Base Score = 6.8
Source: nvd.nist.gov | Generated: 2009-07-31

Blogs

This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.

2009/09/11 19:06:00 | [Full-disclosure] [ MDVSA-2009:197-2 ] nss

from: Full-Disclosure digest, knowledge base

Mandriva Linux Security Advisory MDVSA-2009:197-2
http://www.mandriva.com/security/
Package: nss
Date: September 11, 2009
Affected: 2008.1
Problem Description: Security issues in nss prior to 3.12.3

2009/09/11 18:27:00 | [Full-disclosure] [ MDVSA-2009:228 ] libneon

from: Full-Disclosure digest, knowledge base

Mandriva Linux Security Advisory MDVSA-2009:228
http://www.mandriva.com/security/
Package: libneon
Date: September 10, 2009
Affected: 2008.1, 2009.0, 2009.1, Corporate 3.0, Corporate 4.0, Enterprise Server 5.0, Multi Network Firewall 2.0

2009/08/10 22:41:19 | Mandriva Linux Security Advisory 2009:197: nss

from: Open Source Pixels

Security issues in nss prior to 3.12.3 could lead to a man-in-the-middle attack via a spoofed X.509 certificate (CVE-2009-2408) and md2 algorithm flaws (CVE-2009-2409)…

2009/08/05 04:00:16 | USN-810-1: NSS vulnerabilities

from: Linuxine - Published news

Referenced CVEs: CVE-2009-2404, CVE-2009-2408, CVE-2009-2409
Description: Ubuntu Security Notice USN-810-1, August 04, 2009, nss vulnerabilities, CVE-2009-2404, CVE-2009-2408, CVE-2009-2409

2009/08/04 16:00:36 | Newly Revealed Mozilla Firefox Flaws Announced

from: Infosecurity.US

Mozilla Foundation has released new security advisories (and one patch for version 3.0), focusing on serious flaws exposed by security researchers (independently reported by Dan Kaminsky and Moxie Marlinspike) at last week’s Blackhat confab. This time, what happens in Vegas did not stay in Vegas… The exploitable vulnerabilities, enumerated as Mozilla Foundation Security Advisory 2009-42 and 2009-43, cross referenced, respectively, in the MITRE CVE as CVE-2009-2408 and CVE-2009-2404 are fully mitigated by the application of the appropriate workarounds.

2009/08/04 06:23:07 | [USN-810-1] NSS vulnerabilities

from: BUG.WEB.iD

Posted by Jamie Strandboge on Aug 4
Ubuntu Security Notice USN-810-1, August 04, 2009
nss vulnerabilities
CVE-2009-2404, CVE-2009-2408, CVE-2009-2409
A security issue affects the following Ubuntu releases: Ubuntu 8.04 LTS, Ubuntu 8.10, Ubuntu 9.04
This advisory also applies to the corresponding versions of…

2009/07/31 01:00:49 | Security Updates | 2009-07-30

from: Slaptijack

I track security updates for the following vendors: Apple, Cisco, FreeBSD, Microsoft, Red Hat, and Sun Microsystems. I chose these vendors based on my own needs for the networks and systems I manage. I’ve also found that updates from these vendors tend to catch the major updates necessary for common software applications. If you have other vendors you would like me to provide updates for, send me a message. Red Hat, Inc.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

© Copyright 2012 Open Source Vulnerability Database (OSVDB), All Rights Reserved.