PT-2009-4834 · Mozilla+1 · Firefox+4
Dan Kaminsky
+1
·
Publicado
2009-07-30
·
Atualizado
2024-02-14
·
CVE-2009-2408
CVSS v2.0
6.8
Média
| Vetor | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Mozilla Network Security Services (NSS) versions prior to 3.12.3
Firefox versions prior to 3.0.13
Thunderbird versions prior to 2.0.0.23
SeaMonkey versions prior to 1.1.18
Description
The issue arises from improper handling of a '0' character in a domain name within the subject's Common Name (CN) field of an X.509 certificate. This allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
Recommendations
For Mozilla Network Security Services (NSS) versions prior to 3.12.3, update to version 3.12.3 or later.
For Firefox versions prior to 3.0.13, update to version 3.0.13 or later.
For Thunderbird versions prior to 2.0.0.23, update to version 2.0.0.23 or later.
For SeaMonkey versions prior to 1.1.18, update to version 1.1.18 or later.
Correção
Improper Certificate Validation
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Firefox
Network Security Services
Red Hat
Seamonkey
Thunderbird