PT-2009-4834 · Mozilla+1 · Firefox+4
Dan Kaminsky
+1
·
Published
2009-07-30
·
Updated
2024-02-14
·
CVE-2009-2408
CVSS v2.0
6.8
Medium
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Mozilla Network Security Services (NSS) versions prior to 3.12.3
Firefox versions prior to 3.0.13
Thunderbird versions prior to 2.0.0.23
SeaMonkey versions prior to 1.1.18
Description
The issue arises from improper handling of a '0' character in a domain name within the subject's Common Name (CN) field of an X.509 certificate. This allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
Recommendations
For Mozilla Network Security Services (NSS) versions prior to 3.12.3, update to version 3.12.3 or later.
For Firefox versions prior to 3.0.13, update to version 3.0.13 or later.
For Thunderbird versions prior to 2.0.0.23, update to version 2.0.0.23 or later.
For SeaMonkey versions prior to 1.1.18, update to version 1.1.18 or later.
Fix
Improper Certificate Validation
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Firefox
Network Security Services
Red Hat
Seamonkey
Thunderbird