Summary
The host has the Mozilla Firefox browser installed and is prone to an SSL server spoofing vulnerability.
Impact
Attackers can exploit this issue via specially crafted certificates to spoof arbitrary SSL servers.
Impact Level: Application
Solution
Upgrade to Mozilla Firefox version 3.5 or later, or to NSS version 3.12.3 or later.
For updates refer to http://www.mozilla.com/en-US/firefox/ and http://www.mozilla.org/projects/security/pki/nss/tools/
Insight
- Insufficient validation of the domain name in a signed X.509 certificate leads to an error when a '\0' (NUL) character is processed in a domain name in the subject's Common Name (CN) field.
- Insufficient validation of the MD2 hash in a signed X.509 certificate can be exploited to generate a fake intermediate SSL certificate that would be accepted as if it were authentic.
Affected
Mozilla Firefox versions prior to 3.5
NSS versions prior to 3.12.3 on Windows.
Severity
CVSS Base Score: 6.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Classification
CVE: CVE-2009-2408, CVE-2009-2409