Shibboleth Service Provider NULL Character Spoofing Vulnerability (Win)

Summary
The host has Shibboleth Service Provider installed and is prone to a NULL character spoofing vulnerability.
Impact
Successful exploitation could allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
Impact Level: Application
Solution
Upgrade to Shibboleth Service Provider version 1.3.3 or 2.2.1 or later: http://shibboleth.internet2.edu/downloads.html
Insight
The flaw exists when using PKIX trust validation. The application does not properly handle a '\0' character in the subject or subjectAltName fields of a certificate.
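The following is an added illustration of the flaw class described above, not Shibboleth's own code. It contrasts a name check that treats a decoded certificate name as a C string with one that honours the decoded length and rejects embedded '\0' bytes; the struct, function names and sample host names are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* A certificate name as decoded from ASN.1: raw bytes plus an explicit length. */
struct cert_name { const char *data; size_t len; };

/* Case-insensitive comparison of exactly n bytes (DNS names ignore case). */
static int ci_equal(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Flawed pattern: strlen() stops at the first '\0', so the tail is ignored. */
static int match_naive(const struct cert_name *cn, const char *host)
{
    size_t seen = strlen(cn->data);
    return seen == strlen(host) && ci_equal(cn->data, host, seen);
}

/* Hardened pattern: reject embedded NULs, then compare the full decoded length. */
static int match_strict(const struct cert_name *cn, const char *host)
{
    if (cn->len == 0 || memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                      /* malformed name: never a match */
    return cn->len == strlen(host) && ci_equal(cn->data, host, cn->len);
}

/* Constructed sample names, not taken from any real certificate. */
static const char CRAFTED[] = "idp.example.org\0.untrusted.example";
static const char HONEST[]  = "idp.example.org";

static struct cert_name crafted_name(void) { struct cert_name n = { CRAFTED, sizeof(CRAFTED) - 1 }; return n; }
static struct cert_name honest_name(void)  { struct cert_name n = { HONEST,  sizeof(HONEST)  - 1 }; return n; }

int main(void)
{
    struct cert_name c = crafted_name(), h = honest_name();
    printf("crafted: naive=%d strict=%d\n", match_naive(&c, HONEST), match_strict(&c, HONEST));
    printf("honest:  naive=%d strict=%d\n", match_naive(&h, HONEST), match_strict(&h, HONEST));
    return 0;
}
```

The same length-aware check applies to every subjectAltName entry as well as the subject, since the page names both fields.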
Affected
Shibboleth Service Provider version 1.3.x before 1.3.3 and 2.x before 2.2.1 on Windows.