National Vulnerability Database (NVD) National Vulnerability Database (CVE-2009-2409)

National Cyber Awareness System

Vulnerability Summary for CVE-2009-2409

Original release date:07/30/2009

Last revised:10/23/2012

Source: US-CERT/NIST

Overview

The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:5.1 (MEDIUM) (AV:N/AC:H/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 4.9

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: High

Authentication: Not required to exploit

Impact Type:Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: CONFIRM

Name: http://java.sun.com/j2se/1.5.0/ReleaseNotes.html

Type: Patch Information

Hyperlink:http://java.sun.com/j2se/1.5.0/ReleaseNotes.html

External Source: REDHAT

Name: RHSA-2010:0095

Hyperlink:https://rhn.redhat.com/errata/RHSA-2010-0095.html

External Source: MLIST

Name: [syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.2.1a has been released

Hyperlink:https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000102.html

External Source: MLIST

Name: [syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.0.6a has been released

Hyperlink:https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000101.html

External Source: CONFIRM

Name: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2409

Hyperlink:https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2409

External Source: VUPEN

Name: ADV-2010-3126

Type: Advisory

Hyperlink:http://www.vupen.com/english/advisories/2010/3126

External Source: VUPEN

Name: ADV-2009-3184

Type: Advisory

Hyperlink:http://www.vupen.com/english/advisories/2009/3184

External Source: VUPEN

Name: ADV-2009-2085

Type: Advisory

Hyperlink:http://www.vupen.com/english/advisories/2009/2085

External Source: CONFIRM

Name: http://www.vmware.com/security/advisories/VMSA-2010-0019.html

Hyperlink:http://www.vmware.com/security/advisories/VMSA-2010-0019.html

External Source: UBUNTU

Name: USN-810-2

Hyperlink:http://www.ubuntulinux.org/support/documentation/usn/usn-810-2

External Source: UBUNTU

Name: USN-810-1

Hyperlink:http://www.ubuntu.com/usn/usn-810-1

External Source: SECTRACK

Name: 1022631

Hyperlink:http://www.securitytracker.com/id?1022631

External Source: BUGTRAQ

Name: 20101207 VMSA-2010-0019 VMware ESX third party updates for Service Console

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/515055/100/0/threaded

External Source: REDHAT

Name: RHSA-2009:1432

Hyperlink:http://www.redhat.com/support/errata/RHSA-2009-1432.html

External Source: REDHAT

Name: RHSA-2009:1207

Hyperlink:http://www.redhat.com/support/errata/RHSA-2009-1207.html

External Source: MANDRIVA

Name: MDVSA-2010:084

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2010:084

External Source: MANDRIVA

Name: MDVSA-2009:258

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2009:258

External Source: MANDRIVA

Name: MDVSA-2009:216

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2009:216

External Source: MANDRIVA

Name: MDVSA-2009:197

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2009:197

External Source: DEBIAN

Name: DSA-1874

Hyperlink:http://www.debian.org/security/2009/dsa-1874

External Source: CONFIRM

Name: http://support.apple.com/kb/HT3937

Hyperlink:http://support.apple.com/kb/HT3937

External Source: GENTOO

Name: GLSA-200912-01

Hyperlink:http://security.gentoo.org/glsa/glsa-200912-01.xml

External Source: GENTOO

Name: GLSA-200911-02

Hyperlink:http://security.gentoo.org/glsa/glsa-200911-02.xml

External Source: SECUNIA

Name: 42467

Type: Advisory

Hyperlink:http://secunia.com/advisories/42467

External Source: SECUNIA

Name: 37386

Type: Advisory

Hyperlink:http://secunia.com/advisories/37386

External Source: SECUNIA

Name: 36739

Type: Advisory

Hyperlink:http://secunia.com/advisories/36739

External Source: SECUNIA

Name: 36669

Hyperlink:http://secunia.com/advisories/36669

External Source: SECUNIA

Name: 36434

Type: Advisory

Hyperlink:http://secunia.com/advisories/36434

External Source: SECUNIA

Name: 36157

Type: Advisory

Hyperlink:http://secunia.com/advisories/36157

External Source: SECUNIA

Name: 36139

Type: Advisory

Hyperlink:http://secunia.com/advisories/36139

External Source: OVAL

Name: oval:org.mitre.oval:def:8594

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:8594

External Source: OVAL

Name: oval:org.mitre.oval:def:7155

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:7155

External Source: OVAL

Name: oval:org.mitre.oval:def:6631

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:6631

External Source: OVAL

Name: oval:org.mitre.oval:def:10763

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10763

External Source: DEBIAN

Name: DSA-1888

Hyperlink:http://lists.debian.org/debian-security-announce/2009/msg00209.html

External Source: APPLE

Name: APPLE-SA-2009-11-09-1

Type: Advisory

Hyperlink:http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html

External Source: CONFIRM

Name: http://java.sun.com/javase/6/webnotes/6u17.html

Hyperlink:http://java.sun.com/javase/6/webnotes/6u17.html

References to Check Content

Identifier:oval:org.mitre.oval:def:8594

Check System:http://oval.mitre.org/XMLSchema/oval-definitions-5

Hyperlink:http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:8594

Identifier:oval:org.mitre.oval:def:6631

Check System:http://oval.mitre.org/XMLSchema/oval-definitions-5

Hyperlink:http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:6631

Identifier:oval:org.mitre.oval:def:10763

Check System:http://oval.mitre.org/XMLSchema/oval-definitions-5

Hyperlink:http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:10763

Identifier:oval:org.mitre.oval:def:7155

Check System:http://oval.mitre.org/XMLSchema/oval-definitions-5

Hyperlink:http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:7155

Vulnerable software and versions

Configuration 1

AND

* cpe:/a:mozilla:firefox

* cpe:/a:mozilla:nss:3.11.8

* cpe:/a:mozilla:nss:3.11.2

* cpe:/a:mozilla:nss:3.6

* cpe:/a:mozilla:nss:3.12

* cpe:/a:mozilla:nss:3.11.7

* cpe:/a:mozilla:nss:3.4

* cpe:/a:mozilla:nss:3.11.4

* cpe:/a:mozilla:nss:3.0

* cpe:/a:mozilla:firefox

* cpe:/a:mozilla:nss:3.12.2 and previous versions

* cpe:/a:mozilla:nss:3.12.1

* cpe:/a:mozilla:nss:3.5

* cpe:/a:mozilla:nss:3.4.2

* cpe:/a:mozilla:nss:3.4.3

* cpe:/a:mozilla:nss:3.4.1

* cpe:/a:mozilla:nss:3.6.1

* cpe:/a:mozilla:nss:3.10

* cpe:/a:mozilla:nss:3.9.5

* cpe:/a:mozilla:nss:3.9

* cpe:/a:mozilla:nss:3.7.7

* cpe:/a:mozilla:nss:3.7.5

* cpe:/a:mozilla:nss:3.7

* cpe:/a:mozilla:nss:3.7.1

* cpe:/a:mozilla:nss:3.7.2

* cpe:/a:mozilla:nss:3.7.3

* cpe:/a:mozilla:nss:3.8

* cpe:/a:mozilla:nss:3.3.2

* cpe:/a:mozilla:nss:3.3.1

* cpe:/a:mozilla:nss:3.3

* cpe:/a:mozilla:nss:3.2.1

* cpe:/a:mozilla:nss:3.2

Configuration 2

* cpe:/a:openssl:openssl:0.9.8k

* cpe:/a:openssl:openssl:0.9.8j

* cpe:/a:openssl:openssl:0.9.8i

* cpe:/a:openssl:openssl:0.9.8

* cpe:/a:openssl:openssl:0.9.8h

* cpe:/a:openssl:openssl:0.9.8g

* cpe:/a:openssl:openssl:0.9.8f

* cpe:/a:openssl:openssl:0.9.8e

* cpe:/a:openssl:openssl:0.9.8d

* cpe:/a:openssl:openssl:0.9.8c

* cpe:/a:openssl:openssl:0.9.8b

* cpe:/a:openssl:openssl:0.9.8a

Configuration 3

* cpe:/a:gnu:gnutls:1.0.23

* cpe:/a:gnu:gnutls:1.0.20

* cpe:/a:gnu:gnutls:1.0.21

* cpe:/a:gnu:gnutls:1.0.18

* cpe:/a:gnu:gnutls:1.0.19

* cpe:/a:gnu:gnutls:1.0.16

* cpe:/a:gnu:gnutls:1.0.17

* cpe:/a:gnu:gnutls:1.1.18

* cpe:/a:gnu:gnutls:1.1.19

* cpe:/a:gnu:gnutls:1.1.16

* cpe:/a:gnu:gnutls:1.1.17

* cpe:/a:gnu:gnutls:1.1.14

* cpe:/a:gnu:gnutls:1.1.15

* cpe:/a:gnu:gnutls:1.0.24

* cpe:/a:gnu:gnutls:1.0.25

* cpe:/a:gnu:gnutls:1.1.21

* cpe:/a:gnu:gnutls:1.1.20

* cpe:/a:gnu:gnutls:1.1.23

* cpe:/a:gnu:gnutls:1.1.22

* cpe:/a:gnu:gnutls:1.2.1

* cpe:/a:gnu:gnutls:1.2.0

* cpe:/a:gnu:gnutls:1.2.11

* cpe:/a:gnu:gnutls:1.2.10

* cpe:/a:gnu:gnutls:1.2.3

* cpe:/a:gnu:gnutls:1.2.2

* cpe:/a:gnu:gnutls:1.2.5

* cpe:/a:gnu:gnutls:1.2.4

* cpe:/a:gnu:gnutls:1.2.7

* cpe:/a:gnu:gnutls:1.2.6

* cpe:/a:gnu:gnutls:1.2.8.1a1

* cpe:/a:gnu:gnutls:1.2.8

* cpe:/a:gnu:gnutls:1.2.9

* cpe:/a:gnu:gnutls:1.3.0

* cpe:/a:gnu:gnutls:1.3.1

* cpe:/a:gnu:gnutls:1.3.2

* cpe:/a:gnu:gnutls:1.3.3

* cpe:/a:gnu:gnutls:1.3.4

* cpe:/a:gnu:gnutls:1.3.5

* cpe:/a:gnu:gnutls:1.4.0

* cpe:/a:gnu:gnutls:1.4.1

* cpe:/a:gnu:gnutls:1.4.5

* cpe:/a:gnu:gnutls:1.6.3

* cpe:/a:gnu:gnutls:1.7.14

* cpe:/a:gnu:gnutls:2.2.2

* cpe:/a:gnu:gnutls:1.7.15

* cpe:/a:gnu:gnutls:2.2.1

* cpe:/a:gnu:gnutls:1.7.12

* cpe:/a:gnu:gnutls:2.2.0

* cpe:/a:gnu:gnutls:1.7.13

* cpe:/a:gnu:gnutls:2.0.4

* cpe:/a:gnu:gnutls:1.1.13

* cpe:/a:gnu:gnutls:1.7.18

* cpe:/a:gnu:gnutls:1.7.19

* cpe:/a:gnu:gnutls:2.2.5

* cpe:/a:gnu:gnutls:1.7.16

* cpe:/a:gnu:gnutls:2.2.4

* cpe:/a:gnu:gnutls:1.7.17

* cpe:/a:gnu:gnutls:2.2.3

* cpe:/a:gnu:gnutls:1.5.0

* cpe:/a:gnu:gnutls:2.0.2

* cpe:/a:gnu:gnutls:1.4.4

* cpe:/a:gnu:gnutls:2.0.3

* cpe:/a:gnu:gnutls:1.4.3

* cpe:/a:gnu:gnutls:2.0.0

* cpe:/a:gnu:gnutls:1.4.2

* cpe:/a:gnu:gnutls:2.0.1

* cpe:/a:gnu:gnutls:1.5.4

* cpe:/a:gnu:gnutls:2.1.2

* cpe:/a:gnu:gnutls:1.5.3

* cpe:/a:gnu:gnutls:2.1.3

* cpe:/a:gnu:gnutls:1.5.2

* cpe:/a:gnu:gnutls:2.1.0

* cpe:/a:gnu:gnutls:1.5.1

* cpe:/a:gnu:gnutls:2.1.1

* cpe:/a:gnu:gnutls:1.6.1

* cpe:/a:gnu:gnutls:2.1.7

* cpe:/a:gnu:gnutls:1.6.2

* cpe:/a:gnu:gnutls:2.1.6

* cpe:/a:gnu:gnutls:1.5.5

* cpe:/a:gnu:gnutls:2.1.5

* cpe:/a:gnu:gnutls:1.6.0

* cpe:/a:gnu:gnutls:2.1.4

* cpe:/a:gnu:gnutls:1.7.2

* cpe:/a:gnu:gnutls:1.7.3

* cpe:/a:gnu:gnutls:2.3.1

* cpe:/a:gnu:gnutls:1.7.0

* cpe:/a:gnu:gnutls:2.3.0

* cpe:/a:gnu:gnutls:1.7.1

* cpe:/a:gnu:gnutls:2.1.8

* cpe:/a:gnu:gnutls:1.7.6

* cpe:/a:gnu:gnutls:1.7.7

* cpe:/a:gnu:gnutls:1.7.4

* cpe:/a:gnu:gnutls:1.7.5

* cpe:/a:gnu:gnutls:1.7.10

* cpe:/a:gnu:gnutls:2.3.10

* cpe:/a:gnu:gnutls:1.7.11

* cpe:/a:gnu:gnutls:1.7.8

* cpe:/a:gnu:gnutls:1.7.9

* cpe:/a:gnu:gnutls:2.6.3 and previous versions

* cpe:/a:gnu:gnutls:2.6.2

* cpe:/a:gnu:gnutls:2.6.1

* cpe:/a:gnu:gnutls:2.6.0

* cpe:/a:gnu:gnutls:2.5.0

* cpe:/a:gnu:gnutls:2.4.2

* cpe:/a:gnu:gnutls:2.4.1

* cpe:/a:gnu:gnutls:2.4.0

* cpe:/a:gnu:gnutls:2.3.9

* cpe:/a:gnu:gnutls:2.3.8

* cpe:/a:gnu:gnutls:2.3.7

* cpe:/a:gnu:gnutls:2.3.6

* cpe:/a:gnu:gnutls:2.3.5

* cpe:/a:gnu:gnutls:2.3.4

* cpe:/a:gnu:gnutls:2.3.3

* cpe:/a:gnu:gnutls:2.3.2

* cpe:/a:gnu:gnutls:2.3.11

* cpe:/a:gnu:gnutls:1.0.22

* cpe:/a:gnu:gnutls:2.7.4

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

Cryptographic Issues (CWE-310)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409