National Cyber Awareness System

Vulnerability Summary for CVE-2009-2474

Overview

neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: VUPEN

Name: ADV-2009-2341

Type: Advisory; Patch Information

Hyperlink:http://www.vupen.com/english/advisories/2009/2341

External Source: FEDORA

Name: FEDORA-2009-8815

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00945.html

External Source: FEDORA

Name: FEDORA-2009-8794

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00924.html

External Source: UBUNTU

Name: USN-835-1

Hyperlink:http://www.ubuntu.com/usn/usn-835-1

External Source: BID

Name: 36079

Hyperlink:http://www.securityfocus.com/bid/36079

External Source: MANDRIVA

Name: MDVSA-2009:221

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2009:221

External Source: CONFIRM

Name: http://support.apple.com/kb/HT4435

Hyperlink:http://support.apple.com/kb/HT4435

External Source: SECUNIA

Name: 36799

Hyperlink:http://secunia.com/advisories/36799

External Source: SECUNIA

Name: 36371

Type: Advisory

Hyperlink:http://secunia.com/advisories/36371

External Source: OVAL

Name: oval:org.mitre.oval:def:11721

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11721

External Source: MLIST

Name: [neon] 20090818 CVE-2009-2474: fix handling of NUL in SSL cert subject names

Hyperlink:http://lists.manyfish.co.uk/pipermail/neon/2009-August/001046.html

External Source: MLIST

Name: [neon] 20090818 neon: release 0.28.6 (SECURITY)

Hyperlink:http://lists.manyfish.co.uk/pipermail/neon/2009-August/001044.html

External Source: APPLE

Name: APPLE-SA-2010-11-10-1

Hyperlink:http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html

References to Check Content

Identifier:oval:org.mitre.oval:def:11721

Check System:http://oval.mitre.org/XMLSchema/oval-definitions-5

Hyperlink:http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:11721