Moxie Marlinspike

fetchmail security announcement fetchmail-SA-2009-01 (CVE-2009-2666)

Not affected:   fetchmail release 6.3.11 and newer

Corrected:      2009-08-04 fetchmail SVN (rev 5389)

References:     "Null Prefix Attacks Against SSL/TLS Certificates",
                Moxie Marlinspike, 2009-07-29, Defcon 17, Blackhat 09.

                CVE-2009-2408, Mozilla Firefox <3.5 and NSS <3.12.3
                improper handling of '\0' characters in domain names in
                the Subject CN field of X.509 certificates.


[USN-810-1] NSS vulnerabilities

After a standard system upgrade you need to restart any applications that
use NSS, such as Firefox, to effect the necessary changes.

Details follow:

Moxie Marlinspike discovered that NSS did not properly handle regular
expressions in certificate names. A remote attacker could create a
specially crafted certificate to cause a denial of service (via application
crash) or execute arbitrary code as the user invoking the program.
(CVE-2009-2404)


[SECURITY] [DSA 2025-1] New icedove packages fix several vulnerabilities

Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2009-2408

Dan Kaminsky and Moxie Marlinspike discovered that icedove does not
properly handle a '\0' character in a domain name in the subject's
Common Name (CN) field of an X.509 certificate (MFSA 2009-42).

CVE-2009-2404


[USN-810-2] NSS regression

We apologize for the inconvenience.

Original advisory details:

 Moxie Marlinspike discovered that NSS did not properly handle regular
 expressions in certificate names. A remote attacker could create a
 specially crafted certificate to cause a denial of service (via application
 crash) or execute arbitrary code as the user invoking the program.
 (CVE-2009-2404)


[USN-810-2] NSPR update

USN-810-1 fixed vulnerabilities in NSS. This update provides the NSPR
needed to use the new NSS.

Original advisory details:

 Moxie Marlinspike discovered that NSS did not properly handle regular
 expressions in certificate names. A remote attacker could create a
 specially crafted certificate to cause a denial of service (via application
 crash) or execute arbitrary code as the user invoking the program.
 (CVE-2009-2404)
 

[SECURITY] [DSA 1830-1] New icedove packages fix several vulnerabilities

It is possible to execute arbitrary code via vectors related to the
JavaScript engine. (MFSA 2009-01)

CVE-2009-0652

Bjoern Hoehrmann and Moxie Marlinspike discovered a possible spoofing
attack via Unicode box drawing characters in internationalized domain
names. (MFSA 2009-15)

CVE-2009-0771


[SECURITY] [DSA 1797-1] New xulrunner packages fix several vulnerabilities

browser. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2009-0652

    Moxie Marlinspike discovered that Unicode box drawing characters inside of
    internationalised domain names could be used for phishing attacks.

CVE-2009-1302

    Olli Pettay, Martijn Wargers, Mats Palmgren, Oleg Romashin, Jesse Ruderman

[USN-816-1] fetchmail vulnerability

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Moxie Marlinspike discovered that fetchmail did not properly handle
certificates with NULL characters in the certificate name. A remote
attacker could exploit this to perform a man in the middle attack to
view sensitive information or alter encrypted communications.



[USN-809-1] GnuTLS vulnerabilities

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Moxie Marlinspike and Dan Kaminsky independently discovered that GnuTLS did
not properly handle certificates with NULL characters in the certificate
name. An attacker could exploit this to perform a man in the middle attack
to view sensitive information or alter encrypted communications.
(CVE-2009-2730)


[ GLSA 201006-12 ] Fetchmail: Multiple vulnerabilities

* The vendor reported that Fetchmail does not properly handle Common
  Name (CN) fields in X.509 certificates that contain an ASCII NUL
  character. Specifically, the processing of such fields is stopped at
  the first occurrence of a NUL character. This type of vulnerability
  was recently discovered by Dan Kaminsky and Moxie Marlinspike
  (CVE-2009-2666).

Impact
======


AppSec USA 2011 CFP Reminder, CTF Pre-Conference Challenge #2

Have something important to say about software security? The OWASP AppSec USA 2011 Call for Papers is still open. We're looking for hardcore talks in cloud security, mobile security, new attacks & defenses, and straight up software development platforms. Get your submission in before time runs out. And have your developer friends submit a talk!

http://www.appsecusa.org/talks.html

The AppSec USA 2011 talks will be delivered September 22-23, 2011 in Minneapolis, Minnesota. In addition to the talks, we'll have excellent keynotes like Moxie Marlinspike.


*** CAPTURE THE FLAG PRE-CONFERENCE CHALLENGE #2 ***

Last month ChrisKarel won pre-conference challenge #1 for a pass to the OWASP AppSec USA 2011 talks. Congratulations, ChrisKarel!

[SECURITY] [DSA 1916-1] New kdelibs packages fix SSL certificate verification weakness

Problem type   : remote
Debian-specific: no
Debian bug     : 546212
CVE ID         : CVE-2009-2702

Dan Kaminsky and Moxie Marlinspike discovered that kdelibs, core libraries from
the official KDE release, does not properly handle a '\0' character in a domain
name in the Subject Alternative Name field of an X.509 certificate, which allows
man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted
certificate issued by a legitimate Certification Authority.


[ MDVSA-2009:198 ] firefox

 could call window.open() on an invalid URL which looks similar to a
 legitimate URL and then use document.write() to place content within
 the new document, appearing to have come from the spoofed location
 (CVE-2009-2654).
 
 Moxie Marlinspike reported a heap overflow vulnerability in the
 code that handles regular expressions in certificate names. This
 vulnerability could be used to compromise the browser and run arbitrary
 code by presenting a specially crafted certificate to the client
 (CVE-2009-2404).
 

[ GLSA 200910-01 ] Wget: Certificate validation error

The vendor reported that Wget does not properly handle Common Name (CN)
fields in X.509 certificates that contain an ASCII NUL (\0) character.
Specifically, the processing of such fields is stopped at the first
occurrence of a NUL character. This type of vulnerability was recently
discovered by Dan Kaminsky and Moxie Marlinspike.

Impact
======

A remote attacker might employ a specially crafted X.509 certificate,

[ GLSA 200909-20 ] cURL: Certificate validation error

Scott Cantor reported that cURL does not properly handle fields in
X.509 certificates that contain an ASCII NUL (\0) character.
Specifically, the processing of such fields is stopped at the first
occurrence of a NUL character. This type of vulnerability was recently
discovered by Dan Kaminsky and Moxie Marlinspike.

Impact
======

A remote attacker might employ a specially crafted X.509 certificate

[SECURITY] [DSA 1935-1] New gnutls23/gnutls26 packages fix SSL certificate verification weakness

Debian-specific: no
Debian bug     : 541439
CVE Ids        : CVE-2009-2409 CVE-2009-2730


Dan Kaminsky and Moxie Marlinspike discovered that gnutls, an implementation of
the TLS/SSL protocol, does not properly handle a '\0' character in a domain name
in the subject's Common Name or Subject Alternative Name (SAN) field of an X.509
certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL
servers via a crafted certificate issued by a legitimate Certification
Authority. (CVE-2009-2730)

[SECURITY] [DSA 1874-1] New nss packages fix several vulnerabilities

Service libraries. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2009-2404

   Moxie Marlinspike discovered that a buffer overflow in the regular
   expression parser could lead to the execution of arbitrary code.

CVE-2009-2408

   Dan Kaminsky discovered that NULL characters in certificate

[Suspected Spam]Hackito Ergo Sum 2010 - Call For Paper - HES2010 CFP

* The Grugq (PSP)
* Dhillon Kannabhiran (HITB)
* Kostya Kortchinsky (Immunity)
* Itzik Kotler (Radware)
* Philippe Langlois (P1 Telecom Security, PSP, TSTF, /tmp/lab)
* Moxie Marlinspike (Institute for Disruptive Studies)
* Karsten Nohl (deGate, Reflextor)
* Nicolas Thill (OpenWRT, /tmp/lab)
* Julien Tinnes (Google)
* Nicolas Ruff (EADS, Security Labs)
* Carlos Sarraute (CORE Security Technologies)


