Bug 510251 (CVE-2009-2408) - CVE-2009-2408 firefox/nss: doesn't handle NULL in Common Name properly
Summary: CVE-2009-2408 firefox/nss: doesn't handle NULL in Common Name properly
Status: CLOSED ERRATA
Alias: CVE-2009-2408
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 230399 514474 514916 565580 565581 565584 565585 582839
Reported: 2009-07-08 13:40 UTC by Mark J. Cox
Modified: 2019-09-29 12:30 UTC (History)

Doc Type: Bug Fix
Last Closed: 2009-10-13 13:30:35 UTC
Attachments
backported mozbz#480509 (23.81 KB, patch) - 2009-08-03 10:52 UTC, Martin Stransky
backported mozbz#484111 (2.25 KB, patch) - 2009-08-03 10:53 UTC, Martin Stransky


Links (Red Hat Product Errata, all SHIPPED_LIVE, priority normal)
RHSA-2009:1184  Critical: nspr and nss security and bug fix update                   2009-07-30 22:09:52 UTC
RHSA-2009:1186  Critical: nspr and nss security, bug fix, and enhancement update     2009-07-30 22:20:02 UTC
RHSA-2009:1190  Critical: nspr and nss security and bug fix update                   2009-07-31 14:31:31 UTC
RHSA-2009:1207  Critical: nspr and nss security update                               2009-08-12 14:31:10 UTC
RHSA-2009:1432  Critical: seamonkey security update                                  2009-09-09 23:50:33 UTC

Description Mark J. Cox 2009-07-08 13:40:23 UTC
In his upcoming Blackhat paper and presentation Dan Kaminsky
highlights some more issues he has found relating to SSL hash
collisions and related vulnerabilities.

His second issue is all about inconsistencies in the interpretation of subject x509 names in certificates. Specifically "issue 2, attack 2c" regarding NULL terminators in a Common Name field. An attacker could create a malicious certificate containing a NULL, which, if they were able to get it signed, could confuse a client into accepting it by mistake.

According to the paper this is said to affect Firefox.
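The mismatch described above, as an added illustration that is not part of the bug report or of NSS: a DER Name carries an explicit length for each Common Name, while a C-string consumer stops at the first NUL byte, so the two views of the same CN can disagree. The minimal DER walker, the `check_subject` function and the sample subjects below are constructed for this example; a defender can run the same check over certificates seen in logs or a trust store.

```python
# Added example (not from the bug or from NSS). Flags X.509 subject CNs whose
# DER-declared value contains an embedded NUL byte (the CVE-2009-2408 condition).
CN_OID = bytes.fromhex("550403")  # id-at-commonName, OID 2.5.4.3

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def iter_children(der):
    """Yield (tag, value) for each TLV packed back-to-back in der."""
    pos = 0
    while pos < len(der):
        tag, value, pos = read_tlv(der, pos)
        yield tag, value

def common_names(subject_der):
    """Yield the raw bytes of every CN in a DER-encoded X.501 Name."""
    _, rdns, _ = read_tlv(subject_der, 0)          # outer Name SEQUENCE
    for _, rdn in iter_children(rdns):             # each RDN is a SET
        for _, atv in iter_children(rdn):          # AttributeTypeAndValue SEQUENCE
            (_, oid), (_, value) = list(iter_children(atv))[:2]
            if oid == CN_OID:
                yield value

def check_subject(subject_der):
    """Compare the DER view of each CN with what a strlen()-style consumer would see."""
    findings = []
    for raw in common_names(subject_der):
        nul = raw.find(b"\x00")
        c_view = raw if nul < 0 else raw[:nul]     # truncated at the first NUL
        findings.append({"der_cn": raw, "c_cn": c_view, "nul_embedded": nul >= 0})
    return findings

def der(tag, payload):
    """Short-form DER encoder, enough for the constructed samples below."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload

def build_subject(cn):
    """Constructed Name ::= SEQUENCE { SET { SEQUENCE { OID cn, UTF8String cn } } }."""
    atv = der(0x30, der(0x06, CN_OID) + der(0x0C, cn))
    return der(0x30, der(0x31, atv))

SAFE = build_subject(b"www.example.com")                         # constructed
EVIL = build_subject(b"good.example\x00.attacker.example")       # constructed
```

For `EVIL`, `check_subject` reports the DER CN as the full 30-byte string while the C view is only `good.example`, which is exactly the disagreement a length-aware verifier must treat as a rejection.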

Comment 1 Mark J. Cox 2009-07-27 07:52:50 UTC
This issue is fixed in upstream NSS 3.12.3 by the following bzs:

        Improper character escaping and unescaping in alg1485.c & secname.c
        https://bugzilla.mozilla.org/show_bug.cgi?id=480509

        Must escape DER DNS names when converting to zStrings
        https://bugzilla.mozilla.org/show_bug.cgi?id=484111

Comment 4 Mark J. Cox 2009-07-30 07:58:09 UTC
This was also found by Moxie and presented in two talks at Blackhat last night.  Moxie was able to get a CA to sign a certificate containing a NULL in the CN name.

Removing embargo.

Comment 5 errata-xmlrpc 2009-07-30 22:09:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1184 https://rhn.redhat.com/errata/RHSA-2009-1184.html

Comment 6 errata-xmlrpc 2009-07-30 22:20:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1186 https://rhn.redhat.com/errata/RHSA-2009-1186.html

Comment 8 errata-xmlrpc 2009-07-31 14:31:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4.7 Z Stream

Via RHSA-2009:1190 https://rhn.redhat.com/errata/RHSA-2009-1190.html

Comment 9 Martin Stransky 2009-08-03 10:52:01 UTC
Created attachment 355994
backported mozbz#480509

Comment 10 Martin Stransky 2009-08-03 10:53:29 UTC
Created attachment 355997
backported mozbz#484111

Comment 11 errata-xmlrpc 2009-08-12 14:31:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.2 Z Stream

Via RHSA-2009:1207 https://rhn.redhat.com/errata/RHSA-2009-1207.html

Comment 15 errata-xmlrpc 2009-09-09 23:50:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1432 https://rhn.redhat.com/errata/RHSA-2009-1432.html

Comment 16 Tomas Hoger 2009-10-13 13:30:35 UTC
This was fixed in all affected NSS versions in Red Hat Enterprise Linux 3, 4 and 5 and all current Fedora versions (F10+).