In his upcoming Blackhat paper and presentation Dan Kaminsky highlights some more issues he has found relating to SSL hash collisions and related vulnerabilities. His second issue is all about inconsistencies in the interpretation of subject x509 names in certificates. Specifically "issue 2, attack 2c" regarding NULL terminators in a Common Name field. An attacker could create a malicious certificate containing a NULL, which, if they were able to get it signed, could confuse a client into accepting it by mistake. According to the paper this is said to affect Firefox.
This issue is fixed in upstream NSS 3.12.3 by the following bzs:

Improper character escaping and unescaping in alg1485.c & secname.c
https://bugzilla.mozilla.org/show_bug.cgi?id=480509

Must escape DER DNS names when converting to zStrings
https://bugzilla.mozilla.org/show_bug.cgi?id=484111
This was also found by Moxie and presented in two talks at Blackhat last night. Moxie was able to get a CA to sign a certificate containing a NULL in the CN name. Removing embargo.
This issue has been addressed in the following products: Red Hat Enterprise Linux 4, via RHSA-2009:1184 https://rhn.redhat.com/errata/RHSA-2009-1184.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5, via RHSA-2009:1186 https://rhn.redhat.com/errata/RHSA-2009-1186.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 4.7 Z Stream, via RHSA-2009:1190 https://rhn.redhat.com/errata/RHSA-2009-1190.html
Created attachment 355994: backported mozbz#480509
Created attachment 355997: backported mozbz#484111
This issue has been addressed in the following products: Red Hat Enterprise Linux 5.2 Z Stream, via RHSA-2009:1207 https://rhn.redhat.com/errata/RHSA-2009-1207.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 3, via RHSA-2009:1432 https://rhn.redhat.com/errata/RHSA-2009-1432.html
This was fixed in all affected NSS versions in Red Hat Enterprise Linux 3, 4 and 5 and all current Fedora versions (F10+).
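The name confusion described in this bug, as an added example that is not NSS code and not part of the original report: a hostname check that treats the certificate name as a zero-terminated string, next to a length-aware check that refuses any name containing a NUL. The struct, function names and sample names are hypothetical and constructed for illustration; wildcard matching is left out, and the upstream patches fix this by escaping the names rather than by the plain rejection shown here.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Name bytes as decoded from the certificate: DER carries an explicit length. */
struct der_name { const unsigned char *data; size_t len; };

/* Constructed samples (reserved example domains); sizeof - 1 drops the literal's terminator. */
static const unsigned char CN_WITH_NUL[] = "www.example.com\0.example.net";
static const unsigned char CN_PLAIN[]    = "www.example.com";

/* Case-insensitive comparison of exactly n bytes. */
static int eq_nocase(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Flawed: treats the bytes as a zero-terminated string and ignores cn->len. */
int match_cstring(const struct der_name *cn, const char *host)
{
    size_t seen = strlen((const char *)cn->data);   /* stops at the first NUL */
    return seen == strlen(host) && eq_nocase(cn->data, host, seen);
}

/* A NUL anywhere inside the declared length makes the name unusable. */
int name_has_nul(const struct der_name *n)
{
    return memchr(n->data, 0, n->len) != NULL;
}

/* Length-aware: compares the full declared length and rejects embedded NULs. */
int match_length_aware(const struct der_name *cn, const char *host)
{
    if (name_has_nul(cn) || cn->len != strlen(host))
        return 0;
    return eq_nocase(cn->data, host, cn->len);
}

int main(void)
{
    struct der_name bad  = { CN_WITH_NUL, sizeof(CN_WITH_NUL) - 1 };
    struct der_name good = { CN_PLAIN, sizeof(CN_PLAIN) - 1 };
    printf("NUL name:   cstring=%d length-aware=%d\n",
           match_cstring(&bad, "www.example.com"), match_length_aware(&bad, "www.example.com"));
    printf("plain name: cstring=%d length-aware=%d\n",
           match_cstring(&good, "www.example.com"), match_length_aware(&good, "www.example.com"));
    return 0;
}
```

The same `name_has_nul` test can be run over stored certificates as an audit check, since a NUL has no legitimate place in a DNS name.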