CVE-2009-2408 - Improper Certificate Validation vulnerability in multiple products
Attack vector | NETWORK |
Attack complexity | HIGH |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | HIGH |
Availability impact | NONE |
Summary
Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.
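The mismatch the summary describes comes down to how the CN bytes are compared: a C-string comparison stops at the first '\0', so the part of the name the CA actually validated is never looked at. The following is an added example, not code from NSS or any of the products listed on this page: a hypothetical matcher that reproduces the flaw beside a length-aware one that rejects embedded NULs, with the CN bytes and host names constructed for the demonstration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a CN as it arrives from a DER-decoded certificate,
 * i.e. raw bytes plus an explicit length. The holder of attacker.example
 * requested "www.bank.example\0.attacker.example" from its CA. */
static const unsigned char CRAFTED_CN[] = "www.bank.example\0.attacker.example";
#define CRAFTED_CN_LEN (sizeof(CRAFTED_CN) - 1)   /* DER length, embedded NUL included */

/* ASCII case-insensitive comparison of exactly n bytes. */
static bool eq_nocase(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Hypothetical matcher modelled on the pre-fix behaviour the summary
 * describes: the CN is treated as a C string, so the comparison stops at
 * the first '\0' and the ".attacker.example" tail is never examined. */
bool cn_matches_vulnerable(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;                               /* DER length ignored: this is the bug */
    size_t seen = strlen((const char *)cn);     /* stops at the embedded NUL */
    return seen == strlen(host) && eq_nocase(cn, host, seen);
}

/* Hardened matcher: honours the DER length, rejects any embedded NUL
 * (no valid DNS name contains one) and requires the whole name to match. */
bool cn_matches_hardened(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)       /* embedded NUL: malformed, no match */
        return false;
    if (cn_len != strlen(host))                 /* a prefix match is no match */
        return false;
    return eq_nocase(cn, host, cn_len);
}

int main(void)
{
    const char *host = "www.bank.example";
    printf("vulnerable: %s\n",
           cn_matches_vulnerable(CRAFTED_CN, CRAFTED_CN_LEN, host) ? "ACCEPTED" : "rejected");
    printf("hardened:   %s\n",
           cn_matches_hardened(CRAFTED_CN, CRAFTED_CN_LEN, host) ? "ACCEPTED" : "rejected");
    return 0;
}
```

The same length-aware check applies to every name a client compares against, not only the CN, since the DER length is the only reliable boundary of the value.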
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Creating a Rogue Certificate Authority Certificate: An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different but valid X.509 certificates that, when hashed with the MD5 algorithm, yield the same value. The attacker then sends the CSR for one of the certificates to a Certification Authority which uses the MD5 hashing algorithm. That request is completely valid, and the Certification Authority issues an X.509 certificate to the attacker, signed with its private key. The attacker then takes that signed blob and inserts it into the other X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value, so the signed blob works just as well in the second certificate. The net effect is that the attacker's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate but itself a signing certificate. Thus the attacker is able to start their own Certification Authority whose root of trust is anchored in the legitimate Certification Authority that signed the attacker's first X.509 certificate. If the original Certification Authority is accepted by default by browsers, so will be the Certification Authority set up by the attacker, and of course any certificates it signs. The attacker is therefore able to generate SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec).
Exploit-Db
description | Mozilla NSS NULL Character CA SSL Certificate Validation Security Bypass Vulnerability. CVE-2009-2408. Remote exploit for linux platform |
id | EDB-ID:33128 |
last seen | 2016-02-03 |
modified | 2009-06-30 |
published | 2009-06-30 |
reporter | Dan Kaminsky |
source | https://www.exploit-db.com/download/33128/ |
title | Mozilla NSS NULL Character CA SSL Certificate Validation Security Bypass Vulnerability |
Nessus
NASL family | MacOS X Local Security Checks |
NASL id | MACOSX_SECUPD2009-006.NASL |
description | The remote host is running a version of Mac OS X 10.5 that does not have Security Update 2009-006 applied. This security update contains fixes for the following products : - AFP Client - Adaptive Firewall - Apache - Apache Portable Runtime - ATS - Certificate Assistant - CoreGraphics - CUPS - Dictionary - DirectoryService - Disk Images - Event Monitor - fetchmail - FTP Server - Help Viewer - International Components for Unicode - IOKit - IPSec - libsecurity - libxml - OpenLDAP - OpenSSH - PHP - QuickDraw Manager - QuickLook - FreeRADIUS - Screen Sharing - Spotlight - Subversion |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 42433 |
published | 2009-11-09 |
reporter | This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/42433 |
title | Mac OS X Multiple Vulnerabilities (Security Update 2009-006) |
code |

#
# (C) Tenable Network Security, Inc.
#

if (!defined_func("bn_random")) exit(0);
if (NASL_LEVEL < 3000) exit(0);

include("compat.inc");

if (description)
{
  script_id(42433);
  script_version("1.27");

  script_cve_id(
    "CVE-2007-5707", "CVE-2007-6698", "CVE-2008-0658", "CVE-2008-5161",
    "CVE-2009-0023", "CVE-2009-1191", "CVE-2009-1195", "CVE-2009-1574",
    "CVE-2009-1632", "CVE-2009-1890", "CVE-2009-1891", "CVE-2009-1955",
    "CVE-2009-1956", "CVE-2009-2408", "CVE-2009-2409", "CVE-2009-2411",
    "CVE-2009-2412", "CVE-2009-2414", "CVE-2009-2416", "CVE-2009-2666",
    "CVE-2009-2808", "CVE-2009-2818", "CVE-2009-2819", "CVE-2009-2820",
    "CVE-2009-2823", "CVE-2009-2824", "CVE-2009-2825", "CVE-2009-2826",
    "CVE-2009-2827", "CVE-2009-2828", "CVE-2009-2829", "CVE-2009-2831",
    "CVE-2009-2832", "CVE-2009-2833", "CVE-2009-2834", "CVE-2009-2837",
    "CVE-2009-2838", "CVE-2009-2839", "CVE-2009-2840", "CVE-2009-3111",
    "CVE-2009-3291", "CVE-2009-3292", "CVE-2009-3293"
  );
  script_bugtraq_id(
    26245, 27778, 34663, 35115, 35221, 35251, 35565, 35623, 35888, 35983,
    36263, 36449, 36959, 36961, 36962, 36963, 36964, 36966, 36967, 36972,
    36973, 36975, 36977, 36978, 36979, 36982, 36985, 36988, 36990
  );

  script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2009-006)");
  script_summary(english:"Check for the presence of Security Update 2009-006");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote host is missing a Mac OS X update that fixes various security issues."
  );
  script_set_attribute(
    attribute:"description",
    value:"The remote host is running a version of Mac OS X 10.5 that does not have Security Update 2009-006 applied. This security update contains fixes for the following products : - AFP Client - Adaptive Firewall - Apache - Apache Portable Runtime - ATS - Certificate Assistant - CoreGraphics - CUPS - Dictionary - DirectoryService - Disk Images - Event Monitor - fetchmail - FTP Server - Help Viewer - International Components for Unicode - IOKit - IPSec - libsecurity - libxml - OpenLDAP - OpenSSH - PHP - QuickDraw Manager - QuickLook - FreeRADIUS - Screen Sharing - Spotlight - Subversion"
  );
  script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT3937");
  script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/18255");
  script_set_attribute(attribute:"solution", value:"Install Security Update 2009-006 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_cwe_id(16, 20, 79, 119, 189, 200, 255, 264, 310, 399);
  script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/09");
  script_cvs_date("Date: 2018/07/16 12:48:31");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/MacOSX/packages", "Host/uname");
  exit(0);
}

uname = get_kb_item("Host/uname");
if (!uname) exit(1, "The 'Host/uname' KB item is missing.");

pat = "^.+Darwin.* ([0-9]+\.[0-9.]+).*$";
if (!ereg(pattern:pat, string:uname))
  exit(1, "Can't identify the Darwin kernel version from the uname output ("+uname+").");

darwin = ereg_replace(pattern:pat, replace:"\1", string:uname);
if (ereg(pattern:"^(9\.[0-8]\.)", string:darwin))
{
  packages = get_kb_item("Host/MacOSX/packages/boms");
  if (!packages) exit(1, "The 'Host/MacOSX/packages/boms' KB item is missing.");

  if (egrep(pattern:"^com\.apple\.pkg\.update\.security\.(2009\.00[6-9]|20[1-9][0-9]\.[0-9]+)\.bom", string:packages))
    exit(0, "The host has Security Update 2009-006 or later installed and therefore is not affected.");
  else
    security_hole(0);
}
else exit(0, "The host is running Darwin kernel version "+darwin+" and therefore is not affected.");
NASL family AIX Local Security Checks NASL id AIX_IZ72837.NASL description 'sendmail before 8.14.4 does not properly handle a last seen 2020-06-01 modified 2020-06-02 plugin id 63813 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/63813 title AIX 5.3 TL 11 : sendmail (IZ72837) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-203.NASL description A vulnerability has been found and corrected in curl : lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a last seen 2020-06-01 modified 2020-06-02 plugin id 40597 published 2009-08-17 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40597 title Mandriva Linux Security Advisory : curl (MDVSA-2009:203-1) NASL family SuSE Local Security Checks NASL id SUSE_11_0_LIBNEON-DEVEL-091012.NASL description neon did not properly handle embedded NUL characters in X.509 certificates when comparing host names. Attackers could exploit that to spoof SSL servers (CVE-2009-2408). Specially crafted XML documents that contain a large number of nested entity references could cause neon to consume large amounts of CPU and memory (CVE-2009-2473). last seen 2020-06-01 modified 2020-06-02 plugin id 42315 published 2009-10-30 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42315 title openSUSE Security Update : libneon-devel (libneon-devel-1377) NASL family SuSE Local Security Checks NASL id SUSE_MUTT-6484.NASL description This update of mutt improves the handling of the \0 character in SSL certificates. (CVE-2009-2408) last seen 2020-06-01 modified 2020-06-02 plugin id 41559 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/41559 title SuSE 10 Security Update : mutt (ZYPP Patch Number 6484) NASL family SuSE Local Security Checks NASL id SUSE_11_0_MUTT-090909.NASL description This update of mutt improves the handling of the \0 character in SSL certificates. (CVE-2009-2408 ) last seen 2020-06-01 modified 2020-06-02 plugin id 41036 published 2009-09-22 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41036 title openSUSE Security Update : mutt (mutt-1298) NASL family Scientific Linux Local Security Checks NASL id SL_20090909_SEAMONKEY_ON_SL3_X.NASL description CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky) CVE-2009-2408 firefox/nss: doesn last seen 2020-06-01 modified 2020-06-02 plugin id 60665 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60665 title Scientific Linux Security Update : seamonkey on SL3.x, SL4.x i386/x86_64 NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1874.NASL description Several vulnerabilities have been discovered in the Network Security Service libraries. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-2404 Moxie Marlinspike discovered that a buffer overflow in the regular expression parser could lead to the execution of arbitrary code. - CVE-2009-2408 Dan Kaminsky discovered that NULL characters in certificate names could lead to man-in-the-middle attacks by tricking the user into accepting a rogue certificate. - CVE-2009-2409 Certificates with MD2 hash signatures are no longer accepted since they last seen 2020-06-01 modified 2020-06-02 plugin id 44739 published 2010-02-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/44739 title Debian DSA-1874-1 : nss - several vulnerabilities NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-221.NASL description Multiple vulnerabilities has been found and corrected in libneon0.27 : neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564 (CVE-2009-2473). neon before 0.28.6, when OpenSSL is used, does not properly handle a last seen 2020-06-01 modified 2020-06-02 plugin id 40764 published 2009-08-25 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/40764 title Mandriva Linux Security Advisory : libneon0.27 (MDVSA-2009:221) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1428.NASL description According to the versions of the ruby packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005.(CVE-2012-4466) - The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.(CVE-2014-8090) - Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.(CVE-2013-4287) - The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack.(CVE-2014-8080) - The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a last seen 2020-03-17 modified 2019-05-14 plugin id 124931 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124931 title EulerOS Virtualization 3.0.1.0 : ruby (EulerOS-SA-2019-1428) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-288.NASL description A vulnerability has been identified and corrected in proftpd : The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before 1.3.3rc2, when the dNSNameRequired TLS option is enabled, does not properly handle a last seen 2020-06-01 modified 2020-06-02 plugin id 42240 published 2009-10-26 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/42240 title Mandriva Linux Security Advisory : proftpd (MDVSA-2009:288) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-1432.NASL description Updated SeaMonkey packages that fix several security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-3072, CVE-2009-3075) A use-after-free flaw was found in SeaMonkey. An attacker could use this flaw to crash SeaMonkey or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-3077) Dan Kaminsky discovered flaws in the way browsers such as SeaMonkey handle NULL characters in a certificate. If an attacker is able to get a carefully-crafted certificate signed by a Certificate Authority trusted by SeaMonkey, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse SeaMonkey into accepting it by mistake. (CVE-2009-2408) Descriptions in the dialogs when adding and removing PKCS #11 modules were not informative. An attacker able to trick a user into installing a malicious PKCS #11 module could use this flaw to install their own Certificate Authority certificates on a user last seen 2020-06-01 modified 2020-06-02 plugin id 40923 published 2009-09-10 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/40923 title RHEL 3 : seamonkey (RHSA-2009:1432) NASL family SuSE Local Security Checks NASL id SUSE_11_1_LIBNEON-DEVEL-091012.NASL description neon did not properly handle embedded NUL characters in X.509 certificates when comparing host names. Attackers could exploit that to spoof SSL servers (CVE-2009-2408). Specially crafted XML documents that contain a large number of nested entity references could cause neon to consume large amounts of CPU and memory (CVE-2009-2473). last seen 2020-06-01 modified 2020-06-02 plugin id 42317 published 2009-10-30 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42317 title openSUSE Security Update : libneon-devel (libneon-devel-1377) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2009-1432.NASL description From Red Hat Security Advisory 2009:1432 : Updated SeaMonkey packages that fix several security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-3072, CVE-2009-3075) A use-after-free flaw was found in SeaMonkey. An attacker could use this flaw to crash SeaMonkey or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-3077) Dan Kaminsky discovered flaws in the way browsers such as SeaMonkey handle NULL characters in a certificate. 
If an attacker is able to get a carefully-crafted certificate signed by a Certificate Authority trusted by SeaMonkey, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse SeaMonkey into accepting it by mistake. (CVE-2009-2408) Descriptions in the dialogs when adding and removing PKCS #11 modules were not informative. An attacker able to trick a user into installing a malicious PKCS #11 module could use this flaw to install their own Certificate Authority certificates on a user last seen 2020-06-01 modified 2020-06-02 plugin id 67924 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67924 title Oracle Linux 3 : seamonkey (ELSA-2009-1432) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1544.NASL description According to the versions of the php packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An integer underflow flaw leading to out-of-bounds memory access was found in the way PHP last seen 2020-06-01 modified 2020-06-02 plugin id 124997 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124997 title EulerOS Virtualization 3.0.1.0 : php (EulerOS-SA-2019-1544) NASL family SuSE Local Security Checks NASL id SUSE_MOZILLATHUNDERBIRD-6493.NASL description Mozilla Thunderbird was updated to version 2.0.0.23. The release fixes one security issue: MFSA 2009-42 / CVE-2009-2408: IOActive security researcher Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities (CA) which issue server certificates. 
In particular, if a malicious person requested a certificate for a host name with an invalid null character in it most CAs would issue the certificate if the requester owned the domain specified after the null, while most SSL clients (browsers) ignored that part of the name and used the unvalidated part in front of the null. This made it possible for attackers to obtain certificates that would function for any site they wished to target. These certificates could be used to intercept and potentially alter encrypted communication between the client and a server such as sensitive bank account transactions. This vulnerability was independently reported to us by researcher Moxie Marlinspike who also noted that since Firefox relies on SSL to protect the integrity of security updates this attack could be used to serve malicious updates. last seen 2020-06-01 modified 2020-06-02 plugin id 41986 published 2009-10-06 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41986 title openSUSE 10 Security Update : MozillaThunderbird (MozillaThunderbird-6493) NASL family SuSE Local Security Checks NASL id SUSE_OPENLDAP2-6485.NASL description This update of openldap2 makes SSL certificate verification more robust against uses of the special character \0 in the subjects name. (CVE-2009-2408) last seen 2020-06-01 modified 2020-06-02 plugin id 41566 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/41566 title SuSE 10 Security Update : OpenLDAP2 (ZYPP Patch Number 6485) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0008_PYTHON.NASL description The remote NewStart CGSL host, running version MAIN 5.04, has python packages installed that are affected by multiple vulnerabilities: - Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows. (CVE-2007-4965) - Integer overflow in _hashopenssl.c in the hashlib module in Python 2.5.2 and earlier might allow context- dependent attackers to defeat cryptographic digests, related to partial hashlib hashing of data exceeding 4GB. (CVE-2008-2316) - Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory. (CVE-2008-5983) - Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context- dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3143.5. 
(CVE-2010-1634) - The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one- byte string, a different vulnerability than CVE-2010-1634. (CVE-2010-2089) - The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a last seen 2020-06-01 modified 2020-06-02 plugin id 127154 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127154 title NewStart CGSL MAIN 5.04 : python Multiple Vulnerabilities (NS-SA-2019-0008) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2010-026.NASL description A vulnerability was discovered and corrected in openldap : libraries/libldap/tls_o.c in OpenLDAP, when OpenSSL is used, does not properly handle a last seen 2020-06-01 modified 2020-06-02 plugin id 44321 published 2010-01-27 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44321 title Mandriva Linux Security Advisory : openldap (MDVSA-2010:026) NASL family SuSE Local Security Checks NASL id SUSE_11_1_LIBFREEBL3-090812.NASL description The Mozilla NSS security framework was updated to version 3.12.3.1. 
CVE-2009-2404 / MFSA 2009-43 : Heap-based buffer overflow in a regular-expression parser in Mozilla Network Security Services (NSS) before 3.12.3, as used in Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger (AIM), allows remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long domain name in the subject last seen 2020-06-01 modified 2020-06-02 plugin id 40652 published 2009-08-20 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40652 title openSUSE Security Update : libfreebl3 (libfreebl3-1201) NASL family SuSE Local Security Checks NASL id SUSE_11_MUTT-090909.NASL description This update of mutt improves the handling of the \0 character in SSL certificates. (CVE-2009-2408) last seen 2020-06-01 modified 2020-06-02 plugin id 41438 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41438 title SuSE 11 Security Update : mutt (SAT Patch Number 1291) NASL family SuSE Local Security Checks NASL id SUSE_MUTT-6487.NASL description This update of mutt improves the handling of the \0 character in SSL certificates. (CVE-2009-2408 ) last seen 2020-06-01 modified 2020-06-02 plugin id 42023 published 2009-10-06 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42023 title openSUSE 10 Security Update : mutt (mutt-6487) NASL family SuSE Local Security Checks NASL id SUSE_11_1_MUTT-090909.NASL description This update of mutt improves the handling of the \0 character in SSL certificates. (CVE-2009-2408 ) last seen 2020-06-01 modified 2020-06-02 plugin id 41042 published 2009-09-22 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/41042 title openSUSE Security Update : mutt (mutt-1298) NASL family AIX Local Security Checks NASL id AIX_IZ70637.NASL description 'sendmail before 8.14.4 does not properly handle a last seen 2020-06-01 modified 2020-06-02 plugin id 63799 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/63799 title AIX 6.1 TL 4 : sendmail (IZ70637) NASL family SuSE Local Security Checks NASL id SUSE_MOZILLA-NSPR-6541.NASL description The Mozilla NSS security framework was updated to version 3.12.3.1. - Heap-based buffer overflow in a regular-expression parser in Mozilla Network Security Services (NSS) before 3.12.3, as used in Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger (AIM), allows remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long domain name in the subject last seen 2020-06-01 modified 2020-06-02 plugin id 42190 published 2009-10-20 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/42190 title SuSE 10 Security Update : Mozilla NSS (ZYPP Patch Number 6541) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-1207.NASL description Updated nspr and nss packages that fix security issues are now available for Red Hat Enterprise Linux 5.2 Extended Update Support. This update has been rated as having critical security impact by the Red Hat Security Response Team. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and network I/O, interval timing, calendar time, basic memory management (malloc and free), and shared library linking. 
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv2, SSLv3, TLS, and other security standards. These updated packages upgrade NSS from the previous version, 3.12.2, to a prerelease of version 3.12.4. The version of NSPR has also been upgraded from 4.7.3 to 4.7.4. Moxie Marlinspike reported a heap overflow flaw in a regular expression parser in the NSS library used by browsers such as Mozilla Firefox to match common names in certificates. A malicious website could present a carefully-crafted certificate in such a way as to trigger the heap overflow, leading to a crash or, possibly, arbitrary code execution with the permissions of the user running the browser. (CVE-2009-2404) Note: in order to exploit this issue without further user interaction in Firefox, the carefully-crafted certificate would need to be signed by a Certificate Authority trusted by Firefox, otherwise Firefox presents the victim with a warning that the certificate is untrusted. Only if the user then accepts the certificate will the overflow take place. Dan Kaminsky discovered flaws in the way browsers such as Firefox handle NULL characters in a certificate. If an attacker is able to get a carefully-crafted certificate signed by a Certificate Authority trusted by Firefox, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse Firefox into accepting it by mistake. (CVE-2009-2408) Dan Kaminsky found that browsers still accept certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by a browser. NSS now disables the use of MD2 and MD4 algorithms inside signatures by default. 
(CVE-2009-2409) All users of nspr and nss are advised to upgrade to these updated packages, which resolve these issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 63889
published: 2013-01-24
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/63889
title: RHEL 5 : nspr and nss (RHSA-2009:1207)

NASL family: Mandriva Local Security Checks
NASL id: MANDRIVA_MDVSA-2009-197.NASL
description: Security issues in nss prior to 3.12.3 could lead to a man-in-the-middle attack via a spoofed X.509 certificate (CVE-2009-2408) and md2 algorithm flaws (CVE-2009-2409), and also cause a denial-of-service and possible code execution via a long domain name in X.509 certificate (CVE-2009-2404). This update provides the latest versions of NSS and NSPR libraries which are not vulnerable to those attacks. Update : Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 40522
published: 2009-08-10
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/40522
title: Mandriva Linux Security Advisory : nss (MDVSA-2009:197-3)

NASL family: SuSE Local Security Checks
NASL id: SUSE9_12521.NASL
description: seamonkey was updated to version 1.1.18, fixing various security issues :
- Moxie Marlinspike reported a heap overflow vulnerability in the code that handles regular expressions in certificate names. This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client. This code provided compatibility with the non-standard regular expression syntax historically supported by Netscape clients and servers. With version 3.5 Firefox switched to the more limited industry-standard wildcard syntax instead and is not vulnerable to this flaw.
(MFSA 2009-43 / CVE-2009-2404)
- IOActive security researcher Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities (CA) which issue server certificates. In particular, if a malicious person requested a certificate for a host name with an invalid null character in it most CAs would issue the certificate if the requester owned the domain specified after the null, while most SSL clients (browsers) ignored that part of the name and used the unvalidated part in front of the null. This made it possible for attackers to obtain certificates that would function for any site they wished to target. These certificates could be used to intercept and potentially alter encrypted communication between the client and a server such as sensitive bank account transactions. This vulnerability was independently reported to us by researcher Moxie Marlinspike who also noted that since Firefox relies on SSL to protect the integrity of security updates this attack could be used to serve malicious updates. Mozilla would like to thank Dan and the Microsoft Vulnerability Research team for coordinating a multiple-vendor response to this problem. (MFSA 2009-42 / CVE-2009-2408)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 42200
published: 2009-10-22
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/42200
title: SuSE9 Security Update : epiphany (YOU Patch Number 12521)

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2009-1431.NASL
description: Updated SeaMonkey packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content.
A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-3072, CVE-2009-3075) A use-after-free flaw was found in SeaMonkey. An attacker could use this flaw to crash SeaMonkey or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-3077) Descriptions in the dialogs when adding and removing PKCS #11 modules were not informative. An attacker able to trick a user into installing a malicious PKCS #11 module could use this flaw to install their own Certificate Authority certificates on a user
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 40933
published: 2009-09-11
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/40933
title: CentOS 4 : seamonkey (CESA-2009:1431)

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_MOZILLATHUNDERBIRD-090915.NASL
description: Mozilla Thunderbird was updated to version 2.0.0.23. The release fixes one security issue: MFSA 2009-42 / CVE-2009-2408: IOActive security researcher Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities (CA) which issue server certificates. In particular, if a malicious person requested a certificate for a host name with an invalid null character in it most CAs would issue the certificate if the requester owned the domain specified after the null, while most SSL clients (browsers) ignored that part of the name and used the unvalidated part in front of the null. This made it possible for attackers to obtain certificates that would function for any site they wished to target. These certificates could be used to intercept and potentially alter encrypted communication between the client and a server such as sensitive bank account transactions.
This vulnerability was independently reported to us by researcher Moxie Marlinspike who also noted that since Firefox relies on SSL to protect the integrity of security updates this attack could be used to serve malicious updates.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 64209
published: 2013-01-25
reporter: This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/64209
title: SuSE 11 Security Update : Mozilla (SAT Patch Number 1304)

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2019-1434.NASL
description: According to the versions of the python packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
- It was found that Python
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 124937
published: 2019-05-14
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/124937
title: EulerOS Virtualization 3.0.1.0 : python (EulerOS-SA-2019-1434)

NASL family: MacOS X Local Security Checks
NASL id: MACOSX_10_6_2.NASL
description: The remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.2. Mac OS X 10.6.2 contains security fixes for the following products :
- Adaptive Firewall
- Apache
- Apache Portable Runtime
- Certificate Assistant
- CoreMedia
- CUPS
- Dovecot
- fetchmail
- file
- FTP Server
- Help Viewer
- ImageIO
- IOKit
- IPSec
- Kernel
- Launch Services
- libsecurity
- libxml
- Login Window
- OpenLDAP
- QuickDraw Manager
- QuickTime
- Screen Sharing
- Subversion
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 42434
published: 2009-11-09
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/42434
title: Mac OS X 10.6.x < 10.6.2 Multiple Vulnerabilities

NASL family: Mandriva Local Security Checks
NASL id: MANDRIVA_MDVSA-2011-162.NASL
description: Multiple vulnerabilities were discovered and corrected in kdelibs4 : KDE KSSL in kdelibs does not properly handle a \
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 56687
published: 2011-11-02
reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/56687
title: Mandriva Linux Security Advisory : kdelibs4 (MDVSA-2011:162)

NASL family: Mandriva Local Security Checks
NASL id: MANDRIVA_MDVSA-2009-206.NASL
description: A vulnerability has been found and corrected in wget : GNU Wget before 1.12 does not properly handle a
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 40638
published: 2009-08-20
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/40638
title: Mandriva Linux Security Advisory : wget (MDVSA-2009:206-1)

NASL family: AIX Local Security Checks
NASL id: AIX_IZ72834.NASL
description: 'sendmail before 8.14.4 does not properly handle a
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 63810
published: 2013-01-24
reporter: This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/63810
title: AIX 5.3 TL 8 : sendmail (IZ72834)

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_LIBLDAP-2_4-2-090915.NASL
description: This update of openldap2 makes SSL certificate verification more robust against uses of the special character \0 in the subject's name. (CVE-2009-2408)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 41420
published: 2009-09-24
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/41420
title: SuSE 11 Security Update : OpenLDAP2 (SAT Patch Number 1290)

NASL family: SuSE Local Security Checks
NASL id: SUSE9_12505.NASL
description: This update of mutt improves the handling of the \0 character in SSL certificates. (CVE-2009-2408)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 41326
published: 2009-09-24
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/41326
title: SuSE9 Security Update : mutt (YOU Patch Number 12505)

NASL family: AIX Local Security Checks
NASL id: AIX_IZ72528.NASL
description: 'sendmail before 8.14.4 does not properly handle a
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 63809
published: 2013-01-24
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/63809
title: AIX 6.1 TL 1 : sendmail (IZ72528)

NASL family: Mandriva Local Security Checks
NASL id: MANDRIVA_MDVSA-2010-027.NASL
description: Multiple vulnerabilities were discovered and corrected in kdelibs4 : KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 48170
published: 2010-07-30
reporter: This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/48170
title: Mandriva Linux Security Advisory : kdelibs4 (MDVSA-2010:027)

NASL family: SuSE Local Security Checks
NASL id: SUSE_NEON-6548.NASL
description: neon did not properly handle embedded NUL characters in X.509 certificates when comparing host names. Attackers could exploit that to spoof SSL servers. (CVE-2009-2408) Specially crafted XML documents that contain a large number of nested entity references could cause neon to consume large amounts of CPU and memory.
(CVE-2009-2473)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 42303
published: 2009-10-29
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/42303
title: SuSE 10 Security Update : neon (ZYPP Patch Number 6548)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2009-1186.NASL
description: Updated nspr and nss packages that fix security issues, bugs, and add an enhancement are now available for Red Hat Enterprise Linux 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. The packages with this update are identical to the packages released by RHBA-2009:1161 on the 20th of July 2009. They are being reissued as a Red Hat Security Advisory as they fixed a number of security issues that were made public today. If you are installing these packages for the first time, they also provide a number of bug fixes and add an enhancement, as detailed in RHBA-2009:1161. Since the packages are identical, there is no need to install this update if RHBA-2009:1161 has already been installed.

Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and network I/O, interval timing, calendar time, basic memory management (malloc and free), and shared library linking. Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv2, SSLv3, TLS, and other security standards. These updated packages upgrade NSS from the previous version, 3.12.2, to a prerelease of version 3.12.4. The version of NSPR has also been upgraded from 4.7.3 to 4.7.4.
Moxie Marlinspike reported a heap overflow flaw in a regular expression parser in the NSS library used by browsers such as Mozilla Firefox to match common names in certificates. A malicious website could present a carefully-crafted certificate in such a way as to trigger the heap overflow, leading to a crash or, possibly, arbitrary code execution with the permissions of the user running the browser. (CVE-2009-2404) Note: in order to exploit this issue without further user interaction in Firefox, the carefully-crafted certificate would need to be signed by a Certificate Authority trusted by Firefox, otherwise Firefox presents the victim with a warning that the certificate is untrusted. Only if the user then accepts the certificate will the overflow take place.

Dan Kaminsky discovered flaws in the way browsers such as Firefox handle NULL characters in a certificate. If an attacker is able to get a carefully-crafted certificate signed by a Certificate Authority trusted by Firefox, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse Firefox into accepting it by mistake. (CVE-2009-2408)

Dan Kaminsky found that browsers still accept certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by a browser. NSS now disables the use of MD2 and MD4 algorithms inside signatures by default. (CVE-2009-2409)

All users of nspr and nss are advised to upgrade to these updated packages, which resolve these issues and add an enhancement.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 40441
published: 2009-07-31
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/40441
title: RHEL 5 : nspr and nss (RHSA-2009:1186)

NASL family: AIX Local Security Checks
NASL id: AIX_IZ72515.NASL
description: 'sendmail before 8.14.4 does not properly handle a
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 63808
published: 2013-01-24
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/63808
title: AIX 6.1 TL 2 : sendmail (IZ72515)

NASL family: Mandriva Local Security Checks
NASL id: MANDRIVA_MDVSA-2010-195.NASL
description: Multiple vulnerabilities have been found and corrected in libesmtp : libESMTP, probably 1.0.4 and earlier, does not properly handle a \
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 49742
published: 2010-10-06
reporter: This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/49742
title: Mandriva Linux Security Advisory : libesmtp (MDVSA-2010:195)

NASL family: Amazon Linux Local Security Checks
NASL id: ALA_ALAS-2013-220.NASL
description: The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 70224
published: 2013-10-01
reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/70224
title: Amazon Linux AMI : python27 (ALAS-2013-220)

NASL family: Amazon Linux Local Security Checks
NASL id: ALA_ALAS-2013-241.NASL
description: It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory.
(CVE-2013-1752) The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 70903
published: 2013-11-14
reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/70903
title: Amazon Linux AMI : python26 (ALAS-2013-241)

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_0_LIBFREEBL3-090812.NASL
description: The Mozilla NSS security framework was updated to version 3.12.3.1. CVE-2009-2404 / MFSA 2009-43 : Heap-based buffer overflow in a regular-expression parser in Mozilla Network Security Services (NSS) before 3.12.3, as used in Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger (AIM), allows remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long domain name in the subject
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 40645
published: 2009-08-20
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/40645
title: openSUSE Security Update : libfreebl3 (libfreebl3-1201)

NASL family: Scientific Linux Local Security Checks
NASL id: SL_20090731_NSPR_AND_NSS_FOR_SL_5_X.NASL
description: CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky) CVE-2009-2408 firefox/nss: doesn
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 60632
published: 2012-08-01
reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/60632
title: Scientific Linux Security Update : nspr and nss for SL 5.x on i386/x86_64

NASL family: Solaris Local Security Checks
NASL id: SOLARIS11_RUBY_20130924.NASL
description: The remote Solaris system is missing necessary patches to address security updates :
- The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname. (CVE-2011-1005)
- The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005. (CVE-2012-4481)
- The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 80755
published: 2015-01-19
reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/80755
title: Oracle Solaris Third-Party Patch Update : ruby (cve_2013_4073_cryptographic_issues)

NASL family: Mandriva Local Security Checks
NASL id: MANDRIVA_MDVSA-2009-217.NASL
description: A number of security vulnerabilities have been discovered in Mozilla Thunderbird : Security issues in thunderbird could lead to a man-in-the-middle attack via a spoofed X.509 certificate (CVE-2009-2408). A vulnerability was found in xmltok_impl.c (expat) that with specially crafted XML could be exploited and lead to a denial of service attack. Related to CVE-2009-2625 (CVE-2009-3720). This update provides the latest version of Thunderbird, which is not vulnerable to these issues.
Update : Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 40701
published: 2009-08-24
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/40701
title: Mandriva Linux Security Advisory : mozilla-thunderbird (MDVSA-2009:217-3)

NASL family: SuSE Local Security Checks
NASL id: SUSE_SEAMONKEY-6538.NASL
description: seamonkey was updated to version 1.1.18, fixing various security issues :

MFSA 2009-43 / CVE-2009-2404 Moxie Marlinspike reported a heap overflow vulnerability in the code that handles regular expressions in certificate names. This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client. This code provided compatibility with the non-standard regular expression syntax historically supported by Netscape clients and servers. With version 3.5 Firefox switched to the more limited industry-standard wildcard syntax instead and is not vulnerable to this flaw.

MFSA 2009-42 / CVE-2009-2408: IOActive security researcher Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities (CA) which issue server certificates. In particular, if a malicious person requested a certificate for a host name with an invalid null character in it most CAs would issue the certificate if the requester owned the domain specified after the null, while most SSL clients (browsers) ignored that part of the name and used the unvalidated part in front of the null. This made it possible for attackers to obtain certificates that would function for any site they wished to target. These certificates could be used to intercept and potentially alter encrypted communication between the client and a server such as sensitive bank account transactions.
This vulnerability was independently reported to us by researcher Moxie Marlinspike who also noted that since Firefox relies on SSL to protect the integrity of security updates this attack could be used to serve malicious updates. Mozilla would like to thank Dan and the Microsoft Vulnerability Research team for coordinating a multiple-vendor response to this problem.

The update also contains the fixes from the skipped 1.1.17 security update:
- MFSA 2009-17/CVE-2009-1307: Same-origin violations when Adobe Flash loaded via view-source: scheme
- MFSA 2009-21/CVE-2009-1311: POST data sent to wrong site when saving web page with embedded frame
- MFSA 2009-24/CVE-2009-1392/CVE-2009-1832/CVE-2009-1833: Crashes with evidence of memory corruption (rv:1.9.0.11)
- MFSA 2009-26/CVE-2009-1835: Arbitrary domain cookie access by local file: resources
- MFSA 2009-27/CVE-2009-1836: SSL tampering via non-200 responses to proxy CONNECT requests
- MFSA 2009-29/CVE-2009-1838: Arbitrary code execution using event listeners attached to an element whose owner document is null
- MFSA 2009-32/CVE-2009-1841: JavaScript chrome privilege escalation
- MFSA 2009-33/CVE-2009-2210: Crash viewing multipart/alternative message with text/enhanced part
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 42327
published: 2009-10-30
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/42327
title: openSUSE 10 Security Update : seamonkey (seamonkey-6538)

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_E7BC5600EAA011DEBD9C00215C6A37BB.NASL
description: PostgreSQL project reports : PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly handle a
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 43177
published: 2009-12-17
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/43177
title: FreeBSD : postgresql -- multiple vulnerabilities (e7bc5600-eaa0-11de-bd9c-00215c6a37bb)

NASL family: VMware ESX Local Security Checks
NASL id: VMWARE_VMSA-2010-0001_REMOTE.NASL
description: The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries :
- Network Security Services (NSS)
- NetScape Portable Runtime (NSPR)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 89735
published: 2016-03-08
reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/89735
title: VMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2010-0001) (remote check)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2009-1184.NASL
description: Updated nspr and nss packages that fix security issues and a bug are now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team.

Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and network I/O, interval timing, calendar time, basic memory management (malloc and free), and shared library linking. Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv2, SSLv3, TLS, and other security standards. These updated packages upgrade NSS from the previous version, 3.12.2, to a prerelease of version 3.12.4. The version of NSPR has also been upgraded from 4.7.3 to 4.7.4.
Moxie Marlinspike reported a heap overflow flaw in a regular expression parser in the NSS library used by browsers such as Mozilla Firefox to match common names in certificates. A malicious website could present a carefully-crafted certificate in such a way as to trigger the heap overflow, leading to a crash or, possibly, arbitrary code execution with the permissions of the user running the browser. (CVE-2009-2404) Note: in order to exploit this issue without further user interaction in Firefox, the carefully-crafted certificate would need to be signed by a Certificate Authority trusted by Firefox, otherwise Firefox presents the victim with a warning that the certificate is untrusted. Only if the user then accepts the certificate will the overflow take place.

Dan Kaminsky discovered flaws in the way browsers such as Firefox handle NULL characters in a certificate. If an attacker is able to get a carefully-crafted certificate signed by a Certificate Authority trusted by Firefox, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse Firefox into accepting it by mistake. (CVE-2009-2408)

Dan Kaminsky found that browsers still accept certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by a browser. NSS now disables the use of MD2 and MD4 algorithms inside signatures by default. (CVE-2009-2409)

These version upgrades also provide a fix for the following bug :
* SSL client authentication failed against an Apache server when it was using the mod_nss module and configured for NSSOCSP. On the client side, the user agent received an error message that referenced
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 40439
published: 2009-07-31
reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/40439
title: RHEL 4 : nspr and nss (RHSA-2009:1184)

NASL family: SuSE Local Security Checks
NASL id: SUSE_OPENLDAP2-6598.NASL
description: This update of openldap2 makes SSL certificate verification more robust against uses of the special character \0 in the subject's name. (CVE-2009-2408)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 49906
published: 2010-10-11
reporter: This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/49906
title: SuSE 10 Security Update : OpenLDAP 2 (ZYPP Patch Number 6598)

NASL family: Windows
NASL id: MOZILLA_THUNDERBIRD_20023.NASL
description: The installed version of Thunderbird is earlier than 2.0.0.23. Such versions are potentially affected by the following security issue :
- The client can be fooled into trusting a malicious SSL server certificate with a null character in the host name. (MFSA 2009-42)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 40664
published: 2009-08-21
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/40664
title: Mozilla Thunderbird < 2.0.0.23 Certificate Authority (CA) Common Name Null Byte Handling SSL MiTM Weakness

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-810-3.NASL
description: USN-810-1 fixed vulnerabilities in NSS. Jozsef Kadlecsik noticed that the new libraries on amd64 did not correctly set stack memory flags, and caused applications using NSS (e.g. Firefox) to have an executable stack. This reduced the effectiveness of some defensive security protections. This update fixes the problem. We apologize for the inconvenience.

Moxie Marlinspike discovered that NSS did not properly handle regular expressions in certificate names. A remote attacker could create a specially crafted certificate to cause a denial of service (via application crash) or execute arbitrary code as the user invoking the program.
(CVE-2009-2404)

Moxie Marlinspike and Dan Kaminsky independently discovered that NSS did not properly handle certificates with NULL characters in the certificate name. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. (CVE-2009-2408)

Dan Kaminsky discovered NSS would still accept certificates with MD2 hash signatures. As a result, an attacker could potentially create a malicious trusted certificate to impersonate another site. (CVE-2009-2409).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 65117
published: 2013-03-09
reporter: Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/65117
title: Ubuntu 8.04 LTS / 8.10 / 9.04 : nss regression (USN-810-3)

NASL family: Scientific Linux Local Security Checks
NASL id: SL_20090731_NSPR_AND_NSS_FOR_SL_4_X.NASL
description: CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky) CVE-2009-2408 firefox/nss: doesn
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 60631
published: 2012-08-01
reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/60631
title: Scientific Linux Security Update : nspr and nss for SL 4.x on i386/x86_64

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-810-2.NASL
description: USN-810-1 fixed vulnerabilities in NSS. This update provides the NSPR needed to use the new NSS.

Moxie Marlinspike discovered that NSS did not properly handle regular expressions in certificate names.
A remote attacker could create a specially crafted certificate to cause a denial of service (via application crash) or execute arbitrary code as the user invoking the program. (CVE-2009-2404) Moxie Marlinspike and Dan Kaminsky independently discovered that NSS did not properly handle certificates with NULL characters in the certificate name. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. (CVE-2009-2408) Dan Kaminsky discovered NSS would still accept certificates with MD2 hash signatures. As a result, an attacker could potentially create a malicious trusted certificate to impersonate another site. (CVE-2009-2409). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 40491 published 2009-08-05 reporter Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/40491 title Ubuntu 8.04 LTS / 8.10 / 9.04 : nspr update (USN-810-2) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2013-224.NASL description Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID. The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a last seen 2020-06-01 modified 2020-06-02 plugin id 70228 published 2013-10-01 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/70228 title Amazon Linux AMI : php54 (ALAS-2013-224) NASL family SuSE Local Security Checks NASL id SUSE_11_LIBNEON-DEVEL-091012.NASL description neon did not properly handle embedded NUL characters in X.509 certificates when comparing host names. Attackers could exploit that to spoof SSL servers. (CVE-2009-2408) Specially crafted XML documents that contain a large number of nested entity references could cause neon to consume large amounts of CPU and memory. (CVE-2009-2473) last seen 2020-06-01 modified 2020-06-02 plugin id 42301 published 2009-10-29 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42301 title SuSE 11 Security Update : libneon (SAT Patch Number 1376) NASL family Windows NASL id MOZILLA_FIREFOX_3013.NASL description The installed version of Firefox is earlier than 3.0.13. Such versions are potentially affected by the following security issues : - The browser can be fooled into trusting a malicious SSL server certificate with a null character in the host name. (MFSA 2009-42) - A heap overflow in the code that handles regular expressions in certificate names can lead to arbitrary code execution. (MFSA 2009-43) - The location bar and SSL indicators can be spoofed by calling window.open() on an invalid URL. A remote attacker could use this to perform a phishing attack. (MFSA 2009-44) - Unspecified JavaScript-related vulnerabilities can lead to memory corruption, and possibly arbitrary execution of code. (MFSA 2009-45) last seen 2020-06-01 modified 2020-06-02 plugin id 40478 published 2009-08-04 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/40478 title Firefox < 3.0.13 Multiple Vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE9_12506.NASL description This update of openldap2 makes SSL certificate verification more robust against uses of the special character \0 in the subject last seen 2020-06-01 modified 2020-06-02 plugin id 41327 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41327 title SuSE9 Security Update : OpenLDAP2 (YOU Patch Number 12506) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-1190.NASL description Updated nspr and nss packages that fix security issues and bugs are now available for Red Hat Enterprise Linux 4.7 Extended Update Support. This update has been rated as having critical security impact by the Red Hat Security Response Team. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and network I/O, interval timing, calendar time, basic memory management (malloc and free), and shared library linking. Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv2, SSLv3, TLS, and other security standards. These updated packages upgrade NSS from the previous version, 3.12.2, to a prerelease of version 3.12.4. The version of NSPR has also been upgraded from 4.7.3 to 4.7.4. Moxie Marlinspike reported a heap overflow flaw in a regular expression parser in the NSS library used by browsers such as Mozilla Firefox to match common names in certificates. 
A malicious website could present a carefully-crafted certificate in such a way as to trigger the heap overflow, leading to a crash or, possibly, arbitrary code execution with the permissions of the user running the browser. (CVE-2009-2404) Note: in order to exploit this issue without further user interaction in Firefox, the carefully-crafted certificate would need to be signed by a Certificate Authority trusted by Firefox, otherwise Firefox presents the victim with a warning that the certificate is untrusted. Only if the user then accepts the certificate will the overflow take place. Dan Kaminsky discovered flaws in the way browsers such as Firefox handle NULL characters in a certificate. If an attacker is able to get a carefully-crafted certificate signed by a Certificate Authority trusted by Firefox, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse Firefox into accepting it by mistake. (CVE-2009-2408) Dan Kaminsky found that browsers still accept certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by a browser. NSS now disables the use of MD2 and MD4 algorithms inside signatures by default. (CVE-2009-2409) These version upgrades also provide fixes for the following bugs : * SSL client authentication failed against an Apache server when it was using the mod_nss module and configured for NSSOCSP. On the client side, the user agent received an error message that referenced last seen 2020-06-01 modified 2020-06-02 plugin id 63888 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/63888 title RHEL 4 : nspr and nss (RHSA-2009:1190) NASL family SuSE Local Security Checks NASL id SUSE_11_LIBFREEBL3-090812.NASL description The Mozilla NSS security framework was updated to version 3.12.3.1. - Heap-based buffer overflow in a regular-expression parser in Mozilla Network Security Services (NSS) before 3.12.3, as used in Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger (AIM), allows remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long domain name in the subject last seen 2020-06-01 modified 2020-06-02 plugin id 41419 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41419 title SuSE 11 Security Update : Mozilla Firefox (SAT Patch Number 1199) NASL family SuSE Local Security Checks NASL id SUSE_LIBNEON-DEVEL-6550.NASL description neon did not properly handle embedded NUL characters in X.509 certificates when comparing host names. Attackers could exploit that to spoof SSL servers (CVE-2009-2408). Specially crafted XML documents that contain a large number of nested entity references could cause neon to consume large amounts of CPU and memory (CVE-2009-2473). last seen 2020-06-01 modified 2020-06-02 plugin id 42324 published 2009-10-30 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42324 title openSUSE 10 Security Update : libneon-devel (libneon-devel-6550) NASL family SuSE Local Security Checks NASL id SUSE_11_0_SEAMONKEY-091007.NASL description seamonkey was updated to version 1.1.18, fixing various security issues : MFSA 2009-43 / CVE-2009-2404 Moxie Marlinspike reported a heap overflow vulnerability in the code that handles regular expressions in certificate names. 
This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client. This code provided compatibility with the non-standard regular expression syntax historically supported by Netscape clients and servers. With version 3.5 Firefox switched to the more limited industry-standard wildcard syntax instead and is not vulnerable to this flaw. MFSA 2009-42 / CVE-2009-2408: IOActive security researcher Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities (CA) which issue server certificates. In particular, if a malicious person requested a certificate for a host name with an invalid null character in it most CAs would issue the certificate if the requester owned the domain specified after the null, while most SSL clients (browsers) ignored that part of the name and used the unvalidated part in front of the null. This made it possible for attackers to obtain certificates that would function for any site they wished to target. These certificates could be used to intercept and potentially alter encrypted communication between the client and a server such as sensitive bank account transactions. This vulnerability was independently reported to us by researcher Moxie Marlinspike who also noted that since Firefox relies on SSL to protect the integrity of security updates this attack could be used to serve malicious updates. Mozilla would like to thank Dan and the Microsoft Vulnerability Research team for coordinating a multiple-vendor response to this problem. 
The update also contains the fixes from the skipped 1.1.17 security update: MFSA 2009-17/CVE-2009-1307: Same-origin violations when Adobe Flash loaded via view-source: scheme MFSA 2009-21/CVE-2009-1311:POST data sent to wrong site when saving web page with embedded frame MFSA 2009-24/CVE-2009-1392/CVE-2009-1832/CVE-2009-1833: Crashes with evidence of memory corruption (rv:1.9.0.11) MFSA 2009-26/CVE-2009-1835: Arbitrary domain cookie access by local file: resources MFSA 2009-27/CVE-2009-1836: SSL tampering via non-200 responses to proxy CONNECT requests MFSA 2009-29/CVE-2009-1838: Arbitrary code execution using event listeners attached to an element whose owner document is null MFSA 2009-32/CVE-2009-1841: JavaScript chrome privilege escalation MFSA 2009-33/CVE-2009-2210: Crash viewing multipart/alternative message with text/enhanced part last seen 2020-06-01 modified 2020-06-02 plugin id 42202 published 2009-10-22 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42202 title openSUSE Security Update : seamonkey (seamonkey-1364) NASL family Solaris Local Security Checks NASL id SOLARIS11_PHP_20140401.NASL description The remote Solaris system is missing necessary patches to address security updates : - Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID. (CVE-2011-4718) - Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact and remote attack vectors, related to an last seen 2020-06-01 modified 2020-06-02 plugin id 80736 published 2015-01-19 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/80736 title Oracle Solaris Third-Party Patch Update : php (cve_2013_4113_buffer_errors) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2010-003.NASL description A security vulnerability has been identified and fixed in sendmail : sendmail before 8.14.4 does not properly handle a last seen 2020-06-01 modified 2020-06-02 plugin id 43867 published 2010-01-13 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43867 title Mandriva Linux Security Advisory : sendmail (MDVSA-2010:003) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2010-028.NASL description Multiple vulnerabilities was discovered and corrected in kdelibs4 : KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a \ last seen 2020-06-01 modified 2020-06-02 plugin id 48171 published 2010-07-30 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/48171 title Mandriva Linux Security Advisory : kdelibs4 (MDVSA-2010:028) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-1431.NASL description Updated SeaMonkey packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-3072, CVE-2009-3075) A use-after-free flaw was found in SeaMonkey. 
An attacker could use this flaw to crash SeaMonkey or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-3077) Descriptions in the dialogs when adding and removing PKCS #11 modules were not informative. An attacker able to trick a user into installing a malicious PKCS #11 module could use this flaw to install their own Certificate Authority certificates on a user last seen 2020-06-01 modified 2020-06-02 plugin id 40922 published 2009-09-10 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/40922 title RHEL 4 : seamonkey (RHSA-2009:1431) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-315.NASL description A vulnerability has been found and corrected in libneo : neon before 0.28.6, when OpenSSL is used, does not properly handle a last seen 2020-06-01 modified 2020-06-02 plugin id 43018 published 2009-12-07 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43018 title Mandriva Linux Security Advisory : libneon (MDVSA-2009:315) NASL family SuSE Local Security Checks NASL id SUSE_NEON-6549.NASL description neon did not properly handle embedded NUL characters in X.509 certificates when comparing host names. Attackers could exploit that to spoof SSL servers. (CVE-2009-2408) Specially crafted XML documents that contain a large number of nested entity references could cause neon to consume large amounts of CPU and memory. (CVE-2009-2473) last seen 2020-06-01 modified 2020-06-02 plugin id 49905 published 2010-10-11 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/49905 title SuSE 10 Security Update : neon (ZYPP Patch Number 6549) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-810-1.NASL description Moxie Marlinspike discovered that NSS did not properly handle regular expressions in certificate names. A remote attacker could create a specially crafted certificate to cause a denial of service (via application crash) or execute arbitrary code as the user invoking the program. (CVE-2009-2404) Moxie Marlinspike and Dan Kaminsky independently discovered that NSS did not properly handle certificates with NULL characters in the certificate name. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. (CVE-2009-2408) Dan Kaminsky discovered NSS would still accept certificates with MD2 hash signatures. As a result, an attacker could potentially create a malicious trusted certificate to impersonate another site. (CVE-2009-2409). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 40490 published 2009-08-05 reporter Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/40490 title Ubuntu 8.04 LTS / 8.10 / 9.04 : nss vulnerabilities (USN-810-1) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201301-01.NASL description The remote host is affected by the vulnerability described in GLSA-201301-01 (Mozilla Products: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner. Please review the CVE identifiers referenced below for details. 
Impact : A remote attacker could entice a user to view a specially crafted web page or email, possibly resulting in execution of arbitrary code or a Denial of Service condition. Furthermore, a remote attacker may be able to perform Man-in-the-Middle attacks, obtain sensitive information, bypass restrictions and protection mechanisms, force file downloads, conduct XML injection attacks, conduct XSS attacks, bypass the Same Origin Policy, spoof URL’s for phishing attacks, trigger a vertical scroll, spoof the location bar, spoof an SSL indicator, modify the browser’s font, conduct clickjacking attacks, or have other unspecified impact. A local attacker could gain escalated privileges, obtain sensitive information, or replace an arbitrary downloaded file. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 63402 published 2013-01-08 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/63402 title GLSA-201301-01 : Mozilla Products: Multiple vulnerabilities (BEAST) NASL family AIX Local Security Checks NASL id AIX_IZ72510.NASL description 'sendmail before 8.14.4 does not properly handle a last seen 2020-06-01 modified 2020-06-02 plugin id 63807 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/63807 title AIX 6.1 TL 3 : sendmail (IZ72510) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2009-1184.NASL description From Red Hat Security Advisory 2009:1184 : Updated nspr and nss packages that fix security issues and a bug are now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. 
These facilities include threads, thread synchronization, normal file and network I/O, interval timing, calendar time, basic memory management (malloc and free), and shared library linking. Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv2, SSLv3, TLS, and other security standards. These updated packages upgrade NSS from the previous version, 3.12.2, to a prerelease of version 3.12.4. The version of NSPR has also been upgraded from 4.7.3 to 4.7.4. Moxie Marlinspike reported a heap overflow flaw in a regular expression parser in the NSS library used by browsers such as Mozilla Firefox to match common names in certificates. A malicious website could present a carefully-crafted certificate in such a way as to trigger the heap overflow, leading to a crash or, possibly, arbitrary code execution with the permissions of the user running the browser. (CVE-2009-2404) Note: in order to exploit this issue without further user interaction in Firefox, the carefully-crafted certificate would need to be signed by a Certificate Authority trusted by Firefox, otherwise Firefox presents the victim with a warning that the certificate is untrusted. Only if the user then accepts the certificate will the overflow take place. Dan Kaminsky discovered flaws in the way browsers such as Firefox handle NULL characters in a certificate. If an attacker is able to get a carefully-crafted certificate signed by a Certificate Authority trusted by Firefox, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse Firefox into accepting it by mistake. (CVE-2009-2408) Dan Kaminsky found that browsers still accept certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. 
This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by a browser. NSS now disables the use of MD2 and MD4 algorithms inside signatures by default. (CVE-2009-2409) These version upgrades also provide a fix for the following bug : * SSL client authentication failed against an Apache server when it was using the mod_nss module and configured for NSSOCSP. On the client side, the user agent received an error message that referenced last seen 2020-06-01 modified 2020-06-02 plugin id 67902 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67902 title Oracle Linux 4 / 5 : nspr / nss (ELSA-2009-1184) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-225.NASL description A vulnerability has been found and corrected in qt4 : src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a last seen 2020-06-01 modified 2020-06-02 plugin id 40900 published 2009-09-09 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/40900 title Mandriva Linux Security Advisory : qt4 (MDVSA-2009:225) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_49E8F2EE814711DEA9940030843D3802.NASL description Mozilla Project reports : MFSA 2009-38: Data corruption with SOCKS5 reply containing DNS name longer than 15 characters MFSA 2009-42: Compromise of SSL-protected communication MFSA 2009-43: Heap overflow in certificate regexp parsing MFSA 2009-44: Location bar and SSL indicator spoofing via window.open() on invalid URL MFSA 2009-45: Crashes with evidence of memory corruption (rv:1.9.1.2/1.9.0.13) MFSA 2009-46: Chrome privilege escalation due to incorrectly cached wrapper last seen 2020-06-01 modified 2020-06-02 plugin id 40485 published 2009-08-05 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/40485 title FreeBSD : mozilla -- multiple vulnerabilities (49e8f2ee-8147-11de-a994-0030843d3802) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2013-221.NASL description A vulnerability has been discovered and corrected in php : The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a last seen 2020-06-01 modified 2020-06-02 plugin id 69490 published 2013-08-28 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/69490 title Mandriva Linux Security Advisory : php (MDVSA-2013:221) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2009-1432.NASL description Updated SeaMonkey packages that fix several security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. 
SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-3072, CVE-2009-3075) A use-after-free flaw was found in SeaMonkey. An attacker could use this flaw to crash SeaMonkey or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-3077) Dan Kaminsky discovered flaws in the way browsers such as SeaMonkey handle NULL characters in a certificate. If an attacker is able to get a carefully-crafted certificate signed by a Certificate Authority trusted by SeaMonkey, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse SeaMonkey into accepting it by mistake. (CVE-2009-2408) Descriptions in the dialogs when adding and removing PKCS #11 modules were not informative. An attacker able to trick a user into installing a malicious PKCS #11 module could use this flaw to install their own Certificate Authority certificates on a user last seen 2020-06-01 modified 2020-06-02 plugin id 40934 published 2009-09-11 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/40934 title CentOS 3 : seamonkey (CESA-2009:1432) NASL family Solaris Local Security Checks NASL id SOLARIS11_PHP_20140522.NASL description The remote Solaris system is missing necessary patches to address security updates : - The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a last seen 2020-06-01 modified 2020-06-02 plugin id 80737 published 2015-01-19 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/80737 title Oracle Solaris Third-Party Patch Update : php (cve_2013_4248_input_validation) NASL family SuSE Local Security Checks NASL id SUSE_11_0_MOZILLATHUNDERBIRD-090914.NASL description Mozilla Thunderbird was updated to version 2.0.0.23. The release fixes one security issue: MFSA 2009-42 / CVE-2009-2408: IOActive security researcher Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities (CA) which issue server certificates. In particular, if a malicious person requested a certificate for a host name with an invalid null character in it most CAs would issue the certificate if the requester owned the domain specified after the null, while most SSL clients (browsers) ignored that part of the name and used the unvalidated part in front of the null. This made it possible for attackers to obtain certificates that would function for any site they wished to target. These certificates could be used to intercept and potentially alter encrypted communication between the client and a server such as sensitive bank account transactions. This vulnerability was independently reported to us by researcher Moxie Marlinspike who also noted that since Firefox relies on SSL to protect the integrity of security updates this attack could be used to serve malicious updates. last seen 2020-06-01 modified 2020-06-02 plugin id 41009 published 2009-09-18 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/41009 title openSUSE Security Update : MozillaThunderbird (MozillaThunderbird-1303)

- MANDRIVA_MDVSA-2009-201.NASL (Mandriva Local Security Checks; plugin id 40585; published 2009-08-13; last seen 2020-06-01, modified 2020-06-02; reporter: Tenable Network Security, Inc.; source: https://www.tenable.com/plugins/nessus/40585). Title: Mandriva Linux Security Advisory : fetchmail (MDVSA-2009:201-1). Description: A vulnerability has been found and corrected in fetchmail : socket.c in fetchmail before 6.3.11 does not properly handle a
- SUSE_LIBFREEBL3-6494.NASL (SuSE Local Security Checks; plugin id 42013; published 2009-10-06; last seen 2020-06-01, modified 2020-06-02; reporter: Tenable Network Security, Inc.; source: https://www.tenable.com/plugins/nessus/42013). Title: openSUSE 10 Security Update : libfreebl3 (libfreebl3-6494). Description: The Mozilla NSS and dependent libraries were updated to fix various issues. CVE-2009-2404 / MFSA 2009-43 : Heap-based buffer overflow in a regular-expression parser in Mozilla Network Security Services (NSS) before 3.12.3, as used in Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger (AIM), allows remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long domain name in the subject
- SUSE_11_1_SEAMONKEY-091007.NASL (SuSE Local Security Checks; plugin id 42206; published 2009-10-22; last seen 2020-06-01, modified 2020-06-02; reporter: Tenable Network Security, Inc.; source: https://www.tenable.com/plugins/nessus/42206). Title: openSUSE Security Update : seamonkey (seamonkey-1364). Description: seamonkey was updated to version 1.1.18, fixing various security issues :
  - MFSA 2009-43 / CVE-2009-2404: Moxie Marlinspike reported a heap overflow vulnerability in the code that handles regular expressions in certificate names. This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client. This code provided compatibility with the non-standard regular expression syntax historically supported by Netscape clients and servers. With version 3.5 Firefox switched to the more limited industry-standard wildcard syntax instead and is not vulnerable to this flaw.
  - MFSA 2009-42 / CVE-2009-2408: IOActive security researcher Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities (CA) which issue server certificates. In particular, if a malicious person requested a certificate for a host name with an invalid null character in it, most CAs would issue the certificate if the requester owned the domain specified after the null, while most SSL clients (browsers) ignored that part of the name and used the unvalidated part in front of the null. This made it possible for attackers to obtain certificates that would function for any site they wished to target. These certificates could be used to intercept and potentially alter encrypted communication between the client and a server, such as sensitive bank account transactions. This vulnerability was independently reported to us by researcher Moxie Marlinspike, who also noted that since Firefox relies on SSL to protect the integrity of security updates, this attack could be used to serve malicious updates. Mozilla would like to thank Dan and the Microsoft Vulnerability Research team for coordinating a multiple-vendor response to this problem.
  - The update also contains the fixes from the skipped 1.1.17 security update: MFSA 2009-17 / CVE-2009-1307: Same-origin violations when Adobe Flash loaded via view-source: scheme; MFSA 2009-21 / CVE-2009-1311: POST data sent to wrong site when saving web page with embedded frame; MFSA 2009-24 / CVE-2009-1392, CVE-2009-1832, CVE-2009-1833: Crashes with evidence of memory corruption (rv:1.9.0.11); MFSA 2009-26 / CVE-2009-1835: Arbitrary domain cookie access by local file: resources; MFSA 2009-27 / CVE-2009-1836: SSL tampering via non-200 responses to proxy CONNECT requests; MFSA 2009-29 / CVE-2009-1838: Arbitrary code execution using event listeners attached to an element whose owner document is null; MFSA 2009-32 / CVE-2009-1841: JavaScript chrome privilege escalation; MFSA 2009-33 / CVE-2009-2210: Crash viewing multipart/alternative message with text/enhanced part.
- SUSE_11_0_LIBLDAP-2_4-2-090909.NASL (SuSE Local Security Checks; plugin id 41035; published 2009-09-22; last seen 2020-06-01, modified 2020-06-02; reporter: Tenable Network Security, Inc.; source: https://www.tenable.com/plugins/nessus/41035). Title: openSUSE Security Update : libldap-2_4-2 (libldap-2_4-2-1301). Description: This update of openldap2 makes SSL certificate verification more robust against uses of the special character \0 in the subject's name. (CVE-2009-2408)
- SUSE_11_1_MOZILLATHUNDERBIRD-090914.NASL (SuSE Local Security Checks; plugin id 41011; published 2009-09-18; last seen 2020-06-01, modified 2020-06-02; reporter: Tenable Network Security, Inc.; source: https://www.tenable.com/plugins/nessus/41011). Title: openSUSE Security Update : MozillaThunderbird (MozillaThunderbird-1303). Description: Mozilla Thunderbird was updated to version 2.0.0.23. The release fixes one security issue: MFSA 2009-42 / CVE-2009-2408, the null-character domain-name mismatch between SSL clients and CAs reported by Dan Kaminsky and independently by Moxie Marlinspike (the advisory text is identical to the MFSA 2009-42 item quoted in the seamonkey-1364 entry above).
- AIX_IZ72835.NASL (AIX Local Security Checks; plugin id 63811; published 2013-01-24; last seen 2020-06-01, modified 2020-06-02; reporter: Tenable Network Security, Inc.; source: https://www.tenable.com/plugins/nessus/63811). Title: AIX 5.3 TL 9 : sendmail (IZ72835). Description: 'sendmail before 8.14.4 does not properly handle a
- MANDRIVA_MDVSA-2014-014.NASL (Mandriva Local Security Checks; plugin id 72082; published 2014-01-22; last seen 2020-06-01, modified 2020-06-02; reporter: Tenable Network Security, Inc.; source: https://www.tenable.com/plugins/nessus/72082). Title: Mandriva Linux Security Advisory : php (MDVSA-2014:014). Description: Multiple vulnerabilities have been discovered and corrected in php : The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a
- DEBIAN_DSA-2025.NASL (Debian Local Security Checks; plugin id 45397; published 2010-04-01; last seen 2020-06-01, modified 2020-06-02; reporter: Tenable, Inc.; source: https://www.tenable.com/plugins/nessus/45397). Title: Debian DSA-2025-1 : icedove - several vulnerabilities. Description: Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird mail client. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-2408 Dan Kaminsky and Moxie Marlinspike discovered that icedove does not properly handle a
- SEAMONKEY_1118.NASL (Windows; plugin id 40874; published 2009-09-04; last seen 2020-06-01, modified 2020-06-02; reporter: Tenable Network Security, Inc.; source: https://www.tenable.com/plugins/nessus/40874). Title: SeaMonkey < 1.1.18 Multiple Vulnerabilities. Description: The installed version of SeaMonkey is earlier than 1.1.18. Such versions are potentially affected by the following security issues : - The browser can be fooled into trusting a malicious SSL server certificate with a null character in the host name. (MFSA 2009-42) - A heap overflow in the code that handles regular expressions in certificate names can lead to arbitrary code execution. (MFSA 2009-43)
- MANDRIVA_MDVSA-2009-198.NASL (Mandriva Local Security Checks; plugin id 40523; published 2009-08-10; last seen 2020-06-01, modified 2020-06-02; reporter: Tenable, Inc.; source: https://www.tenable.com/plugins/nessus/40523). Title: Mandriva Linux Security Advisory : firefox (MDVSA-2009:198). Description: Security issues were identified and fixed in firefox 3.0.x : Security researcher Juan Pablo Lopez Yacubian reported that an attacker could call window.open() on an invalid URL which looks similar to a legitimate URL and then use document.write() to place content within the new document, appearing to have come from the spoofed location (CVE-2009-2654). Moxie Marlinspike reported a heap overflow vulnerability in the code that handles regular expressions in certificate names. This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client (CVE-2009-2404). IOActive security researcher Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities (CA) which issue server certificates. These certificates could be used to intercept and potentially alter encrypted communication between the client and a server, such as sensitive bank account transactions (CVE-2009-2408). This update provides the latest Mozilla Firefox 3.0.x to correct these issues. Additionally, some packages which require so have been rebuilt and are being provided as updates.
- AIX_IZ72836.NASL (AIX Local Security Checks; plugin id 63812; published 2013-01-24; last seen 2020-06-01, modified 2020-06-02; reporter: Tenable Network Security, Inc.; source: https://www.tenable.com/plugins/nessus/63812). Title: AIX 5.3 TL 10 : sendmail (IZ72836). Description: 'sendmail before 8.14.4 does not properly handle a
- VMWARE_VMSA-2010-0001.NASL (VMware ESX Local Security Checks; plugin id 43826; published 2010-01-08; last seen 2020-06-01, modified 2020-06-02; reporter: Tenable Network Security, Inc.; source: https://www.tenable.com/plugins/nessus/43826). Title: VMSA-2010-0001 : ESX Service Console and vMA updates for nss and nspr. Description: a. Update for Service Console packages nss and nspr. Service console packages for Network Security Services (NSS) and NetScape Portable Runtime (NSPR) are updated to versions nss-3.12.3.99.3-1.2157 and nspr-4.7.6-1.2213 respectively. This patch fixes several security issues in the service console packages for NSS and NSPR. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the names CVE-2009-2409, CVE-2009-2408, CVE-2009-2404, CVE-2009-1563, CVE-2009-3274, CVE-2009-3370, CVE-2009-3372, CVE-2009-3373, CVE-2009-3374, CVE-2009-3375, CVE-2009-3376, CVE-2009-3380, and CVE-2009-3382 to these issues.
- ORACLELINUX_ELSA-2009-1431.NASL (Oracle Linux Local Security Checks; plugin id 67923; published 2013-07-12; last seen 2020-06-01, modified 2020-06-02; reporter: Tenable, Inc.; source: https://www.tenable.com/plugins/nessus/67923). Title: Oracle Linux 4 : seamonkey (ELSA-2009-1431). Description: From Red Hat Security Advisory 2009:1431 : Updated SeaMonkey packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-3072, CVE-2009-3075) A use-after-free flaw was found in SeaMonkey. An attacker could use this flaw to crash SeaMonkey or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2009-3077) Descriptions in the dialogs when adding and removing PKCS #11 modules were not informative. An attacker able to trick a user into installing a malicious PKCS #11 module could use this flaw to install their own Certificate Authority certificates on a user
- SUSE_11_1_LIBLDAP-2_4-2-090909.NASL (SuSE Local Security Checks; plugin id 41041; published 2009-09-22; last seen 2020-06-01, modified 2020-06-02; reporter: Tenable Network Security, Inc.; source: https://www.tenable.com/plugins/nessus/41041). Title: openSUSE Security Update : libldap-2_4-2 (libldap-2_4-2-1301). Description: This update of openldap2 makes SSL certificate verification more robust against uses of the special character \0 in the subject's name. (CVE-2009-2408)
- SUSE_LIBLDAP-2_4-2-6488.NASL (SuSE Local Security Checks; plugin id 42014; published 2009-10-06; last seen 2020-06-01, modified 2020-06-02; reporter: Tenable Network Security, Inc.; source: https://www.tenable.com/plugins/nessus/42014). Title: openSUSE 10 Security Update : libldap-2_4-2 (libldap-2_4-2-6488). Description: This update of openldap2 makes SSL certificate verification more robust against uses of the special character \0 in the subject's name. (CVE-2009-2408)
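The advisories above describe the mechanism of CVE-2009-2408 in prose: a DER-encoded Common Name is length-prefixed, so a NUL byte inside it is just another byte to the CA, while a client that hands the value to a C string API silently stops at the NUL. The following C++ program is an added illustration of that mismatch; it is not code from NSS, OpenLDAP, Mozilla or any vendor on this page. The host names are constructed, and `ca_validated_domain` is a deliberately simplified, hypothetical model of the CA-side ownership check the advisory describes (the last two labels of the requested name).

```cpp
// Added example (not code from NSS, OpenLDAP, Botan or any advisory on this
// page): why a NUL byte inside an X.509 Common Name gave the issuing CA and the
// SSL client two different ideas of which host the certificate named
// (MFSA 2009-42 / CVE-2009-2408). Host names and the CA model are constructed.
#include <cctype>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <stdexcept>
#include <string>

// A DER UTF8String (tag 0x0C) is length-prefixed, so an embedded NUL is an
// ordinary byte of the value and survives encoding and decoding intact.
// Short-form length only, which is all a Common Name needs.
std::string der_utf8string(const std::string& value) {
    if (value.size() >= 128) throw std::invalid_argument("demo: value too long");
    std::string out;
    out.push_back(static_cast<char>(0x0C));
    out.push_back(static_cast<char>(value.size()));
    return out + value;
}

std::string der_decode_utf8string(const std::string& der) {
    if (der.size() < 2 || static_cast<uint8_t>(der[0]) != 0x0C)
        throw std::invalid_argument("not a UTF8String");
    const size_t len = static_cast<uint8_t>(der[1]);
    if (len >= 128 || der.size() != 2 + len)
        throw std::invalid_argument("bad DER length");
    return der.substr(2, len);
}

// Hypothetical model of the CA-side check the advisory describes: the
// requester had to control the registrable domain at the END of the name
// (simplified here to the last two labels).
std::string ca_validated_domain(const std::string& cn) {
    const size_t last = cn.rfind('.');
    if (last == std::string::npos || last == 0) return cn;
    const size_t prev = cn.rfind('.', last - 1);
    return prev == std::string::npos ? cn : cn.substr(prev + 1);
}

// Vulnerable client check: the decoded value is handed to a C string API.
// strcmp stops at the first NUL, so only "www.bank.example" is compared and
// everything the CA actually validated is ignored.
bool vulnerable_match(const std::string& cn, const char* hostname) {
    return std::strcmp(cn.c_str(), hostname) == 0;
}

// Hardened client check: a name containing NUL is rejected outright (no
// legitimate DNS name contains one), and otherwise the full length-delimited
// value must match the host name, case-insensitively.
bool fixed_match(const std::string& cn, const std::string& hostname) {
    if (cn.find('\0') != std::string::npos) return false;
    if (cn.size() != hostname.size()) return false;
    for (size_t i = 0; i < cn.size(); ++i) {
        if (std::tolower(static_cast<unsigned char>(cn[i])) !=
            std::tolower(static_cast<unsigned char>(hostname[i])))
            return false;
    }
    return true;
}

// Constructed attacker CN: "www.bank.example" NUL ".attacker.example".
const std::string kCraftedCN =
    std::string("www.bank.example") + '\0' + ".attacker.example";

int main() {
    const std::string cn = der_decode_utf8string(der_utf8string(kCraftedCN));
    std::cout << "DER value length: " << cn.size()
              << ", as a C string: " << std::strlen(cn.c_str()) << " bytes\n"
              << "CA validated ownership of: " << ca_validated_domain(cn) << '\n'
              << "vulnerable client accepts www.bank.example: "
              << vulnerable_match(cn, "www.bank.example") << '\n'
              << "fixed client accepts www.bank.example: "
              << fixed_match(cn, "www.bank.example") << '\n';
    return 0;
}
```

The 34-byte value round-trips through DER unchanged, the CA model sees `attacker.example` and issues, and the `strcmp`-based client sees a 16-byte `www.bank.example`. Rejecting any NUL, as the fixed check does, is the simplest correct rule, since the name should be compared as length-delimited bytes and no valid host name contains a NUL.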
Oval
- oval:org.mitre.oval:def:10751 (class: vulnerability; family: unix; version 27; status: accepted; submitted 2010-07-09T03:56:16-04:00; accepted 2013-04-29T04:08:22.117-04:00). Contributors: Aharon Chernin (SCAP.com, LLC), Dragos Prisaca (G2, Inc.). Definition extensions: The operating system installed on the system is Red Hat Enterprise Linux 3 (oval:org.mitre.oval:def:11782); CentOS Linux 3.x (oval:org.mitre.oval:def:16651); The operating system installed on the system is Red Hat Enterprise Linux 4 (oval:org.mitre.oval:def:11831); CentOS Linux 4.x (oval:org.mitre.oval:def:16636); Oracle Linux 4.x (oval:org.mitre.oval:def:15990); The operating system installed on the system is Red Hat Enterprise Linux 5 (oval:org.mitre.oval:def:11414); The operating system installed on the system is CentOS Linux 5.x (oval:org.mitre.oval:def:15802); Oracle Linux 5.x (oval:org.mitre.oval:def:15459). Title and description: Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.
- oval:org.mitre.oval:def:8458 (class: vulnerability; family: unix; version 7; status: accepted; submitted 2010-03-18T13:00:53.000-04:00; accepted 2014-01-20T04:01:39.342-05:00). Contributors: Pai Peng (Hewlett-Packard), Chris Coffin (The MITRE Corporation). Definition extensions: VMware ESX Server 4.0 is installed (oval:org.mitre.oval:def:6293). Title: VMware Network Security Services (NSS) does not properly handle '\0' character. Description: Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.
Redhat
Seebug
bulletinFamily exploit

### Summary

A programming error exists in the way the Randombit Botan cryptographic library version 2.0.1 implements X.500 string comparisons, which could lead to certificate verification issues and abuse. A specially crafted X.509 certificate would need to be delivered to the client or server application in order to trigger this vulnerability.

### Tested Versions

Randombit Botan 2.0.1

### Product URLs

https://botan.randombit.net/

### CVSSv3 Score

6.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

### CWE

CWE-125: Out-of-bounds Read

### Details

Botan is a C++ cryptographic library that implements the basis for practical systems that require TLS, PKIX certificate handling, password hashing or other cryptographic primitives. There exists a programming error in code related to X.509 distinguished name parsing. Namely, an X.509 DN comparison function can lead to out-of-bounds memory access, leading to unexpected results, information disclosure or potential denial of service. The vulnerability is located in the overloaded equality comparison function `Botan::x500_name_cmp` (the bracketed markers are referenced in the analysis that follows):

```cpp
// Botan 2.0.1, src/lib/utils/parsing.cpp, as quoted in the advisory.
// Compares two X.500 name strings, folding runs of whitespace and
// ignoring case; Charset::is_space / Charset::caseless_cmp are Botan helpers.
bool x500_name_cmp(const std::string& name1, const std::string& name2)
   {
   auto p1 = name1.begin();
   auto p2 = name2.begin();

   while((p1 != name1.end()) && Charset::is_space(*p1)) ++p1;        // [1]
   while((p2 != name2.end()) && Charset::is_space(*p2)) ++p2;

   while(p1 != name1.end() && p2 != name2.end())
      {
      if(Charset::is_space(*p1))                                       // [2]
         {
         if(!Charset::is_space(*p2))                                   // [3]
            return false;

         while((p1 != name1.end()) && Charset::is_space(*p1)) ++p1;  // [4]
         while((p2 != name2.end()) && Charset::is_space(*p2)) ++p2;  // [5]

         if(p1 == name1.end() && p2 == name2.end())                    // [6]
            return true;
         }

      if(!Charset::caseless_cmp(*p1, *p2))                             // [7]
         return false;
      ++p1;                                                            // [8]
      ++p2;
      }

   while((p1 != name1.end()) && Charset::is_space(*p1)) ++p1;
   while((p2 != name2.end()) && Charset::is_space(*p2)) ++p2;

   if((p1 != name1.end()) || (p2 != name2.end()))
      return false;
   return true;
   }
```

First, at [1], initial whitespace is skipped. Then the strings are compared byte by byte in a loop while checking for whitespace at [2]. If a space occurs in the first string [2] and in the second too [3], the spaces are again skipped at [4] and [5]. Then, at [6], if both have reached the end, true is returned. If not, another comparison is made at [7] and, if it passes, the pointers are incremented at [8].

The vulnerability lies in the way whitespace is handled. If we are comparing two strings which are initially the same up to a space character, we enter the while loops at [4] and [5]. Now, if one string contains a NULL byte after that space, and the other has spaces until its end, the check at [6] won't be true, because only the second string points to its end. However, both are actually pointing at a NULL byte (the first string's value, the second string's terminator), which means the check at [7] will still hold true, and the pointers are once again incremented at [8]. When the loop rolls around, one of the pointers can point outside its allocated buffer, leading to unexpected behaviour.

A specially crafted X.509 certificate with specific X.509 DN strings for the subject and issuer fields can be created. Example strings that satisfy the above conditions are:

```text
String 1: AA\x20\x00AAAAAAAAAA
String 2: AA\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
```

Notice that both are the same length and begin with the same characters up until the space, after which the first is terminated and the second has spaces till the end. Because of the way these pieces of the certificate are copied from the X.509 file into their memory buffers, the first string's length won't be 3, that is, it won't be terminated at the first NULL. With careful control over X.509 distinguished name contents, and depending on the memory layout in the target application, it could be possible to craft a certificate where equality checks could pass or fail.
Also, a discrepancy between the way these malformed strings are handled in Botan and in other X.509 libraries could lead to other types of abuse, possibly not unlike the famed CVE-2009-2408. The vulnerability can be triggered with the supplied example X.509 certificate.

### Crash Information

Address sanitizer output:

```text
botan/botan cert_info --ber cert1.der 2>&1| asan_symbolize -d
=================================================================
==15015==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000dfa3 at pc 0x7f027ec92e85 bp 0x7ffdf452fe60 sp 0x7ffdf452fe58
READ of size 1 at 0x60300000dfa3 thread T0
    #0 0x7f027ec92e84 in Botan::x500_name_cmp(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) botan/./src/lib/utils/parsing.cpp:232
    #1 0x7f027ec92e84 in ?? ??:0
    #2 0x7f027e269f2a in Botan::operator==(Botan::X509_DN const&, Botan::X509_DN const&) botan/./src/lib/asn1/x509_dn.cpp:153
    #3 0x7f027e269f2a in ?? ??:0
    #4 0x7f027ed8b8f4 in Botan::X509_Certificate::force_decode() botan/./src/lib/x509/x509cert.cpp:149
    #5 0x7f027ed8b8f4 in ?? ??:0
    #6 0x7f027ed85263 in Botan::X509_Object::do_decode() botan/./src/lib/x509/x509_obj.cpp:235
    #7 0x7f027ed85263 in ?? ??:0
    #8 0x7f027ed877b1 in X509_Certificate botan/./src/lib/x509/x509cert.cpp:50
    #9 0x7f027ed877b1 in ?? ??:0
    #10 0x5fcc93 in Botan_CLI::Cert_Info::go() botan/./src/cli/x509.cpp:85
    #11 0x5fcc93 in ?? ??:0
    #12 0x520ed5 in Botan_CLI::Command::run(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) botan/./src/cli/cli.h:229
    #13 0x520ed5 in ?? ??:0
    #14 0x51ca4f in main botan/./src/cli/main.cpp:60
    #15 0x51ca4f in ?? ??:0
    #16 0x7f027d16982f in __libc_start_main /build/glibc-Qz8a69/glibc-2.23/csu/../csu/libc-start.c:291
    #17 0x7f027d16982f in ?? ??:0
    #18 0x42e328 in _start ??:?
    #19 0x42e328 in ?? ??:0

0x60300000dfa3 is located 0 bytes to the right of 19-byte region [0x60300000df90,0x60300000dfa3)
allocated by thread T0 here:
    #0 0x4ce458 in __interceptor_malloc ??:?
    #1 0x4ce458 in ?? ??:0
    #2 0x7f027f296e77 in operator new(unsigned long) ??:?
    #3 0x7f027f296e77 in ?? ??:0
    #4 0x7f027e272283 in std::pair<std::__decay_and_strip<Botan::OID const&>::__type, std::__decay_and_strip<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&>::__type> std::make_pair<Botan::OID const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&>(Botan::OID const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_pair.h:281 (discriminator 4)
    #5 0x7f027e272283 in void Botan::multimap_insert<Botan::OID, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >(std::multimap<Botan::OID, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<Botan::OID>, std::allocator<std::pair<Botan::OID const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >&, Botan::OID const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) botan/build/include/botan/internal/stl_util.h:79 (discriminator 4)
    #6 0x7f027e272283 in ?? ??:0
    #7 0x7f027e2671eb in Botan::X509_DN::get_attributes[abi:cxx11]() const botan/./src/lib/asn1/x509_dn.cpp:78 (discriminator 1)
    #8 0x7f027e2671eb in ?? ??:0
    #9 0x7f027e269d49 in Botan::operator==(Botan::X509_DN const&, Botan::X509_DN const&) botan/./src/lib/asn1/x509_dn.cpp:138 (discriminator 1)
    #10 0x7f027e269d49 in ?? ??:0
    #11 0x7f027ed8b8f4 in Botan::X509_Certificate::force_decode() botan/./src/lib/x509/x509cert.cpp:149
    #12 0x7f027ed8b8f4 in ?? ??:0
    #13 0x7f027ed85263 in Botan::X509_Object::do_decode() botan/./src/lib/x509/x509_obj.cpp:235
    #14 0x7f027ed85263 in ?? ??:0
    #15 0x7f027ed877b1 in X509_Certificate botan/./src/lib/x509/x509cert.cpp:50
    #16 0x7f027ed877b1 in ?? ??:0
    #17 0x5fcc93 in Botan_CLI::Cert_Info::go() botan/./src/cli/x509.cpp:85
    #18 0x5fcc93 in ?? ??:0
    #19 0x520ed5 in Botan_CLI::Command::run(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) botan/./src/cli/cli.h:229
    #20 0x520ed5 in ?? ??:0
    #21 0x51ca4f in main botan/./src/cli/main.cpp:60
    #22 0x51ca4f in ?? ??:0
    #23 0x7f027d16982f in __libc_start_main /build/glibc-Qz8a69/glibc-2.23/csu/../csu/libc-start.c:291
    #24 0x7f027d16982f in ?? ??:0

SUMMARY: AddressSanitizer: heap-buffer-overflow (botan/libbotan-2.so.0+0xc38e84)
Shadow bytes around the buggy address:
  0x0c067fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9be0: fa fa fa fa fa fa 00 00 03 fa fa fa fd fd fd fa
=>0x0c067fff9bf0: fa fa 00 00[03]fa fa fa fd fd fd fa fa fa 00 00
  0x0c067fff9c00: 00 04 fa fa fd fd fd fd fa fa 00 00 00 03 fa fa
  0x0c067fff9c10: fd fd fd fd fa fa 00 00 00 03 fa fa fd fd fd fd
  0x0c067fff9c20: fa fa 00 00 05 fa fa fa fd fd fd fa fa fa 00 00
  0x0c067fff9c30: 07 fa fa fa fd fd fd fa fa fa 00 00 01 fa fa fa
  0x0c067fff9c40: 00 00 00 fa fa fa fd fd fd fa fa fa fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15015==ABORTING
```

### Mitigation

Adding one more check, which returns "not equal" when either string has reached its end while the other has not, is enough to resolve this vulnerability:

```diff
diff --git a/src/lib/utils/parsing.cpp b/src/lib/utils/parsing.cpp
index 8fd2ccc..ce4b02f 100644
--- a/src/lib/utils/parsing.cpp
+++ b/src/lib/utils/parsing.cpp
@@ -240,6 +240,11 @@ bool x500_name_cmp(const std::string& name1, const std::string& name2) if(p1 == name1.end() && p2 == name2.end()) return true; + if(p1 == name1.end() || p2 == name2.end()) + return false; } if(!Charset::caseless_cmp(*p1, *p2)) return false;
```

### Timeline

* 2017-03-16 - Vendor Disclosure
* 2017-04-28 - Public Release

### CREDIT

* Discovered by Aleksandar Nikolic of Cisco Talos.

id SSV:96525; last seen 2017-11-19; modified 2017-09-19; published 2017-09-19; reporter Root; title Randombit Botan Library X509 Certificate Validation Bypass Vulnerability (CVE-2017-2801)

bulletinFamily exploit; description: No description provided by source. id SSV:12447; last seen 2017-11-19; modified 2009-10-10; published 2009-10-10; reporter Root; source https://www.seebug.org/vuldb/ssvid-12447; title mozilla-thunderbird multiple security vulnerabilities

bulletinFamily exploit; description: Bugtraq ID: 35888. CVE ID: CVE-2009-2408. Mozilla Firefox is an open-source web browser. Mozilla Firefox does not correctly validate the domain name in a CA-signed certificate; a remote attacker can exploit this to mount a man-in-the-middle attack with a forged certificate. If an attacker constructs a malicious certificate whose Common Name contains a NULL character and obtains a legitimate signature that the browser trusts, the attacker can present that certificate in place of the legitimate one to carry out a man-in-the-middle attack, obtain sensitive information or perform other attacks. Affected: Mozilla Network Security Services (NSS) 3.12.2, 3.11.3, 3.9.2, 3.9 (+ Mozilla Browser 1.5), 3.8 (+ Galeon Browser 1.2.13, Mozilla Browser 1.4.1, 1.4 b, 1.4 a, 1.4), 3.7.7, 3.7.5, 3.7.3, 3.7.2, 3.7.1, 3.7, 3.6.1, 3.6, 3.5, Mozilla
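Review bot: in the x500_name_cmp hunk above, the added `if(p1 == name1.end() || p2 == name2.end()) return false;` is only reached inside the `if(Charset::is_space(*p1))` branch, and that placement is sufficient: the outer `while` already requires both iterators to be valid on every other path to `Charset::caseless_cmp(*p1, *p2)`, so the whitespace-skipping loops at [4] and [5] were the only way to arrive at [7] with one side at end(). It would help to say so in the commit message. The patch also ships without a regression test; the two strings from the advisory (`AA\x20\x00AAAAAAAAAA` and `AA` followed by twelve spaces) as an `X509_DN` equality case, which is the path in the ASan trace, would cover the fixed branch.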
Network Security Services (NSS) 3.4.2, 3.4.1, 3.4, 3.3.2, 3.3.1, 3.3, 3.2.1, 3.2, 3.12, 3.11; Mozilla Firefox 3.0.12, 3.0.11, 3.0.10, 3.0.9, 3.0.8, 3.0.7 Beta, 3.0.7, 3.0.6, 3.0.5, 3.0.4, 3.0.3, 3.0.2, 3.0.1, 3.0 Beta 5, 3.0. Vendor solution: Mozilla Firefox 3.5 is not affected by this vulnerability; users are advised to contact the vendor for an upgrade: http://www.mozilla.com/en-US/ id SSV:11950; last seen 2017-11-19; modified 2009-07-31; published 2009-07-31; reporter Root; title Mozilla Firefox NULL Character CA SSL Certificate Validation Security Bypass Vulnerability
Talos
| field | value |
|---|---|
| id | TALOS-2017-0294 |
| last seen | 2019-05-29 |
| published | 2017-04-28 |
| reporter | Talos Intelligence |
| source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0294 |
| title | Randombit Botan Library X509 Certificate Validation Bypass Vulnerability |
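For the TALOS-2017-0294 / CVE-2017-2801 comparison bug described in the Seebug entry above, the following C++ program is an added example, not Botan's code: it re-implements the whitespace-folding X.500 name comparison with the guard the advisory's patch introduces, and runs it on the advisory's two strings, which it constructs in memory with the NUL as part of the value. Botan's `Charset::is_space` and `Charset::caseless_cmp` are replaced by local ASCII-only helpers (an assumption of this example), and the `demo` namespace and function name `x500_name_equal` are this example's own.

```cpp
// Added example (not Botan's code): the whitespace-folding DN comparison from
// TALOS-2017-0294, rewritten with the end-of-string guard from the advisory's
// patch, exercised on the advisory's two strings. Assumptions: ASCII-only
// whitespace and case folding stand in for Botan's Charset helpers.
#include <cctype>
#include <iostream>
#include <string>

namespace demo {

bool is_space(char c) { return c == ' ' || c == '\t' || c == '\n' || c == '\r'; }

bool caseless_eq(char a, char b) {
    return std::tolower(static_cast<unsigned char>(a)) ==
           std::tolower(static_cast<unsigned char>(b));
}

// Equality of two X.500 name strings: runs of whitespace compare equal,
// leading and trailing whitespace is ignored, case is ignored. Every
// dereference is preceded by an end() check, so a NUL byte inside the value
// (which std::string carries as ordinary data) can never move a pointer past
// the end of its buffer.
bool x500_name_equal(const std::string& name1, const std::string& name2) {
    auto p1 = name1.begin();
    auto p2 = name2.begin();
    auto skip = [](std::string::const_iterator& p, const std::string& s) {
        while (p != s.end() && is_space(*p)) ++p;
    };
    skip(p1, name1);
    skip(p2, name2);
    while (p1 != name1.end() && p2 != name2.end()) {
        if (is_space(*p1)) {
            if (!is_space(*p2)) return false;
            skip(p1, name1);
            skip(p2, name2);
            if (p1 == name1.end() && p2 == name2.end()) return true;
            // The guard from the patch: if exactly one side ran out of
            // characters the names differ. Without it, *p1 or *p2 below
            // reads one byte past the end, which is the ASan report above.
            if (p1 == name1.end() || p2 == name2.end()) return false;
        }
        if (!caseless_eq(*p1, *p2)) return false;
        ++p1;
        ++p2;
    }
    skip(p1, name1);
    skip(p2, name2);
    return p1 == name1.end() && p2 == name2.end();
}

// The advisory's strings, constructed so the NUL is part of the value:
// "AA", space, NUL, ten 'A's (14 bytes) versus "AA" plus twelve spaces (14 bytes).
const std::string kName1 = std::string("AA ") + '\0' + std::string(10, 'A');
const std::string kName2 = std::string("AA") + std::string(12, ' ');

} // namespace demo

int main() {
    std::cout << "advisory strings equal: "
              << demo::x500_name_equal(demo::kName1, demo::kName2) << '\n'
              << "'  Example  Corp ' == 'example corp': "
              << demo::x500_name_equal("  Example  Corp ", "example corp") << '\n';
    return 0;
}
```

The interesting path is the first call: after both sides match `AA` and enter the whitespace branch, `p1` stops on the NUL while `p2` runs to `end()`; the guard returns false instead of comparing `*p2` past the buffer. The remaining cases show the folding rules still behave as before the fix.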
References
- http://www.wired.com/threatlevel/2009/07/kaminsky/
- https://bugzilla.redhat.com/show_bug.cgi?id=510251
- http://osvdb.org/56723
- http://www.vupen.com/english/advisories/2009/2085
- http://www.ubuntu.com/usn/usn-810-1
- http://www.securitytracker.com/id?1022632
- http://www.mozilla.org/security/announce/2009/mfsa2009-42.html
- http://secunia.com/advisories/36139
- http://secunia.com/advisories/36157
- http://secunia.com/advisories/36088
- http://secunia.com/advisories/36125
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:197
- http://www.redhat.com/support/errata/RHSA-2009-1207.html
- http://isc.sans.org/diary.html?storyid=7003
- http://www.redhat.com/support/errata/RHSA-2009-1432.html
- http://www.debian.org/security/2009/dsa-1874
- http://secunia.com/advisories/36434
- http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_m.c.diff?r1=1.8&r2=1.11&f=h
- http://marc.info/?l=oss-security&m=125198917018936&w=2
- http://www.vupen.com/english/advisories/2009/3184
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:217
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:216
- http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021030.1-1
- http://secunia.com/advisories/37098
- http://www.novell.com/linux/security/advisories/2009_48_firefox.html
- http://secunia.com/advisories/36669
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8458
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10751
- https://usn.ubuntu.com/810-2/