Vulnerabilities > CVE-2009-3475 - Cryptographic Issues vulnerability in Internet2 Shibboleth-Sp
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Internet2 Shibboleth Service Provider software 1.3.x before 1.3.3 and 2.x before 2.2.1, when using PKIX trust validation, does not properly handle a '\0' character in the subject or subjectAltName fields of a certificate, which allows remote man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 6 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1895.NASL description Several vulnerabilities have been discovered in the xmltooling packages, as used by Shibboleth : - Chris Ries discovered that decoding a crafted URL leads to a crash (and potentially, arbitrary code execution). - Ian Young discovered that embedded NUL characters in certificate names were not correctly handled, exposing configurations using PKIX trust validation to impersonation attacks. - Incorrect processing of SAML metadata ignores key usage constraints. This minor issue also needs a correction in the opensaml2 packages, which will be provided in an upcoming stable point release (and, before that, via stable-proposed-updates). last seen 2020-06-01 modified 2020-06-02 plugin id 44760 published 2010-02-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44760 title Debian DSA-1895-1 : xmltooling - several vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1895. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(44760); script_version("1.10"); script_cvs_date("Date: 2019/08/02 13:32:22"); script_cve_id("CVE-2009-3474", "CVE-2009-3475"); script_bugtraq_id(36514, 36516); script_xref(name:"DSA", value:"1895"); script_name(english:"Debian DSA-1895-1 : xmltooling - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities have been discovered in the xmltooling packages, as used by Shibboleth : - Chris Ries discovered that decoding a crafted URL leads to a crash (and potentially, arbitrary code execution). - Ian Young discovered that embedded NUL characters in certificate names were not correctly handled, exposing configurations using PKIX trust validation to impersonation attacks. - Incorrect processing of SAML metadata ignores key usage constraints. This minor issue also needs a correction in the opensaml2 packages, which will be provided in an upcoming stable point release (and, before that, via stable-proposed-updates)." ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2009/dsa-1895" ); script_set_attribute( attribute:"solution", value: "Upgrade the xmltooling packages. For the stable distribution (lenny), these problems have been fixed in version 1.0-2+lenny1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(310); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xmltooling"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0"); script_set_attribute(attribute:"patch_publication_date", value:"2009/09/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/24"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"5.0", prefix:"libxmltooling-dev", reference:"1.0-2+lenny1")) flag++; if (deb_check(release:"5.0", prefix:"libxmltooling-doc", reference:"1.0-2+lenny1")) flag++; if (deb_check(release:"5.0", prefix:"libxmltooling1", reference:"1.0-2+lenny1")) flag++; if (deb_check(release:"5.0", prefix:"xmltooling-schemas", reference:"1.0-2+lenny1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1896.NASL description Several vulnerabilities have been discovered in the opensaml and shibboleth-sp packages, as used by Shibboleth 1.x : - Chris Ries discovered that decoding a crafted URL leads to a crash (and potentially, arbitrary code execution). - Ian Young discovered that embedded NUL characters in certificate names were not correctly handled, exposing configurations using PKIX trust validation to impersonation attacks. - Incorrect processing of SAML metadata ignored key usage constraints. last seen 2020-06-01 modified 2020-06-02 plugin id 44761 published 2010-02-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44761 title Debian DSA-1896-1 : opensaml, shibboleth-sp - several vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1896. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(44761); script_version("1.10"); script_cvs_date("Date: 2019/08/02 13:32:22"); script_cve_id("CVE-2009-3474", "CVE-2009-3475"); script_bugtraq_id(36514, 36516); script_xref(name:"DSA", value:"1896"); script_name(english:"Debian DSA-1896-1 : opensaml, shibboleth-sp - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities have been discovered in the opensaml and shibboleth-sp packages, as used by Shibboleth 1.x : - Chris Ries discovered that decoding a crafted URL leads to a crash (and potentially, arbitrary code execution). - Ian Young discovered that embedded NUL characters in certificate names were not correctly handled, exposing configurations using PKIX trust validation to impersonation attacks. - Incorrect processing of SAML metadata ignored key usage constraints." ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2009/dsa-1896" ); script_set_attribute( attribute:"solution", value: "Upgrade the Shibboleth 1.x packages. For the old stable distribution (etch), these problems have been fixed in version 1.3f.dfsg1-2+etch1 of the shibboleth-sp packages, and version 1.1a-2+etch1 of the opensaml packages. For the stable distribution (lenny), these problems have been fixed in version 1.3.1.dfsg1-3+lenny1 of the shibboleth-sp packages, and version 1.1.1-2+lenny1 of the opensaml packages. This update requires restarting the affected services (mainly Apache) to become effective." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(310); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:opensaml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:shibboleth-sp"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0"); script_set_attribute(attribute:"patch_publication_date", value:"2009/09/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/24"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"4.0", prefix:"libapache2-mod-shib", reference:"1.3f.dfsg1-2+etch1")) flag++; if (deb_check(release:"4.0", prefix:"libsaml-dev", reference:"1.1a-2+etch1")) flag++; if (deb_check(release:"4.0", prefix:"libsaml5", reference:"1.1a-2+etch1")) flag++; if (deb_check(release:"4.0", prefix:"libshib-dev", reference:"1.3f.dfsg1-2+etch1")) flag++; if (deb_check(release:"4.0", prefix:"libshib-target5", reference:"1.3f.dfsg1-2+etch1")) flag++; if (deb_check(release:"4.0", prefix:"libshib6", reference:"1.3f.dfsg1-2+etch1")) flag++; if (deb_check(release:"4.0", prefix:"opensaml-schemas", reference:"1.1a-2+etch1")) flag++; if (deb_check(release:"5.0", prefix:"libapache2-mod-shib", reference:"1.3.1.dfsg1-3+lenny1")) flag++; if (deb_check(release:"5.0", prefix:"libsaml-dev", reference:"1.1.1-2+lenny1")) flag++; if (deb_check(release:"5.0", prefix:"libsaml5", reference:"1.1.1-2+lenny1")) flag++; if (deb_check(release:"5.0", prefix:"libshib-dev", reference:"1.3.1.dfsg1-3+lenny1")) flag++; if (deb_check(release:"5.0", prefix:"libshib-target5", reference:"1.3.1.dfsg1-3+lenny1")) flag++; if (deb_check(release:"5.0", prefix:"libshib6", reference:"1.3.1.dfsg1-3+lenny1")) flag++; if (deb_check(release:"5.0", prefix:"opensaml-schemas", reference:"1.1.1-2+lenny1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");