CVE-2009-2408 — MEDIUM (5.9)

Q: How severe is CVE-2009-2408?

CVE-2009-2408 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2009-2408?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Network Security Services, Mozilla Seamonkey, Mozilla Thunderbird, Opensuse Opensuse.

Vulnerability Description

Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Mozilla	Firefox	< 3.0.13
Mozilla	Network Security Services	< 3.12.3
Mozilla	Seamonkey	< 1.1.18
Mozilla	Thunderbird	< 2.0.0.23
Opensuse	Opensuse	>= 10.3, <= 11.1
Suse	Linux Enterprise	10.0
Suse	Linux Enterprise Server	9
Debian	Debian Linux	5.0
Canonical	Ubuntu Linux	8.04

Related Weaknesses (CWE)

CWE-295

References

http://isc.sans.org/diary.html?storyid=7003Broken Link
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.htmlMailing List
http://marc.info/?l=oss-security&m=125198917018936&w=2Mailing List
http://osvdb.org/56723Broken Link
http://secunia.com/advisories/36088Broken LinkVendor Advisory
http://secunia.com/advisories/36125Broken LinkVendor Advisory
http://secunia.com/advisories/36139Broken LinkVendor Advisory
http://secunia.com/advisories/36157Broken LinkVendor Advisory
http://secunia.com/advisories/36434Broken LinkVendor Advisory
http://secunia.com/advisories/36669Broken Link
http://secunia.com/advisories/37098Broken Link
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021030.1-1Broken Link
http://www.debian.org/security/2009/dsa-1874Mailing List
http://www.mandriva.com/security/advisories?name=MDVSA-2009:197Broken Link
http://www.mandriva.com/security/advisories?name=MDVSA-2009:216Broken Link

FAQ

What is CVE-2009-2408?

CVE-2009-2408 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the s...

How severe is CVE-2009-2408?

CVE-2009-2408 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2009-2408?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Network Security Services, Mozilla Seamonkey, Mozilla Thunderbird, Opensuse Opensuse.