CVE-2009-2408

moderate-risk

Published 2009-07-30

Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.

Do I need to act?

2.5% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.9/10 Medium

NETWORK / HIGH complexity

Affected Products (12)

Firefox

Seamonkey

Thunderbird

Linux Enterprise

Linux Enterprise Server

Ubuntu Linux

Network Security Services

Opensuse

Debian Linux

Ubuntu Linux

Affected Vendors

Suse Opensuse Debian Canonical Mozilla

References (60)

Broken Link http://isc.sans.org/diary.html?storyid=7003

Mailing List http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html

Mailing List http://marc.info/?l=oss-security&m=125198917018936&w=2

Broken Link http://osvdb.org/56723

Broken Link http://secunia.com/advisories/36088

Broken Link http://secunia.com/advisories/36125

Broken Link http://secunia.com/advisories/36139

Broken Link http://secunia.com/advisories/36157

Broken Link http://secunia.com/advisories/36434

Broken Link http://secunia.com/advisories/36669

Broken Link http://secunia.com/advisories/37098

Broken Link http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021030.1-1

Mailing List http://www.debian.org/security/2009/dsa-1874

Broken Link http://www.mandriva.com/security/advisories?name=MDVSA-2009:197

Broken Link http://www.mandriva.com/security/advisories?name=MDVSA-2009:216

Broken Link http://www.mandriva.com/security/advisories?name=MDVSA-2009:217

Vendor Advisory http://www.mozilla.org/security/announce/2009/mfsa2009-42.html

Broken Link http://www.novell.com/linux/security/advisories/2009_48_firefox.html

Broken Link http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_m.c.diff?r1=1.8&r...

Broken Link http://www.redhat.com/support/errata/RHSA-2009-1207.html

and 40 more references

/ 100

moderate-risk

Severity 18/34 · Moderate

Exploitability 6/34 · Minimal

Exposure 17/34 · Moderate