Computer Security
[EN] securityvulns.ru no-pyccku


GnuTLS library certificate spoofing
Published:20.08.2009
Source:
SecurityVulns ID:10169
Type:library
Threat Level:
6/10
Description:It's possible to spoof cerificate name with NULL byte; weak MD2-hashed signatures are accepted.
Affected:GNU : GnuTLS 2.8
CVE:CVE-2009-2730 (libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0' character in a domain name in the subject's (1) Common Name (CN) or (2) Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.)
 CVE-2009-2409 (The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.)
Original documentdocumentUBUNTU, [USN-809-1] GnuTLS vulnerabilities (20.08.2009)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod