ID CVE-2009-2417
Summary lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
References
Vulnerable Configurations
  • cpe:2.3:a:curl:libcurl:7.4
    cpe:2.3:a:curl:libcurl:7.4
  • cpe:2.3:a:curl:libcurl:7.4.1
    cpe:2.3:a:curl:libcurl:7.4.1
  • cpe:2.3:a:curl:libcurl:7.4.2
    cpe:2.3:a:curl:libcurl:7.4.2
  • cpe:2.3:a:curl:libcurl:7.5
    cpe:2.3:a:curl:libcurl:7.5
  • cpe:2.3:a:curl:libcurl:7.5.1
    cpe:2.3:a:curl:libcurl:7.5.1
  • cpe:2.3:a:curl:libcurl:7.5.2
    cpe:2.3:a:curl:libcurl:7.5.2
  • cpe:2.3:a:curl:libcurl:7.6
    cpe:2.3:a:curl:libcurl:7.6
  • cpe:2.3:a:curl:libcurl:7.6.1
    cpe:2.3:a:curl:libcurl:7.6.1
  • cpe:2.3:a:curl:libcurl:7.7
    cpe:2.3:a:curl:libcurl:7.7
  • cpe:2.3:a:curl:libcurl:7.7.1
    cpe:2.3:a:curl:libcurl:7.7.1
  • cpe:2.3:a:curl:libcurl:7.7.2
    cpe:2.3:a:curl:libcurl:7.7.2
  • cpe:2.3:a:curl:libcurl:7.7.3
    cpe:2.3:a:curl:libcurl:7.7.3
  • cpe:2.3:a:curl:libcurl:7.8
    cpe:2.3:a:curl:libcurl:7.8
  • cpe:2.3:a:curl:libcurl:7.8.1
    cpe:2.3:a:curl:libcurl:7.8.1
  • cpe:2.3:a:curl:libcurl:7.9
    cpe:2.3:a:curl:libcurl:7.9
  • cpe:2.3:a:curl:libcurl:7.9.1
    cpe:2.3:a:curl:libcurl:7.9.1
  • cpe:2.3:a:curl:libcurl:7.9.2
    cpe:2.3:a:curl:libcurl:7.9.2
  • cpe:2.3:a:curl:libcurl:7.9.3
    cpe:2.3:a:curl:libcurl:7.9.3
  • cpe:2.3:a:curl:libcurl:7.9.5
    cpe:2.3:a:curl:libcurl:7.9.5
  • cpe:2.3:a:curl:libcurl:7.9.6
    cpe:2.3:a:curl:libcurl:7.9.6
  • cpe:2.3:a:curl:libcurl:7.9.7
    cpe:2.3:a:curl:libcurl:7.9.7
  • cpe:2.3:a:curl:libcurl:7.9.8
    cpe:2.3:a:curl:libcurl:7.9.8
  • cpe:2.3:a:curl:libcurl:7.10
    cpe:2.3:a:curl:libcurl:7.10
  • cpe:2.3:a:curl:libcurl:7.10.1
    cpe:2.3:a:curl:libcurl:7.10.1
  • cpe:2.3:a:curl:libcurl:7.10.2
    cpe:2.3:a:curl:libcurl:7.10.2
  • cpe:2.3:a:curl:libcurl:7.10.3
    cpe:2.3:a:curl:libcurl:7.10.3
  • cpe:2.3:a:curl:libcurl:7.10.4
    cpe:2.3:a:curl:libcurl:7.10.4
  • cpe:2.3:a:curl:libcurl:7.10.5
    cpe:2.3:a:curl:libcurl:7.10.5
  • cpe:2.3:a:curl:libcurl:7.10.6
    cpe:2.3:a:curl:libcurl:7.10.6
  • cpe:2.3:a:curl:libcurl:7.10.7
    cpe:2.3:a:curl:libcurl:7.10.7
  • cpe:2.3:a:curl:libcurl:7.10.8
    cpe:2.3:a:curl:libcurl:7.10.8
  • cpe:2.3:a:curl:libcurl:7.11.0
    cpe:2.3:a:curl:libcurl:7.11.0
  • cpe:2.3:a:curl:libcurl:7.11.1
    cpe:2.3:a:curl:libcurl:7.11.1
  • cpe:2.3:a:curl:libcurl:7.11.2
    cpe:2.3:a:curl:libcurl:7.11.2
  • cpe:2.3:a:curl:libcurl:7.12
    cpe:2.3:a:curl:libcurl:7.12
  • cpe:2.3:a:curl:libcurl:7.12.0
    cpe:2.3:a:curl:libcurl:7.12.0
  • cpe:2.3:a:curl:libcurl:7.12.1
    cpe:2.3:a:curl:libcurl:7.12.1
  • cpe:2.3:a:curl:libcurl:7.12.2
    cpe:2.3:a:curl:libcurl:7.12.2
  • cpe:2.3:a:curl:libcurl:7.12.3
    cpe:2.3:a:curl:libcurl:7.12.3
  • cpe:2.3:a:curl:libcurl:7.13
    cpe:2.3:a:curl:libcurl:7.13
  • cpe:2.3:a:curl:libcurl:7.13.1
    cpe:2.3:a:curl:libcurl:7.13.1
  • cpe:2.3:a:curl:libcurl:7.13.2
    cpe:2.3:a:curl:libcurl:7.13.2
  • cpe:2.3:a:curl:libcurl:7.14
    cpe:2.3:a:curl:libcurl:7.14
  • cpe:2.3:a:curl:libcurl:7.14.1
    cpe:2.3:a:curl:libcurl:7.14.1
  • cpe:2.3:a:curl:libcurl:7.15
    cpe:2.3:a:curl:libcurl:7.15
  • cpe:2.3:a:curl:libcurl:7.15.1
    cpe:2.3:a:curl:libcurl:7.15.1
  • cpe:2.3:a:curl:libcurl:7.15.2
    cpe:2.3:a:curl:libcurl:7.15.2
  • cpe:2.3:a:curl:libcurl:7.15.3
    cpe:2.3:a:curl:libcurl:7.15.3
  • cpe:2.3:a:curl:libcurl:7.16.3
    cpe:2.3:a:curl:libcurl:7.16.3
  • cpe:2.3:a:curl:libcurl:7.17.0
    cpe:2.3:a:curl:libcurl:7.17.0
  • cpe:2.3:a:curl:libcurl:7.17.1
    cpe:2.3:a:curl:libcurl:7.17.1
  • cpe:2.3:a:curl:libcurl:7.18.0
    cpe:2.3:a:curl:libcurl:7.18.0
  • cpe:2.3:a:curl:libcurl:7.18.1
    cpe:2.3:a:curl:libcurl:7.18.1
  • cpe:2.3:a:curl:libcurl:7.18.2
    cpe:2.3:a:curl:libcurl:7.18.2
  • cpe:2.3:a:curl:libcurl:7.19.0
    cpe:2.3:a:curl:libcurl:7.19.0
  • cpe:2.3:a:curl:libcurl:7.19.1
    cpe:2.3:a:curl:libcurl:7.19.1
  • cpe:2.3:a:curl:libcurl:7.19.2
    cpe:2.3:a:curl:libcurl:7.19.2
  • cpe:2.3:a:curl:libcurl:7.19.3
    cpe:2.3:a:curl:libcurl:7.19.3
  • cpe:2.3:a:curl:libcurl:7.19.4
    cpe:2.3:a:curl:libcurl:7.19.4
  • cpe:2.3:a:curl:libcurl:7.19.5
    cpe:2.3:a:curl:libcurl:7.19.5
  • cpe:2.3:a:libcurl:libcurl:7.12
    cpe:2.3:a:libcurl:libcurl:7.12
  • cpe:2.3:a:libcurl:libcurl:7.12.1
    cpe:2.3:a:libcurl:libcurl:7.12.1
  • cpe:2.3:a:libcurl:libcurl:7.12.2
    cpe:2.3:a:libcurl:libcurl:7.12.2
  • cpe:2.3:a:libcurl:libcurl:7.12.3
    cpe:2.3:a:libcurl:libcurl:7.12.3
  • cpe:2.3:a:libcurl:libcurl:7.13
    cpe:2.3:a:libcurl:libcurl:7.13
  • cpe:2.3:a:libcurl:libcurl:7.13.1
    cpe:2.3:a:libcurl:libcurl:7.13.1
  • cpe:2.3:a:libcurl:libcurl:7.13.2
    cpe:2.3:a:libcurl:libcurl:7.13.2
  • cpe:2.3:a:libcurl:libcurl:7.14
    cpe:2.3:a:libcurl:libcurl:7.14
  • cpe:2.3:a:libcurl:libcurl:7.14.1
    cpe:2.3:a:libcurl:libcurl:7.14.1
  • cpe:2.3:a:libcurl:libcurl:7.15
    cpe:2.3:a:libcurl:libcurl:7.15
  • cpe:2.3:a:libcurl:libcurl:7.15.1
    cpe:2.3:a:libcurl:libcurl:7.15.1
  • cpe:2.3:a:libcurl:libcurl:7.15.2
    cpe:2.3:a:libcurl:libcurl:7.15.2
  • cpe:2.3:a:libcurl:libcurl:7.15.3
    cpe:2.3:a:libcurl:libcurl:7.15.3
  • cpe:2.3:a:libcurl:libcurl:7.16.3
    cpe:2.3:a:libcurl:libcurl:7.16.3
CVSS
Base: 7.5 (as of 14-08-2009 - 12:29)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1158-1.NASL
    description Richard Silverman discovered that when doing GSSAPI authentication, libcurl unconditionally performs credential delegation, handing the server a copy of the client's security credential. (CVE-2011-2192) Wesley Miaw discovered that when zlib is enabled, libcurl does not properly restrict the amount of callback data sent to an application that requests automatic decompression. This might allow an attacker to cause a denial of service via an application crash or possibly execute arbitrary code with the privilege of the application. This issue only affected Ubuntu 8.04 LTS and Ubuntu 10.04 LTS. (CVE-2010-0734) USN 818-1 fixed an issue with curl's handling of SSL certificates with zero bytes in the Common Name. Due to a packaging error, the fix for this issue was not being applied during the build. This issue only affected Ubuntu 8.04 LTS. We apologize for the error. (CVE-2009-2417) Scott Cantor discovered that curl did not correctly handle SSL certificates with zero bytes in the Common Name. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-12-01
    plugin id 55414
    published 2011-06-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55414
    title Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 : curl vulnerabilities (USN-1158-1)
  • NASL family Misc.
    NASL id VMWARE_VMSA-2009-0016_REMOTE.NASL
    description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components : - Apache Geronimo - Apache Tomcat - Apache Xerces2 - cURL/libcURL - ISC BIND - Libxml2 - Linux kernel - Linux kernel 64-bit - Linux kernel Common Internet File System - Linux kernel eCryptfs - NTP - Python - Java Runtime Environment (JRE) - Java SE Development Kit (JDK) - Java SE Abstract Window Toolkit (AWT) - Java SE Plugin - Java SE Provider - Java SE Swing - Java SE Web Start
    last seen 2019-01-16
    modified 2018-08-06
    plugin id 89117
    published 2016-03-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89117
    title VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0016) (remote check)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2009-0016.NASL
    description a. JRE Security Update JRE update to version 1.5.0_20, which addresses multiple security issues that existed in earlier releases of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676, CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720, CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724. b. Update Apache Tomcat version Update for VirtualCenter and ESX patch update the Tomcat package to version 6.0.20 (vSphere 4.0) or version 5.5.28 (VirtualCenter 2.5) which addresses multiple security issues that existed in the previous version of Apache Tomcat. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.20 and Tomcat 5.5.28: CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.18: CVE-2008-1232, CVE-2008-1947, CVE-2008-2370. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.16: CVE-2007-5333, CVE-2007-5342, CVE-2007-5461, CVE-2007-6286, CVE-2008-0002. c. Third-party library update for ntp. The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. ESXi 3.5 and ESXi 4.0 have a ntp client that is affected by the following security issue. Note that the same security issue is present in the ESX Service Console as described in section d. of this advisory. A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the 'ntp' user. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1252 to this issue. The NTP security issue identified by CVE-2009-0159 is not relevant for ESXi 3.5 and ESXi 4.0. d. Service Console update for ntp Service Console package ntp updated to version ntp-4.2.2pl-9el5_3.2 The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. The Service Console present in ESX is affected by the following security issues. A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the 'ntp' user. NTP authentication is not enabled by default on the Service Console. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1252 to this issue. A buffer overflow flaw was found in the ntpq diagnostic command. A malicious, remote server could send a specially crafted reply to an ntpq request that could crash ntpq or, potentially, execute arbitrary code with the privileges of the user running the ntpq command. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0159 to this issue. e. Updated Service Console package kernel Updated Service Console package kernel addresses the security issues listed below. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-3528, CVE-2008-5700, CVE-2009-0028, CVE-2009-0269, CVE-2009-0322, CVE-2009-0675, CVE-2009-0676, CVE-2009-0778 to the security issues fixed in kernel 2.6.18-128.1.6. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-4307, CVE-2009-0834, CVE-2009-1337, CVE-2009-0787, CVE-2009-1336 to the security issues fixed in kernel 2.6.18-128.1.10. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-1439, CVE-2009-1633, CVE-2009-1072, CVE-2009-1630, CVE-2009-1192 to the security issues fixed in kernel 2.6.18-128.1.14. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-5966, CVE-2009-1385, CVE-2009-1388, CVE-2009-1389, CVE-2009-1895, CVE-2009-2406, CVE-2009-2407 to the security issues fixed in kernel 2.6.18-128.4.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-2692, CVE-2009-2698 to the security issues fixed in kernel 2.6.18-128.7.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-0745, CVE-2009-0746, CVE-2009-0747, CVE-2009-0748, CVE-2009-2847, CVE-2009-2848 to the security issues fixed in kernel 2.6.18-164. f. Updated Service Console package python Service Console package Python update to version 2.4.3-24.el5. When the assert() system call was disabled, an input sanitization flaw was revealed in the Python string object implementation that led to a buffer overflow. The missing check for negative size values meant the Python memory allocator could allocate less memory than expected. This could result in arbitrary code execution with the Python interpreter's privileges. Multiple buffer and integer overflow flaws were found in the Python Unicode string processing and in the Python Unicode and string object implementations. An attacker could use these flaws to cause a denial of service. Multiple integer overflow flaws were found in the Python imageop module. If a Python application used the imageop module to process untrusted images, it could cause the application to disclose sensitive information, crash or, potentially, execute arbitrary code with the Python interpreter's privileges. Multiple integer underflow and overflow flaws were found in the Python snprintf() wrapper implementation. An attacker could use these flaws to cause a denial of service (memory corruption). Multiple integer overflow flaws were found in various Python modules. An attacker could use these flaws to cause a denial of service. An integer signedness error, leading to a buffer overflow, was found in the Python zlib extension module. If a Python application requested the negative byte count be flushed for a decompression stream, it could cause the application to crash or, potentially, execute arbitrary code with the Python interpreter's privileges. A flaw was discovered in the strxfrm() function of the Python locale module. Strings generated by this function were not properly NULL-terminated, which could possibly cause disclosure of data stored in the memory of a Python application using this function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-2052 CVE-2007-4965 CVE-2008-1721 CVE-2008-1887 CVE-2008-2315 CVE-2008-3142 CVE-2008-3143 CVE-2008-3144 CVE-2008-4864 CVE-2008-5031 to these issues. g. Updated Service Console package bind Service Console package bind updated to version 9.3.6-4.P1.el5 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was found in the way BIND handles dynamic update message packets containing the 'ANY' record type. A remote attacker could use this flaw to send a specially crafted dynamic update packet that could cause named to exit with an assertion failure. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-0696 to this issue. h. Updated Service Console package libxml2 Service Console package libxml2 updated to version 2.6.26-2.1.2.8. libxml is a library for parsing and manipulating XML files. A Document Type Definition (DTD) defines the legal syntax (and also which elements can be used) for certain types of files, such as XML files. A stack overflow flaw was found in the way libxml processes the root XML document element definition in a DTD. A remote attacker could provide a specially crafted XML file, which once opened by a local, unsuspecting user, would lead to denial of service. Multiple use-after-free flaws were found in the way libxml parses the Notation and Enumeration attribute types. A remote attacker could provide a specially crafted XML file, which once opened by a local, unsuspecting user, would lead to denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-2414 and CVE-2009-2416 to these issues. i. Updated Service Console package curl Service Console package curl updated to version 7.15.5-2.1.el5_3.5 A cURL is affected by the previously published 'null prefix attack', caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse cURL into accepting it by mistake. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-2417 to this issue j. Updated Service Console package gnutls Service Console package gnutil updated to version 1.4.1-3.el5_3.5 A flaw was discovered in the way GnuTLS handles NULL characters in certain fields of X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a Certificate Authority trusted by an application using GnuTLS, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse the application into accepting it by mistake. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-2730 to this issue
    last seen 2019-01-16
    modified 2018-08-06
    plugin id 42870
    published 2009-11-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42870
    title VMSA-2009-0016 : VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.
  • NASL family SuSE Local Security Checks
    NASL id SUSE_COMPAT-CURL2-6408.NASL
    description This update of libcurl2 fixes the 0-character handling in the subject name of a SSL certificate. This bug could be used to execute an undetected man-in-the-middle-attack. (CVE-2009-2417) Additionally the arbitrary file access problem was fixed. (CVE-2009-0037)
    last seen 2019-01-16
    modified 2016-12-22
    plugin id 41489
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41489
    title SuSE 10 Security Update : compat-curl2 (ZYPP Patch Number 6408)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2010-002.NASL
    description The remote host is running a version of Mac OS X 10.5 that does not have Security Update 2010-002 applied. This security update contains fixes for the following products : - AppKit - Application Firewall - AFP Server - Apache - ClamAV - CoreTypes - CUPS - curl - Cyrus IMAP - Cyrus SASL - Disk Images - Directory Services - Event Monitor - FreeRADIUS - FTP Server - iChat Server - Image RAW - Libsystem - Mail - Mailman - OS Services - Password Server - perl - PHP - PS Normalizer - Ruby - Server Admin - SMB - Tomcat - unzip - vim - Wiki Server - X11 - xar
    last seen 2019-01-16
    modified 2018-07-16
    plugin id 45373
    published 2010-03-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45373
    title Mac OS X Multiple Vulnerabilities (Security Update 2010-002)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200909-20.NASL
    description The remote host is affected by the vulnerability described in GLSA-200909-20 (cURL: Certificate validation error) Scott Cantor reported that cURL does not properly handle fields in X.509 certificates that contain an ASCII NUL (\\0) character. Specifically, the processing of such fields is stopped at the first occurence of a NUL character. This type of vulnerability was recently discovered by Dan Kaminsky and Moxie Marlinspike. Impact : A remote attacker might employ a specially crafted X.509 certificate (that for instance contains a NUL character in the Common Name field) to conduct man-in-the-middle attacks. Workaround : There is no known workaround at this time.
    last seen 2019-01-16
    modified 2018-07-11
    plugin id 41637
    published 2009-09-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41637
    title GLSA-200909-20 : cURL: Certificate validation error
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2009-0019.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - fix CVE-2009-2417 (#516257)
    last seen 2019-01-16
    modified 2017-02-14
    plugin id 79463
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79463
    title OracleVM 2.1 : curl (OVMSA-2009-0019)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_LIBCURL3-6401.NASL
    description This update of libcurl2 fixes the 0-character handling in the subject name of a SSL certificate. This bug could be used to execute an undetected man-in-the-middle-attack. (CVE-2009-2417)
    last seen 2019-01-16
    modified 2014-06-13
    plugin id 42012
    published 2009-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42012
    title openSUSE 10 Security Update : libcurl3 (libcurl3-6401)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_CURL-090613.NASL
    description This update of libcurl2 fixes the 0-character handling in the subject name of a SSL certificate. This bug could be used to execute an undetected man-in-the-middle-attack. (CVE-2009-2417)
    last seen 2019-01-16
    modified 2014-06-13
    plugin id 40650
    published 2009-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40650
    title openSUSE Security Update : curl (curl-1180)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_CURL-090820.NASL
    description curl did not detect embedded null characters in certificate names. By using specially crafted certificates attackers could exploit that to conduct man in the middle attacks (CVE-2009-2417). Note the previous update that was supposed to fix the issue accidentally lacked the actual fix which was corrected this time.
    last seen 2019-01-16
    modified 2014-06-13
    plugin id 40788
    published 2009-08-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40788
    title openSUSE Security Update : curl (curl-1232)
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_12467.NASL
    description This update of libcurl2 fixes the 0-character handling in the subject name of a SSL certificate. This bug could be used to execute an undetected man-in-the-middle-attack. (CVE-2009-2417)
    last seen 2019-01-16
    modified 2012-04-23
    plugin id 41317
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41317
    title SuSE9 Security Update : curl (YOU Patch Number 12467)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-818-1.NASL
    description Scott Cantor discovered that Curl did not correctly handle SSL certificates with zero bytes in the Common Name. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-11-28
    plugin id 40657
    published 2009-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40657
    title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : curl vulnerability (USN-818-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-203.NASL
    description A vulnerability has been found and corrected in curl : lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '�' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408 (CVE-2009-2417). This update provides a solution to this vulnerability. Update : Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers
    last seen 2019-01-16
    modified 2018-07-19
    plugin id 40597
    published 2009-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40597
    title Mandriva Linux Security Advisory : curl (MDVSA-2009:203-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-1209.NASL
    description From Red Hat Security Advisory 2009:1209 : Updated curl packages that fix security issues are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity. Scott Cantor reported that cURL is affected by the previously published 'null prefix attack', caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse cURL into accepting it by mistake. (CVE-2009-2417) cURL users should upgrade to these updated packages, which contain a backported patch to correct these issues. All running applications using libcurl must be restarted for the update to take effect.
    last seen 2019-01-16
    modified 2015-12-01
    plugin id 67910
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67910
    title Oracle Linux 3 / 4 / 5 : curl (ELSA-2009-1209)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_CURL-090807.NASL
    description This update of libcurl2 fixes the 0-character handling in the subject name of a SSL certificate. This bug could be used to execute an undetected man-in-the-middle-attack. (CVE-2009-2417)
    last seen 2019-01-16
    modified 2013-10-25
    plugin id 41379
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41379
    title SuSE 11 Security Update : curl (SAT Patch Number 1173)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_CURL-090807.NASL
    description This update of libcurl2 fixes the 0-character handling in the subject name of a SSL certificate. This bug could be used to execute an undetected man-in-the-middle-attack. (CVE-2009-2417)
    last seen 2019-01-16
    modified 2014-06-13
    plugin id 40643
    published 2009-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40643
    title openSUSE Security Update : curl (curl-1180)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1869.NASL
    description It was discovered that curl, a client and library to get files from servers using HTTP, HTTPS or FTP, is vulnerable to the 'Null Prefix Attacks Against SSL/TLS Certificates' recently published at the Blackhat conference. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the Common Name field.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 44734
    published 2010-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44734
    title Debian DSA-1869-1 : curl - insufficient input validation
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090813_CURL_ON_SL3_X.NASL
    description Scott Cantor reported that cURL is affected by the previously published 'null prefix attack', caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse cURL into accepting it by mistake. (CVE-2009-2417) All running applications using libcurl must be restarted for the update to take effect.
    last seen 2019-01-16
    modified 2019-01-02
    plugin id 60639
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60639
    title Scientific Linux Security Update : curl on SL3.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1209.NASL
    description Updated curl packages that fix security issues are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity. Scott Cantor reported that cURL is affected by the previously published 'null prefix attack', caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse cURL into accepting it by mistake. (CVE-2009-2417) cURL users should upgrade to these updated packages, which contain a backported patch to correct these issues. All running applications using libcurl must be restarted for the update to take effect.
    last seen 2019-01-16
    modified 2018-11-27
    plugin id 40608
    published 2009-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40608
    title RHEL 3 / 4 / 5 : curl (RHSA-2009:1209)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_6_3.NASL
    description The remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.3. Mac OS X 10.6.3 contains security fixes for the following products : - AFP Server - Apache - CoreAudio - CoreMedia - CoreTypes - CUPS - DesktopServices - Disk Images - Directory Services - Dovecot - Event Monitor - FreeRADIUS - FTP Server - iChat Server - ImageIO - Image RAW - Libsystem - Mail - MySQL - OS Services - Password Server - PHP - Podcast Producer - Preferences - PS Normalizer - QuickTime - Ruby - Server Admin - SMB - Tomcat - Wiki Server - X11
    last seen 2019-01-16
    modified 2018-07-16
    plugin id 45372
    published 2010-03-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45372
    title Mac OS X 10.6.x < 10.6.3 Multiple Vulnerabilities
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-1209.NASL
    description Updated curl packages that fix security issues are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity. Scott Cantor reported that cURL is affected by the previously published 'null prefix attack', caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse cURL into accepting it by mistake. (CVE-2009-2417) cURL users should upgrade to these updated packages, which contain a backported patch to correct these issues. All running applications using libcurl must be restarted for the update to take effect.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 40593
    published 2009-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40593
    title CentOS 3 / 5 : curl (CESA-2009:1209)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_CURL-6402.NASL
    description This update of libcurl2 fixes the 0-character handling in the subject name of a SSL certificate. This bug could be used to execute an undetected man-in-the-middle-attack. (CVE-2009-2417)
    last seen 2019-01-16
    modified 2012-05-17
    plugin id 41497
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41497
    title SuSE 10 Security Update : curl (ZYPP Patch Number 6402)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090813_CURL_ON_SL5_X.NASL
    description Scott Cantor reported that cURL is affected by the previously published 'null prefix attack', caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse cURL into accepting it by mistake. (CVE-2009-2417) All running applications using libcurl must be restarted for the update to take effect.
    last seen 2019-01-16
    modified 2019-01-02
    plugin id 60640
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60640
    title Scientific Linux Security Update : curl on SL5.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_LIBCURL2-6404.NASL
    description This update of libcurl2 fixes the 0-character handling in the subject name of a SSL certificate. This bug could be used to execute an undetected man-in-the-middle-attack. (CVE-2009-2417)
    last seen 2019-01-16
    modified 2014-06-13
    plugin id 42011
    published 2009-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42011
    title openSUSE 10 Security Update : libcurl2 (libcurl2-6404)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_GNUTLS-6470.NASL
    description This update of gnutls improves the verification of the domain/subject names in a SSL certificate. CVE-2009-2417 has been assigned to this issue.
    last seen 2019-01-16
    modified 2012-05-17
    plugin id 41517
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41517
    title SuSE 10 Security Update : GnuTLS (ZYPP Patch Number 6470)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2009-226-01.NASL
    description New curl packages are available for Slackware 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix a security issue.
    last seen 2019-01-16
    modified 2018-11-19
    plugin id 40598
    published 2009-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40598
    title Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 9.1 / current : curl (SSA:2009-226-01)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_CURL-6411.NASL
    description This update of libcurl2 fixes the 0-character handling in the subject name of a SSL certificate. This bug could be used to execute an undetected man-in-the-middle-attack. (CVE-2009-2417)
    last seen 2019-01-16
    modified 2014-06-13
    plugin id 41994
    published 2009-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41994
    title openSUSE 10 Security Update : curl (curl-6411)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090813_CURL_ON_SL4_X.NASL
    description CVE-2009-2417 curl: incorrect verification of SSL certificate with NUL in name Scott Cantor reported that cURL is affected by the previously published 'null prefix attack', caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse cURL into accepting it by mistake. (CVE-2009-2417) All running applications using libcurl must be restarted for the update to take effect. Note: This package for SL4 has to be renamed due to poor naming of rpms.
    last seen 2019-01-16
    modified 2019-01-02
    plugin id 65043
    published 2013-03-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65043
    title Scientific Linux Security Update : curl on SL4.x i386/x86_64
oval via4
  • accepted 2013-04-29T04:01:50.518-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
    family unix
    id oval:org.mitre.oval:def:10114
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
    version 24
  • accepted 2014-01-20T04:01:40.013-05:00
    class vulnerability
    contributors
    • name Pai Peng
      organization Hewlett-Packard
    • name Chris Coffin
      organization The MITRE Corporation
    definition_extensions
    comment VMware ESX Server 4.0 is installed
    oval oval:org.mitre.oval:def:6293
    description lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
    family unix
    id oval:org.mitre.oval:def:8542
    status accepted
    submitted 2010-03-19T16:57:59.000-04:00
    title VMware curl vulnerability
    version 7
redhat via4
advisories
bugzilla
id 516181
title CVE-2009-2417 curl: incorrect verification of SSL certificate with NUL in name
oval
OR
  • AND
    • comment Red Hat Enterprise Linux 3 is installed
      oval oval:com.redhat.rhsa:tst:20060015001
    • OR
      • AND
        • comment curl is earlier than 0:7.10.6-10.rhel3
          oval oval:com.redhat.rhsa:tst:20091209002
        • comment curl is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20090341003
      • AND
        • comment curl-devel is earlier than 0:7.10.6-10.rhel3
          oval oval:com.redhat.rhsa:tst:20091209004
        • comment curl-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20090341005
  • AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhsa:tst:20060016001
    • OR
      • AND
        • comment curl is earlier than 0:7.12.1-11.1.el4_8.1
          oval oval:com.redhat.rhsa:tst:20091209007
        • comment curl is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20090341003
      • AND
        • comment curl-devel is earlier than 0:7.12.1-11.1.el4_8.1
          oval oval:com.redhat.rhsa:tst:20091209008
        • comment curl-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20090341005
  • AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhsa:tst:20070055001
    • OR
      • AND
        • comment curl is earlier than 0:7.15.5-2.1.el5_3.5
          oval oval:com.redhat.rhsa:tst:20091209010
        • comment curl is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090341011
      • AND
        • comment curl-devel is earlier than 0:7.15.5-2.1.el5_3.5
          oval oval:com.redhat.rhsa:tst:20091209012
        • comment curl-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090341013
rhsa
id RHSA-2009:1209
released 2009-08-13
severity Moderate
title RHSA-2009:1209: curl security update (Moderate)
rpms
  • curl-0:7.10.6-10.rhel3
  • curl-devel-0:7.10.6-10.rhel3
  • curl-0:7.12.1-11.1.el4_8.1
  • curl-devel-0:7.12.1-11.1.el4_8.1
  • curl-0:7.15.5-2.1.el5_3.5
  • curl-devel-0:7.15.5-2.1.el5_3.5
refmap via4
apple APPLE-SA-2010-03-29-1
bid 36032
bugtraq
  • 20090824 rPSA-2009-0124-1 curl
  • 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components
confirm
secunia
  • 36238
  • 36475
  • 37471
  • 45047
ubuntu USN-1158-1
vupen
  • ADV-2009-2263
  • ADV-2009-3316
xf curl-certificate-security-bypass(52405)
Last major update 29-10-2011 - 23:16
Published 14-08-2009 - 11:16
Last modified 10-10-2018 - 15:40
Back to Top