ID CVE-2009-2474
Summary neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
References
Vulnerable Configurations
  • cpe:2.3:a:webdav:neon:0.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.4.2:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.5.1:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.6.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.7.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.7.1:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.7.2:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.7.3:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.7.3:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.7.4:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.7.4:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.7.5:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.7.5:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.7.6:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.7.6:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.7.7:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.7.7:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.8.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.8.1:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.9.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.9.1:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.10.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.10.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.11.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.11.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.12.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.13.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.13.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.14.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.15.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.15.2:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.15.2:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.15.3:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.15.3:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.16.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.16.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.16.1:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.16.1:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.17.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.17.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.17.1:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.17.1:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.17.2:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.17.2:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.18.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.18.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.18.1:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.18.1:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.18.2:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.18.2:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.18.3:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.18.3:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.18.4:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.18.4:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.18.5:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.18.5:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.19.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.19.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.19.1:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.19.2:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.19.2:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.19.3:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.19.3:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.19.4:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.19.4:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.20.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.20.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.21.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.21.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.21.1:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.21.1:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.21.2:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.21.2:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.21.3:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.21.3:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.22.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.22.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.23.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.23.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.23.1:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.23.1:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.23.2:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.23.2:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.23.3:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.23.3:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.23.4:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.23.4:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.23.5:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.23.5:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.23.6:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.23.6:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.23.7:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.23.7:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.23.8:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.23.8:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.23.9:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.23.9:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.24.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.24.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.24.1:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.24.1:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.24.2:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.24.2:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.24.3:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.24.3:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.24.4:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.24.4:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.24.5:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.24.5:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.24.6:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.24.6:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.24.7:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.24.7:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.25.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.25.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.25.1:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.25.1:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.25.2:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.25.2:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.25.3:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.25.3:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.25.4:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.25.4:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.26.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.26.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.26.1:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.26.1:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.26.2:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.26.2:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.26.3:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.26.3:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.26.4:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.26.4:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.27.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.27.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.27.1:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.27.1:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.27.2:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.27.2:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.28.0:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.28.0:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.28.1:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.28.1:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.28.2:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.28.2:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.28.3:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.28.3:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:0.28.4:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:0.28.4:*:*:*:*:*:*:*
  • cpe:2.3:a:webdav:neon:*:*:*:*:*:*:*:*
    cpe:2.3:a:webdav:neon:*:*:*:*:*:*:*:*
  • cpe:2.3:a:webvdav:neon:0.15.1:*:*:*:*:*:*:*
    cpe:2.3:a:webvdav:neon:0.15.1:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 19-09-2017 - 01:29)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
oval via4
accepted 2013-04-29T04:15:30.491-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
family unix
id oval:org.mitre.oval:def:11721
status accepted
submitted 2010-07-09T03:56:16-04:00
title neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
version 24
redhat via4
advisories
bugzilla
id 518223
title CVE-2009-2474 neon: Improper verification of x509v3 certificate with NULL (zero) byte in certain fields
oval
OR
  • AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304001
    • OR
      • AND
        • comment neon is earlier than 0:0.24.7-4.el4_8.2
          oval oval:com.redhat.rhsa:tst:20091452002
        • comment neon is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20091452003
      • AND
        • comment neon-devel is earlier than 0:0.24.7-4.el4_8.2
          oval oval:com.redhat.rhsa:tst:20091452004
        • comment neon-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20091452005
  • AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment neon is earlier than 0:0.25.5-10.el5_4.1
          oval oval:com.redhat.rhsa:tst:20091452007
        • comment neon is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091452008
      • AND
        • comment neon-devel is earlier than 0:0.25.5-10.el5_4.1
          oval oval:com.redhat.rhsa:tst:20091452009
        • comment neon-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091452010
rhsa
id RHSA-2009:1452
released 2009-09-21
severity Moderate
title RHSA-2009:1452: neon security update (Moderate)
rpms
  • neon-0:0.24.7-4.el4_8.2
  • neon-devel-0:0.24.7-4.el4_8.2
  • neon-0:0.25.5-10.el5_4.1
  • neon-devel-0:0.25.5-10.el5_4.1
refmap via4
apple APPLE-SA-2010-11-10-1
bid 36079
confirm http://support.apple.com/kb/HT4435
fedora
  • FEDORA-2009-8794
  • FEDORA-2009-8815
mandriva MDVSA-2009:221
mlist
  • [neon] 20090818 CVE-2009-2474: fix handling of NUL in SSL cert subject names
  • [neon] 20090818 neon: release 0.28.6 (SECURITY)
secunia
  • 36371
  • 36799
ubuntu USN-835-1
vupen ADV-2009-2341
Last major update 19-09-2017 - 01:29
Published 21-08-2009 - 17:30
Back to Top