ID CVE-2009-3490
Summary GNU Wget before 1.12 does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate, which allows man-in-the-middle remote attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
References
Vulnerable Configurations
  • GNU wget 1.10
    cpe:2.3:a:gnu:wget:1.10
  • GNU wget 1.10.1
    cpe:2.3:a:gnu:wget:1.10.1
  • GNU wget 1.10.2
    cpe:2.3:a:gnu:wget:1.10.2
  • GNU wget 1.5.3
    cpe:2.3:a:gnu:wget:1.5.3
  • GNU wget 1.6
    cpe:2.3:a:gnu:wget:1.6
  • GNU wget 1.7
    cpe:2.3:a:gnu:wget:1.7
  • GNU wget 1.7.1
    cpe:2.3:a:gnu:wget:1.7.1
  • GNU wget 1.8
    cpe:2.3:a:gnu:wget:1.8
  • GNU wget 1.8.1
    cpe:2.3:a:gnu:wget:1.8.1
  • GNU wget 1.9
    cpe:2.3:a:gnu:wget:1.9
  • GNU wget 1.9.1
    cpe:2.3:a:gnu:wget:1.9.1
  • GNU Wget 1.11.1
    cpe:2.3:a:gnu:wget:1.11.1
  • GNU Wget 1.11.2
    cpe:2.3:a:gnu:wget:1.11.2
  • GNU Wget 1.11.3
    cpe:2.3:a:gnu:wget:1.11.3
  • GNU Wget 1.11
    cpe:2.3:a:gnu:wget:1.11
  • GNU Wget 1.11.4
    cpe:2.3:a:gnu:wget:1.11.4
CVSS
Base: 6.8 (as of 01-10-2009 - 12:36)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_X86_125216-07.NASL
    description SunOS 5.10_x86: wget patch. Date this patch was last updated by Sun : Sep/15/16
    last seen 2019-01-19
    modified 2019-01-18
    plugin id 107924
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107924
    title Solaris 10 (x86) : 125216-07
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1904.NASL
    description Daniel Stenberg discovered that wget, a network utility to retrieve files from the Web using HTTP(S) and FTP, is vulnerable to the 'Null Prefix Attacks Against SSL/TLS Certificates' published at the Blackhat conference some time ago. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the Common Name field.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 44769
    published 2010-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44769
    title Debian DSA-1904-1 : wget - insufficient input validation
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-11836.NASL
    description - Wed Nov 18 2009 Karsten Hopp 1.12-2 - don't provide /usr/share/info/dir - Tue Nov 17 2009 Karsten Hopp 1.12-1 - update to wget-1.12 - fixes CVE-2009-3490 wget: incorrect verification of SSL certificate with NUL in name Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 42988
    published 2009-12-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42988
    title Fedora 12 : wget-1.12-2.fc12 (2009-11836)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_X86_125216-04.NASL
    description SunOS 5.10_x86: wget patch. Date this patch was last updated by Sun : Apr/15/11
    last seen 2018-10-31
    modified 2018-10-29
    plugin id 107922
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107922
    title Solaris 10 (x86) : 125216-04
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_125215-05.NASL
    description SunOS 5.10: wget patch. Date this patch was last updated by Sun : Jan/19/15
    last seen 2018-10-27
    modified 2018-10-26
    plugin id 107421
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107421
    title Solaris 10 (sparc) : 125215-05
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_X86_125216-05.NASL
    description SunOS 5.10_x86: wget patch. Date this patch was last updated by Sun : Jan/19/15
    last seen 2018-10-31
    modified 2018-10-29
    plugin id 107923
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107923
    title Solaris 10 (x86) : 125216-05
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200910-01.NASL
    description The remote host is affected by the vulnerability described in GLSA-200910-01 (Wget: Certificate validation error) The vendor reported that Wget does not properly handle Common Name (CN) fields in X.509 certificates that contain an ASCII NUL (\\0) character. Specifically, the processing of such fields is stopped at the first occurrence of a NUL character. This type of vulnerability was recently discovered by Dan Kaminsky and Moxie Marlinspike. Impact : A remote attacker might employ a specially crafted X.509 certificate, containing a NUL character in the Common Name field to conduct man-in-the-middle attacks on SSL connections made using Wget. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 42197
    published 2009-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42197
    title GLSA-200910-01 : Wget: Certificate validation error
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_125215-04.NASL
    description SunOS 5.10: wget patch. Date this patch was last updated by Sun : Apr/15/11
    last seen 2018-10-27
    modified 2018-10-26
    plugin id 107420
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107420
    title Solaris 10 (sparc) : 125215-04
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_125215.NASL
    description SunOS 5.10: wget patch. Date this patch was last updated by Sun : Sep/15/16 This plugin has been deprecated and either replaced with individual 125215 patch-revision plugins, or deemed non-security related.
    last seen 2019-02-21
    modified 2018-07-30
    plugin id 42970
    published 2009-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42970
    title Solaris 10 (sparc) : 125215-07 (deprecated)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-842-1.NASL
    description It was discovered that Wget did not correctly handle SSL certificates with zero bytes in the Common Name. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 42050
    published 2009-10-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42050
    title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : wget vulnerability (USN-842-1)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_X86_125216.NASL
    description SunOS 5.10_x86: wget patch. Date this patch was last updated by Sun : Sep/15/16 This plugin has been deprecated and either replaced with individual 125216 patch-revision plugins, or deemed non-security related.
    last seen 2019-02-21
    modified 2018-07-30
    plugin id 42971
    published 2009-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42971
    title Solaris 10 (x86) : 125216-07 (deprecated)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-11739.NASL
    description - Wed Nov 18 2009 Karsten Hopp 1.12-2 - don't provide /usr/share/info/dir - Tue Nov 17 2009 Karsten Hopp 1.12-1 - update to wget-1.12 - fixes CVE-2009-3490 wget: incorrect verification of SSL certificate with NUL in name - Fri Aug 21 2009 Tomas Mraz - 1.11.4-5 - rebuilt with new openssl - Mon Jul 27 2009 Fedora Release Engineering - 1.11.4-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - Wed Feb 25 2009 Fedora Release Engineering - 1.11.4-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - Sun Jan 18 2009 Tomas Mraz 1.11.4-2 - rebuild with new openssl Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 42986
    published 2009-12-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42986
    title Fedora 10 : wget-1.12-2.fc10 (2009-11739)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-11740.NASL
    description - Wed Nov 18 2009 Karsten Hopp 1.12-2 - don't provide /usr/share/info/dir - Tue Nov 17 2009 Karsten Hopp 1.12-1 - update to wget-1.12 - fixes CVE-2009-3490 wget: incorrect verification of SSL certificate with NUL in name - Fri Aug 21 2009 Tomas Mraz - 1.11.4-5 - rebuilt with new openssl - Mon Jul 27 2009 Fedora Release Engineering - 1.11.4-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 42987
    published 2009-12-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42987
    title Fedora 11 : wget-1.12-2.fc11 (2009-11740)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-1549.NASL
    description From Red Hat Security Advisory 2009:1549 : An updated wget package that fixes a security issue is now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. GNU Wget is a file retrieval utility that can use HTTP, HTTPS, and FTP. Daniel Stenberg reported that Wget is affected by the previously published 'null prefix attack', caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse Wget into accepting it by mistake. (CVE-2009-3490) Wget users should upgrade to this updated package, which contains a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67954
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67954
    title Oracle Linux 3 / 4 / 5 : wget (ELSA-2009-1549)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-1549.NASL
    description An updated wget package that fixes a security issue is now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. GNU Wget is a file retrieval utility that can use HTTP, HTTPS, and FTP. Daniel Stenberg reported that Wget is affected by the previously published 'null prefix attack', caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse Wget into accepting it by mistake. (CVE-2009-3490) Wget users should upgrade to this updated package, which contains a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 67069
    published 2013-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67069
    title CentOS 3 / 4 / 5 : wget (CESA-2009:1549)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_125215-07.NASL
    description SunOS 5.10: wget patch. Date this patch was last updated by Sun : Sep/15/16
    last seen 2019-01-19
    modified 2019-01-18
    plugin id 107422
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107422
    title Solaris 10 (sparc) : 125215-07
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1549.NASL
    description An updated wget package that fixes a security issue is now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. GNU Wget is a file retrieval utility that can use HTTP, HTTPS, and FTP. Daniel Stenberg reported that Wget is affected by the previously published 'null prefix attack', caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse Wget into accepting it by mistake. (CVE-2009-3490) Wget users should upgrade to this updated package, which contains a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 42359
    published 2009-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42359
    title RHEL 3 / 4 / 5 : wget (RHSA-2009:1549)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20091103_WGET_ON_SL3_X.NASL
    description CVE-2009-3490 wget: incorrect verification of SSL certificate with NUL in name Daniel Stenberg reported that Wget is affected by the previously published 'null prefix attack', caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse Wget into accepting it by mistake. (CVE-2009-3490)
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60690
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60690
    title Scientific Linux Security Update : wget on SL3.x, SL4.x, SL5.x i386/x86_64
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-206.NASL
    description A vulnerability has been found and corrected in wget : GNU Wget before 1.12 does not properly handle a '�' (NUL) character in a domain name in the Common Name field of an X.509 certificate, which allows man-in-the-middle remote attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408 (CVE-2009-3490). This update provides a solution to this vulnerability. Update : Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 40638
    published 2009-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40638
    title Mandriva Linux Security Advisory : wget (MDVSA-2009:206-1)
oval via4
accepted 2013-04-29T04:11:30.659-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description GNU Wget before 1.12 does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate, which allows man-in-the-middle remote attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
family unix
id oval:org.mitre.oval:def:11099
status accepted
submitted 2010-07-09T03:56:16-04:00
title GNU Wget before 1.12 does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate, which allows man-in-the-middle remote attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
version 24
redhat via4
advisories
bugzilla
id 520454
title CVE-2009-3490 wget: incorrect verification of SSL certificate with NUL in name
oval
OR
  • AND
    • comment Red Hat Enterprise Linux 3 is installed
      oval oval:com.redhat.rhsa:tst:20060015001
    • comment wget is earlier than 0:1.10.2-0.30E.1
      oval oval:com.redhat.rhsa:tst:20091549002
    • comment wget is signed with Red Hat master key
      oval oval:com.redhat.rhsa:tst:20091549003
  • AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhsa:tst:20060016001
    • comment wget is earlier than 0:1.10.2-1.el4_8.1
      oval oval:com.redhat.rhsa:tst:20091549005
    • comment wget is signed with Red Hat master key
      oval oval:com.redhat.rhsa:tst:20091549003
  • AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhsa:tst:20070055001
    • comment wget is earlier than 0:1.11.4-2.el5_4.1
      oval oval:com.redhat.rhsa:tst:20091549007
    • comment wget is signed with Red Hat redhatrelease key
      oval oval:com.redhat.rhsa:tst:20091549008
rhsa
id RHSA-2009:1549
released 2009-11-03
severity Moderate
title RHSA-2009:1549: wget security update (Moderate)
rpms
  • wget-0:1.10.2-0.30E.1
  • wget-0:1.10.2-1.el4_8.1
  • wget-0:1.11.4-2.el5_4.1
refmap via4
bid 36205
confirm
mlist
  • [bug-wget] 20090922 Release: GNU Wget 1.12
  • [oss-security] 20090903 More CVE-2009-2408 like issues
  • [oss-security] 20090923 Re: More CVE-2009-2408 like issues
  • [wget-notify] 20090805 [bug #27183] Wget likely suffers from the \0 SSL cert vulnerability
secunia 36540
vupen ADV-2009-2498
Last major update 07-12-2016 - 22:01
Published 30-09-2009 - 11:30
Last modified 18-09-2017 - 21:29
Back to Top