ID CVE-2009-3767
Summary libraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other versions, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
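The summary above describes the classic embedded-NUL Common Name problem: the certificate's CN is an ASN.1 string with an explicit length, but the hostname check treats it as a NUL-terminated C string, so everything after the first '\0' byte is silently ignored. The following C program, added here as an illustration and not taken from OpenLDAP's tls_o.c, shows the vulnerable comparison beside a hardened one on a constructed CN of the form "www.example.com\0.attacker.com". The struct, function and constant names are this example's own; the hardened check rejects any CN whose ASN.1 length disagrees with its C-string length, which is the property the fix must enforce, without claiming to reproduce the project's patch line for line.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp, strncasecmp (POSIX) */

/* A subject CN as an ASN.1 decoder hands it back: bytes plus an explicit
 * length. A DER string may legally contain 0x00, so only the length, never
 * a terminator, tells you where it ends. (Hypothetical type for this example.) */
typedef struct {
    const unsigned char *data;
    size_t len;
} cn_string;

/* Constructed test data, not from a real certificate: a CN that a CA could
 * issue to the holder of attacker.com, since the rightmost label is theirs. */
static const unsigned char SPOOF_CN[] = "www.example.com\0.attacker.com";
static const cn_string SPOOF = { SPOOF_CN, sizeof SPOOF_CN - 1 };

static const unsigned char GOOD_CN[] = "www.example.com";
static const cn_string GOOD = { GOOD_CN, sizeof GOOD_CN - 1 };

/* Vulnerable pattern: copy the bytes into a buffer, NUL-terminate, and hand
 * it to a C string comparison. strcasecmp() stops at the first NUL, so the
 * spoof CN above compares equal to "www.example.com". */
bool cn_matches_host_vulnerable(const cn_string *cn, const char *host)
{
    char buf[256];
    if (cn->len >= sizeof buf)
        return false;
    memcpy(buf, cn->data, cn->len);
    buf[cn->len] = '\0';
    return strcasecmp(buf, host) == 0;
}

/* Hardened pattern: refuse any CN that contains an embedded NUL (its ASN.1
 * length and its C-string length would disagree), require the lengths to
 * match exactly, and only then compare over the full ASN.1 length. */
bool cn_matches_host_fixed(const cn_string *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return false;                       /* embedded NUL: reject outright */
    size_t hlen = strlen(host);
    if (cn->len != hlen)
        return false;                       /* lengths must agree exactly */
    return strncasecmp((const char *)cn->data, host, hlen) == 0;
}

/* Named results so the behaviour can be checked without parsing output. */
bool spoof_accepted_by_vulnerable(void)
{
    return cn_matches_host_vulnerable(&SPOOF, "www.example.com");
}

bool spoof_accepted_by_fixed(void)
{
    return cn_matches_host_fixed(&SPOOF, "www.example.com");
}

bool legit_accepted_by_fixed(void)
{
    /* Case-insensitive match on a well-formed CN must still succeed. */
    return cn_matches_host_fixed(&GOOD, "WWW.EXAMPLE.COM");
}

int main(void)
{
    printf("vulnerable accepts spoof CN: %d\n", spoof_accepted_by_vulnerable()); /* 1 */
    printf("fixed accepts spoof CN:      %d\n", spoof_accepted_by_fixed());      /* 0 */
    printf("fixed accepts legit CN:      %d\n", legit_accepted_by_fixed());      /* 1 */
    return 0;
}
```

The same length-versus-terminator mismatch applies to subjectAltName dNSName entries and to any other DER string that is passed into a C string API; the check belongs wherever certificate names are compared, not only on the CN.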
References
Vulnerable Configurations
  • cpe:2.3:a:openldap:openldap:*:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 19-09-2017 - 01:29)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
Vector   Complexity   Authentication
NETWORK  MEDIUM       NONE
Impact
Confidentiality   Integrity   Availability
PARTIAL           PARTIAL     PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
oval via4
  • accepted 2013-04-29T04:12:05.615-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description libraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other versions, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
    family unix
    id oval:org.mitre.oval:def:11178
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title libraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other versions, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
    version 18
  • accepted 2014-01-20T04:01:33.548-05:00
    class vulnerability
    contributors
    • name Varun
      organization Hewlett-Packard
    • name Chris Coffin
      organization The MITRE Corporation
    definition_extensions
    • comment VMware ESX Server 4.0 is installed
      oval oval:org.mitre.oval:def:6293
    description libraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other versions, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
    family unix
    id oval:org.mitre.oval:def:7274
    status accepted
    submitted 2010-10-04T11:07:15.000-05:00
    title VMware ESX, Service Console update for OpenLDAP.
    version 7
redhat via4
advisories
  • bugzilla
    id 562714
    title openldap init script does not handle listen uris properly
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment compat-openldap is earlier than 0:2.3.43_2.2.29-12.el5
          oval oval:com.redhat.rhsa:tst:20100198014
        • comment compat-openldap is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20071037011
      • AND
        • comment openldap is earlier than 0:2.3.43-12.el5
          oval oval:com.redhat.rhsa:tst:20100198002
        • comment openldap is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20071037003
      • AND
        • comment openldap-clients is earlier than 0:2.3.43-12.el5
          oval oval:com.redhat.rhsa:tst:20100198004
        • comment openldap-clients is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20071037005
      • AND
        • comment openldap-devel is earlier than 0:2.3.43-12.el5
          oval oval:com.redhat.rhsa:tst:20100198010
        • comment openldap-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20071037009
      • AND
        • comment openldap-servers is earlier than 0:2.3.43-12.el5
          oval oval:com.redhat.rhsa:tst:20100198008
        • comment openldap-servers is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20071037007
      • AND
        • comment openldap-servers-overlays is earlier than 0:2.3.43-12.el5
          oval oval:com.redhat.rhsa:tst:20100198012
        • comment openldap-servers-overlays is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100198013
      • AND
        • comment openldap-servers-sql is earlier than 0:2.3.43-12.el5
          oval oval:com.redhat.rhsa:tst:20100198006
        • comment openldap-servers-sql is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20071037013
    rhsa
    id RHSA-2010:0198
    released 2010-03-30
    severity Moderate
    title RHSA-2010:0198: openldap security and bug fix update (Moderate)
  • rhsa
    id RHSA-2010:0543
  • rhsa
    id RHSA-2011:0896
rpms
  • compat-openldap-0:2.3.43_2.2.29-12.el5
  • openldap-0:2.3.43-12.el5
  • openldap-clients-0:2.3.43-12.el5
  • openldap-devel-0:2.3.43-12.el5
  • openldap-servers-0:2.3.43-12.el5
  • openldap-servers-overlays-0:2.3.43-12.el5
  • openldap-servers-sql-0:2.3.43-12.el5
  • compat-openldap-0:2.1.30-12.el4_8.3
  • openldap-0:2.2.13-12.el4_8.3
  • openldap-clients-0:2.2.13-12.el4_8.3
  • openldap-devel-0:2.2.13-12.el4_8.3
  • openldap-servers-0:2.2.13-12.el4_8.3
  • openldap-servers-sql-0:2.2.13-12.el4_8.3
refmap via4
apple APPLE-SA-2009-11-09-1
confirm
fedora FEDORA-2010-0752
gentoo GLSA-201406-36
mlist
  • [oss-security] 20090903 More CVE-2009-2408 like issues
  • [oss-security] 20090923 Re: More CVE-2009-2408 like issues
secunia
  • 38769
  • 40677
suse SUSE-SR:2009:016
vupen
  • ADV-2009-3056
  • ADV-2010-1858
statements via4
  • contributor
    lastmodified 2009-10-30
    organization OpenLDAP
    statement OpenLDAP reported this issue and published a patch for it on 2009-07-30. The patch was included in OpenLDAP 2.4.18 which was released on 2009-09-06. The current release of OpenLDAP is available from the following location: http://www.openldap.org/software/download/
  • contributor Tomas Hoger
    lastmodified 2010-07-20
    organization Red Hat
    statement Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3767 This issue was addressed in the openldap packages as shipped with Red Hat Enterprise Linux 5 and 4 via: https://rhn.redhat.com/errata/RHSA-2010-0198.html and https://rhn.redhat.com/errata/RHSA-2010-0543.html respectively. The Red Hat Security Response Team has rated this issue as having moderate security impact, a future openldap update may address this flaw in Red Hat Enterprise Linux 3.
Last major update 19-09-2017 - 01:29
Published 23-10-2009 - 19:30