Vigil@nce: cURL, X.509 troncated with null
August 2009 by Vigil@nce
An attacker can invite the victim to connect to a SSL site using a
X.509 certificate with a field containing a null character, in
order to deceive the victim.
Severity: 2/4
Consequences: data reading
Provenance: internet server
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 12/08/2009
IMPACTED PRODUCTS
– cURL
– Mandriva Corporate
– Mandriva Enterprise Server
– Mandriva Linux
– Mandriva Multi Network Firewall
– Red Hat Enterprise Linux
– Slackware Linux
DESCRIPTION OF THE VULNERABILITY
The cURL (libcurl) program implements a SSL/TLS client.
When a X.509 certificate contains a null character in the CN
(Common Name) field, cURL truncates this field. This vulnerability
is similar to VIGILANCE-VUL-8908 (https://vigilance.fr/tree/1/8908),
even if the vulnerable source code is different.
An attacker can therefore invite the victim to connect to a SSL
site using a X.509 certificate with a field containing a null
character, in order to deceive the victim.
CHARACTERISTICS
Identifiers: BID-36032, CVE-2009-2417, MDVSA-2009:203,
RHSA-2009:1209-01, SSA:2009-226-01, VIGILANCE-VUL-8947
http://vigilance.fr/vulnerability/cURL-X-509-troncated-with-null-8947