Orange Business Services
Vigil@nce Vigil@nce Vigil@nce
we track for your security since 1999
 home presentation vulnerabilities documentation contact  
subscriber area subscriber area
free access free access
Vigil@nce team describes computer vulnerabilities impacting your systems, and offers solutions to correct them.
recent vulnerabilities recent vulnerabilities
tracked products tracked products
RSS feed RSS feed
vulnerability

vulnerability CVE-2009-2510 CVE-2009-2511

Windows, IE: incorrect validation of X.509

Synthesis of the vulnerability

An attacker can invite the victim to connect to a SSL site using a X.509 certificate with a malicious field, in order to deceive the victim.
Severity: 2/4.
Creation date: 01/10/2009.
Revisions dates: 02/10/2009, 06/10/2009.

Description of the vulnerability

Internet Explorer uses the CryptoAPI of Windows to manage SSL/TLS certificates. Other applications use this CryptoAPI, which is impacted by two vulnerabilities.

When a X.509 certificate contains a null character in the Common Name field, the CryptoAPI truncates this field. This vulnerability is similar to VIGILANCE-VUL-8908, even if the vulnerable source code is different. [severity:2/4; BID-36475, CVE-2009-2510, REJ-2009-3454, >]

OIDs (Object IDentifiers) indicate fields of a X.509 certificate. The "Common Name" field is indicated by the OID 2.5.4.3. The 2.5.4.0003 and 2.5.4.2^64.3 OIDs are invalid. However, the CryptoAPI recognizes them as 2.5.4.3, and thus interpret them as the CN. [severity:2/4; BID-36577, CVE-2009-2511, >]

An attacker can therefore invite the victim to connect to a SSL site using a X.509 certificate with a malicious field, in order to deceive the victim.

Complete Vigil@nce bulletin

Access to the complete Vigil@nce bulletin

Characteristics

Title: Windows, IE: incorrect validation of X.509.
Keywords: 0003 509 Common CryptoAPI Explorer IDentifiers IDs Name OID OIDs Object REJ-2009-3454 SSL TLS Windows incorrect validation.
Identifiers: 974571, BID-36475, BID-36577, CVE-2009-2510, CVE-2009-2511, MS09-056, REJ-2009-3454, VIGILANCE-VUL-9060.

Information sources

Publications and announces
Source example: MS09-056 - Vulnerabilities in Windows CryptoAPI Could Allow Spoofing (974571)

Solutions for this vulnerability

Patch or workaround

Supplements

Vulnerability : NULL

When a X.509 certificate contains a null character in the Common Name field, the CryptoAPI truncates this field. This vulnerability is similar to VIGILANCE-VUL-8908, even if the vulnerable source code is different.
Severity: 2/4.
Identifiers: BID-36475, CVE-2009-2510, REJ-2009-3454.
Publications and announces
Source example: SSL spoof bug still haunts IE, Safari, Chrome

Vulnerability : OID

OIDs (Object IDentifiers) indicate fields of a X.509 certificate. The "Common Name" field is indicated by the OID 2.5.4.3. The 2.5.4.0003 and 2.5.4.2^64.3 OIDs are invalid. However, the CryptoAPI recognizes them as 2.5.4.3, and thus interpret them as the CN.
Severity: 2/4.
Identifiers: BID-36577, CVE-2009-2511.
Publications and announces
Source example: PKI Layer Cake: New Collision Attacks Against The Global X.509 CA Infrastructure

Attack

Exploit 0day or proof of concept

Computer vulnerabilities tracking service

The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.
The Vigil@nce vulnerability database contains several thousand vulnerabilities.
This bulletin is published by the Vigil@nce team, which tracks computer vulnerabilities impacting systems and applications.
Computer applications vulnerability



















France Télécom Copyright 1999-2010 Vigil@nce. Vigil@nce is a service from Orange Business Services. Site map. Legal notice. Version française