CVE-2009-2417 - lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle

CVE-2009-2417

Summary

lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

References

Vulnerable Configurations

cpe:2.3:a:curl:libcurl:7.4:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.4:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.4.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.4.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.4.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.4.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.5:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.5:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.5.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.5.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.5.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.5.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.6:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.6:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.6.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.6.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.7:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.7:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.7.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.7.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.7.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.7.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.7.3:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.7.3:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.8:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.8:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.8.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.8.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.9:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.9:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.9.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.9.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.9.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.9.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.9.3:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.9.3:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.9.5:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.9.5:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.9.6:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.9.6:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.9.7:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.9.7:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.9.8:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.9.8:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.10:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.10:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.10.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.10.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.10.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.10.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.10.3:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.10.3:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.10.4:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.10.4:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.10.5:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.10.5:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.10.6:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.10.6:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.10.7:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.10.7:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.10.8:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.10.8:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.11.0:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.11.0:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.11.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.11.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.11.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.11.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.12:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.12:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.12.0:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.12.0:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.12.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.12.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.12.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.12.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.12.3:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.12.3:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.13:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.13:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.13.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.13.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.13.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.13.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.14:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.14:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.14.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.14.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.15:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.15:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.15.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.15.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.15.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.15.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.15.3:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.15.3:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.16.3:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.16.3:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.17.0:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.17.0:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.17.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.17.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.18.0:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.18.0:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.18.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.18.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.18.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.18.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.19.0:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.19.0:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.19.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.19.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.19.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.19.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.19.3:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.19.3:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.19.4:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.19.4:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.19.5:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.19.5:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.12:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.12:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.12.1:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.12.1:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.12.2:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.12.2:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.12.3:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.12.3:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.13:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.13:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.13.1:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.13.1:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.13.2:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.13.2:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.14:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.14:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.14.1:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.14.1:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.15:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.15:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.15.1:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.15.1:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.15.2:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.15.2:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.15.3:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.15.3:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.16.3:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.16.3:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 10-10-2018 - 19:40)
Impact:
Exploitability:

CWE

CWE-310

CAPEC

Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

oval via4

accepted

2013-04-29T04:01:50.518-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 3
oval oval:org.mitre.oval:def:11782
comment CentOS Linux 3.x
oval oval:org.mitre.oval:def:16651
comment The operating system installed on the system is Red Hat Enterprise Linux 4
oval oval:org.mitre.oval:def:11831
comment CentOS Linux 4.x
oval oval:org.mitre.oval:def:16636
comment Oracle Linux 4.x
oval oval:org.mitre.oval:def:15990
comment The operating system installed on the system is Red Hat Enterprise Linux 5
oval oval:org.mitre.oval:def:11414
comment The operating system installed on the system is CentOS Linux 5.x
oval oval:org.mitre.oval:def:15802
comment Oracle Linux 5.x
oval oval:org.mitre.oval:def:15459

description

family

unix

oval:org.mitre.oval:def:10114

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

accepted

2014-01-20T04:01:40.013-05:00

class

vulnerability

contributors

name Pai Peng
organization Hewlett-Packard
name Chris Coffin
organization The MITRE Corporation

definition_extensions

comment	VMware ESX Server 4.0 is installed
oval	oval:org.mitre.oval:def:6293

description

family

unix

oval:org.mitre.oval:def:8542

status

accepted

submitted

2010-03-19T16:57:59.000-04:00

title

VMware curl vulnerability

version

redhat via4

advisories

bugzilla

id	516181
title	CVE-2009-2417 curl: incorrect verification of SSL certificate with NUL in name

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 4 is installed
oval oval:com.redhat.rhba:tst:20070304025

AND
comment curl is earlier than 0:7.12.1-11.1.el4_8.1
oval oval:com.redhat.rhsa:tst:20091209001
comment curl is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20090341002
AND
comment curl-devel is earlier than 0:7.12.1-11.1.el4_8.1
oval oval:com.redhat.rhsa:tst:20091209003
comment curl-devel is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20090341004

AND

comment Red Hat Enterprise Linux 5 is installed
oval oval:com.redhat.rhba:tst:20070331005

AND
comment curl is earlier than 0:7.15.5-2.1.el5_3.5
oval oval:com.redhat.rhsa:tst:20091209006
comment curl is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20090341007
AND
comment curl-devel is earlier than 0:7.15.5-2.1.el5_3.5
oval oval:com.redhat.rhsa:tst:20091209008
comment curl-devel is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20090341009

rhsa

id	RHSA-2009:1209
released	2009-08-13
severity	Moderate
title	RHSA-2009:1209: curl security update (Moderate)

rpms

curl-0:7.10.6-10.rhel3
curl-0:7.12.1-11.1.el4_8.1
curl-0:7.15.5-2.1.el5_3.5
curl-debuginfo-0:7.10.6-10.rhel3
curl-debuginfo-0:7.12.1-11.1.el4_8.1
curl-debuginfo-0:7.15.5-2.1.el5_3.5
curl-devel-0:7.10.6-10.rhel3
curl-devel-0:7.12.1-11.1.el4_8.1
curl-devel-0:7.15.5-2.1.el5_3.5

refmap via4

apple	APPLE-SA-2010-03-29-1
bid	36032
bugtraq	20090824 rPSA-2009-0124-1 curl 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components
confirm	http://curl.haxx.se/CVE-2009-2417/curl-7.10.6-CVE-2009-2417.patch http://curl.haxx.se/CVE-2009-2417/curl-7.11.0-CVE-2009-2417.patch http://curl.haxx.se/CVE-2009-2417/curl-7.12.1-CVE-2009-2417.patch http://curl.haxx.se/CVE-2009-2417/curl-7.15.1-CVE-2009-2417.patch http://curl.haxx.se/CVE-2009-2417/curl-7.15.5-CVE-2009-2417.patch http://curl.haxx.se/CVE-2009-2417/curl-7.16.4-CVE-2009-2417.patch http://curl.haxx.se/CVE-2009-2417/curl-7.18.1-CVE-2009-2417.patch http://curl.haxx.se/CVE-2009-2417/curl-7.19.0-CVE-2009-2417.patch http://curl.haxx.se/CVE-2009-2417/curl-7.19.5-CVE-2009-2417.patch http://curl.haxx.se/docs/adv_20090812.txt http://shibboleth.internet2.edu/secadv/secadv_20090817.txt http://support.apple.com/kb/HT4077 http://wiki.rpath.com/Advisories:rPSA-2009-0124 http://www.vmware.com/security/advisories/VMSA-2009-0016.html
secunia	36238 36475 37471 45047
ubuntu	USN-1158-1
vupen	ADV-2009-2263 ADV-2009-3316
xf	curl-certificate-security-bypass(52405)

Last major update

10-10-2018 - 19:40

Published

14-08-2009 - 15:16

Last modified

10-10-2018 - 19:40