Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2009-2417

Disclosure Date: August 14, 2009
CVE-2009-2417
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a ‘\0’ character in a domain name in the subject’s Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • curl,
  • libcurl

Products

  • libcurl 7.10,
  • libcurl 7.10.1,
  • libcurl 7.10.2,
  • libcurl 7.10.3,
  • libcurl 7.10.4,
  • libcurl 7.10.5,
  • libcurl 7.10.6,
  • libcurl 7.10.7,
  • libcurl 7.10.8,
  • libcurl 7.11.0,
  • libcurl 7.11.1,
  • libcurl 7.11.2,
  • libcurl 7.12,
  • libcurl 7.12.0,
  • libcurl 7.12.1,
  • libcurl 7.12.2,
  • libcurl 7.12.3,
  • libcurl 7.13,
  • libcurl 7.13.1,
  • libcurl 7.13.2,
  • libcurl 7.14,
  • libcurl 7.14.1,
  • libcurl 7.15,
  • libcurl 7.15.1,
  • libcurl 7.15.2,
  • libcurl 7.15.3,
  • libcurl 7.16.3,
  • libcurl 7.17.0,
  • libcurl 7.17.1,
  • libcurl 7.18.0,
  • libcurl 7.18.1,
  • libcurl 7.18.2,
  • libcurl 7.19.0,
  • libcurl 7.19.1,
  • libcurl 7.19.2,
  • libcurl 7.19.3,
  • libcurl 7.19.4,
  • libcurl 7.19.5,
  • libcurl 7.4,
  • libcurl 7.4.1,
  • libcurl 7.4.2,
  • libcurl 7.5,
  • libcurl 7.5.1,
  • libcurl 7.5.2,
  • libcurl 7.6,
  • libcurl 7.6.1,
  • libcurl 7.7,
  • libcurl 7.7.1,
  • libcurl 7.7.2,
  • libcurl 7.7.3,
  • libcurl 7.8,
  • libcurl 7.8.1,
  • libcurl 7.9,
  • libcurl 7.9.1,
  • libcurl 7.9.2,
  • libcurl 7.9.3,
  • libcurl 7.9.5,
  • libcurl 7.9.6,
  • libcurl 7.9.7,
  • libcurl 7.9.8

References

Canonical
CVE-2009-2417 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417)
BID-36032 (http://www.securityfocus.com/bid/36032)
Advisory
http://curl.haxx.se/CVE-2009-2417/curl-7.15.1-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.19.0-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.19.5-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.12.1-CVE-2009-2417.patch
20090824 rPSA-2009-0124-1 curl (http://www.securityfocus.com/archive/1/506055/100/0/threaded)
SECUNIA-37471 (http://secunia.com/advisories/37471)
ADV-2009-2263 (http://www.vupen.com/english/advisories/2009/2263)
USN-1158-1 (http://www.ubuntu.com/usn/USN-1158-1)
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
SECUNIA-36238 (http://secunia.com/advisories/36238)
APPLE-SA-2010-03-29-1 (http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html)
XF-curl-certificate-security-bypass(52405) (https://exchange.xforce.ibmcloud.com/vulnerabilities/52405)
http://curl.haxx.se/CVE-2009-2417/curl-7.16.4-CVE-2009-2417.patch
http://wiki.rpath.com/Advisories:rPSA-2009-0124
http://curl.haxx.se/CVE-2009-2417/curl-7.10.6-CVE-2009-2417.patch
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8542
http://curl.haxx.se/CVE-2009-2417/curl-7.18.1-CVE-2009-2417.patch
20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components (http://www.securityfocus.com/archive/1/507985/100/0/threaded)
http://support.apple.com/kb/HT4077
http://shibboleth.internet2.edu/secadv/secadv_20090817.txt
SECUNIA-36475 (http://secunia.com/advisories/36475)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10114
http://curl.haxx.se/docs/adv_20090812.txt
SECUNIA-45047 (http://secunia.com/advisories/45047)
http://curl.haxx.se/CVE-2009-2417/curl-7.15.5-CVE-2009-2417.patch
ADV-2009-3316 (http://www.vupen.com/english/advisories/2009/3316)
http://curl.haxx.se/CVE-2009-2417/curl-7.11.0-CVE-2009-2417.patch

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis