Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

Vigil@nce: Firefox, GnuTLS, OpenSSL, NSPR, NSS, signature with MD2 for X.509

August 2009 by Vigil@nce

An attacker can invite the victim to connect to a SSL site using a
X.509 certificate signed with MD2, in order to deceive the victim.

Severity: 1/4

Consequences: data reading

Provenance: internet server

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 31/07/2009

IMPACTED PRODUCTS

 Mozilla Firefox
 OpenSSL
 Red Hat Enterprise Linux
 Unix - plateform

DESCRIPTION OF THE VULNERABILITY

The MD2 hash algorithm is considered as weak (an attacker with
sufficient resources can create a collision).

However, certificates with a MD2 signature are still allowed by
some cryptographic implementations. An attacker can create a fake
X.509 certificate with a MD2 signature apparently valid for these
software.

An attacker can therefore invite the victim to connect to a SSL
site using a X.509 certificate signed with MD2, in order to
deceive the victim.

CHARACTERISTICS

Identifiers: 510197, CVE-2009-2409, RHSA-2009:1184-01,
RHSA-2009:1186-01, RHSA-2009:1190-01, VIGILANCE-VUL-8909
Pointed by: VIGILANCE-ACTU-1847, VIGILANCE-VUL-8906

http://vigilance.fr/vulnerability/Firefox-GnuTLS-OpenSSL-NSPR-NSS-signature-with-MD2-for-X-509-8909


See previous articles

    

See next articles


Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55
Mail: ipsimp@free.fr

All new podcasts