Vigil@nce: Windows, IE: incorrect validation of X.509
October 2009 by Vigil@nce
An attacker can invite the victim to connect to a SSL site using a
X.509 certificate with a malicious field, in order to deceive the
victim.
Severity: 2/4
Consequences: data reading
Provenance: internet server
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 2
Creation date: 01/10/2009
Revisions dates: 02/10/2009, 06/10/2009
IMPACTED PRODUCTS
– Microsoft Internet Explorer
– Microsoft Windows 2000
– Microsoft Windows 2003
– Microsoft Windows 2008
– Microsoft Windows 7
– Microsoft Windows Vista
– Microsoft Windows XP
DESCRIPTION OF THE VULNERABILITY
Internet Explorer uses the CryptoAPI of Windows to manage SSL/TLS
certificates. Other applications use this CryptoAPI, which is
impacted by two vulnerabilities.
When a X.509 certificate contains a null character in the Common
Name field, the CryptoAPI truncates this field. This vulnerability
is similar to VIGILANCE-VUL-8908 (https://vigilance.fr/tree/1/8908),
even if the vulnerable source code is different. [grav:2/4;
BID-36475, CVE-2009-3454]
OIDs (Object IDentifiers) indicate fields of a X.509 certificate.
The "Common Name" field is indicated by the OID 2.5.4.3. The
2.5.4.0003 and 2.5.4.2^64.3 OIDs are invalid. However, the
CryptoAPI recognizes them as 2.5.4.3, and thus interpret them as
the CN. [grav:2/4; BID-36577]
An attacker can therefore invite the victim to connect to a SSL
site using a X.509 certificate with a malicious field, in order to
deceive the victim.
CHARACTERISTICS
Identifiers: BID-36475, BID-36577, CVE-2009-3454,
VIGILANCE-VUL-9060
http://vigilance.fr/vulnerability/Windows-IE-incorrect-validation-of-X-509-9060