CVE-2009-2404: Buffer Overflow
First published: Tue Jul 21 2009(Updated: )
A heap overflow flaw was found in a regular expression parser in the NSS library used to match common names in certificates. A malicious site could present a carefully crafted certificate in such a way as to trigger the heap overflow leading to a crash or possibly execute arbitrary code as the user running a browser such as firefox. The overflow happens when the browser checks if the hostname of the site you are visiting matches the Common Name (CN) field of the presented certificate. This check (cert_TestHostName) only happens automatically if the certificate is one that is signed by a Certificate Authority you have previously trusted. If the attacker presents a malicious self-signed certificate, or one signed by an untrusted CA, the user is presented with a dialog box about the certificate before the vulnerable function is called. If the user chooses to accept the certificate then the vulnerable function is called and the heap overflow happens. So this issue does require slightly more user interaction to be exploited. Co-incidentally, the handling of regular expressions for NSS versions 3.12.3 and above was changed to use a different and simpler regular expression routine which is not vulnerable to this issue. Therefore where a system has NSS 3.12.3 installed, it is not vulnerable to this issue by default. (Although it is possible to change Firefox back to use the old vulnerable library it is not something that is expected users to have done, and is not an obvious documented ability) For Red Hat Enterprise Linux 5, Firefox uses the system provided NSS library. This library was updated to a versions greater than 3.12.3 by RHBA-2009:1161 on 20th July 2009. Therefore systems updated to RHBA-2009:1161 are protected by default from this issue. For Red Hat Enterprise Linux 4, Firefox uses the system provided NSS library. This library is due to be updated to a version greater than 3.12.3 and this will probably happen within the week (so before the embargo lifts). For Red Hat Enterprise Linux 3 we do not ship Firefox but instead SeaMonkey which provides the NSS library. SeaMonkey will need updating to correct this issue.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Network Security Services | =3.12.3 | |
| AOL Instant Messenger | ||
| GNOME Evolution | ||
| Mozilla Firefox | ||
| Mozilla SeaMonkey | ||
| Mozilla Thunderbird | ||
| Pidgin Pidgin |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=512912
- http://www.securityfocus.com/bid/35891
- http://rhn.redhat.com/errata/RHSA-2009-1185.html
- http://secunia.com/advisories/36102
- http://www.blackhat.com/presentations/bh-usa-09/MARLINSPIKE/BHUSA09-Marlinspike-DefeatSSL-SLIDES.pdf
- http://www.vupen.com/english/advisories/2009/2085
- http://www.mozilla.org/security/announce/2009/mfsa2009-43.html
- http://www.ubuntu.com/usn/usn-810-1
- http://secunia.com/advisories/36125
- http://secunia.com/advisories/36157
- http://secunia.com/advisories/36088
- http://secunia.com/advisories/36139
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:197
- http://www.redhat.com/support/errata/RHSA-2009-1207.html
- http://www.debian.org/security/2009/dsa-1874
- http://secunia.com/advisories/36434
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:216
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-273910-1
- http://secunia.com/advisories/39428
- http://www.us-cert.gov/cas/techalerts/TA10-103B.html
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021030.1-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021699.1-1
- http://secunia.com/advisories/37098
- http://www.novell.com/linux/security/advisories/2009_48_firefox.html
- http://www.oracle.com/technetwork/topics/security/cpuapr2010-099504.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8658
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11174
- https://usn.ubuntu.com/810-2/
- http://www.goodgearguide.com.au/article/312438/security_certificate_warnings_don_t_work_researchers_say
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=512912#c11
- https://rhn.redhat.com/errata/RHSA-2009-1184.html
- https://rhn.redhat.com/errata/RHSA-2009-1185.html
- https://rhn.redhat.com/errata/RHSA-2009-1186.html
- https://rhn.redhat.com/errata/RHSA-2009-1190.html
- https://rhn.redhat.com/errata/RHSA-2009-1207.html
- collector/nvd-historical
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/remedy
- agent/weakness
- agent/author
- agent/severity
- agent/references
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2009-2404
- vendor/mozilla
- canonical/mozilla network security services
- version/mozilla network security services/3.12.3
- vendor/aol
- canonical/aol instant messenger
- vendor/gnome
- canonical/gnome evolution
- canonical/mozilla firefox
- canonical/mozilla seamonkey
- canonical/mozilla thunderbird
- vendor/pidgin
- canonical/pidgin pidgin