Keep Track of the Latest Vulnerabilities
with SecurityTracker!



Category:   OS (Other)  >   Blackberry OS
Vendors:   Research In Motion Limited
Blackberry OS NULL Character Flaw in Common Name Field Lets Remote Users Spoof Certificates
SecurityTracker Alert ID:  1022951
SecurityTracker URL:
CVE Reference:   CVE-2009-3477   (Links to External Site)
Updated:  Oct 6 2009
Original Entry Date:  Sep 28 2009
Impact:   Modification of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to,,,,
Description:   A vulnerability was reported in Blackberry OS. A remote user can spoof certificates of arbitrary sites.

A remote user can create a certificate with a specially crafted Common Name field that contains a NULL character. Once the certificate is signed by a Certificate Authority, the certificate can be used to spoof a target site's certificate.

The browser will correctly detect the mismatch between the certificate and the domain name. However, the resulting dialog box to warn the user of the mismatch does not display null characters, which may confuse some users and cause them to connect to the spoofed site.
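The display failure described above, as an added illustration that is not part of the advisory: a NUL-terminated display cuts the Common Name at the first NUL byte, so the warning dialog shows only the benign prefix, while a length-aware validator rejects the name outright and a warning that escapes control bytes shows the whole value. The names, the `hostname_matches` helper and the single-leftmost-label wildcard rule (after RFC 6125 section 6.4.3) are this example's own assumptions.

```python
import re

# Constructed sample: a CN whose text before the NUL equals the requested host.
CRAFTED_CN = b"www.bank.example\x00.other.example"
REQUESTED_HOST = "www.bank.example"

LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def cstring_view(name: bytes) -> str:
    """Mimic a NUL-terminated display: everything after the first NUL is lost."""
    return name.split(b"\x00", 1)[0].decode("ascii", "replace")


def sane_dns_name(name: bytes) -> bool:
    """Reject embedded NULs, non-ASCII bytes and malformed labels up front."""
    if b"\x00" in name or not name.isascii():
        return False
    labels = name.decode("ascii").lower().split(".")
    for i, label in enumerate(labels):
        if label == "*" and i == 0:
            continue  # wildcard permitted only as the whole leftmost label
        if not LABEL_RE.match(label):
            return False
    return True


def hostname_matches(cn: bytes, host: str) -> bool:
    """Compare the full CN against the host, label by label, case-insensitively."""
    if not sane_dns_name(cn):
        return False
    cn_labels = cn.decode("ascii").lower().split(".")
    host_labels = host.lower().split(".")
    if len(cn_labels) != len(host_labels):
        return False
    if cn_labels[0] == "*":
        # A wildcard covers exactly one label and needs at least two more.
        return len(cn_labels) >= 3 and cn_labels[1:] == host_labels[1:]
    return cn_labels == host_labels


def mismatch_warning(cn: bytes, host: str) -> str:
    """Warning text that escapes control bytes so the user sees the whole CN."""
    shown = "".join(c if 32 <= ord(c) < 127 else f"\\x{ord(c):02x}"
                    for c in cn.decode("latin-1"))
    return f"Certificate name '{shown}' does not match requested host '{host}'"
```

Run against `CRAFTED_CN`, `cstring_view` yields only `www.bank.example`, which is what a truncating dialog would show; `hostname_matches` returns False and `mismatch_warning` keeps the `\x00` visible.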

Mobile Security Lab and CESG separately reported this vulnerability.

Impact:   A remote user can spoof certificates of arbitrary sites.
Solution:   The vendor has issued a fix (,,,,

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  

Message History:   None.

Source Message Contents

[Original Message Not Available for Viewing]



Copyright 2015, LLC