SecurityTracker.com
Category:   OS (Other)  >   Blackberry OS
Vendors:   Research In Motion Limited
Blackberry OS NULL Character Flaw in Common Name Field Lets Remote Users Spoof Certificates
SecurityTracker Alert ID:  1022951
SecurityTracker URL:  http://securitytracker.com/id/1022951
CVE Reference:   CVE-2009-3477   (Links to External Site)
Updated:  Oct 6 2009
Original Entry Date:  Sep 28 2009
Impact:   Modification of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 4.5.0.173, 4.6.0.303, 4.6.1.309, 4.7.0.179, 4.7.1.57
Description:   A vulnerability was reported in Blackberry OS. A remote user can spoof certificates of arbitrary sites.

A remote user can obtain a certificate whose Common Name field contains a NULL character. Because the Common Name is a length-delimited field, the NULL is legal in the certificate itself; once a Certificate Authority has signed it, the certificate can be presented to spoof a target site's certificate.

The BlackBerry Browser correctly detects the mismatch between the certificate's Common Name and the requested domain name. However, the warning dialog that results does not display NULL characters, so the name shown to the user is cut off at the NULL byte and can appear to match the site being visited. A user who relies on the dialog may therefore accept the certificate and connect to the spoofed site.
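The following is an added worked example, not code from the vendor, SecurityTracker, or either reporter. It encodes a commonName RDN in DER with the standard library only (no certificate or CA is involved), then shows the three views that matter in this advisory: the correct length-aware hostname check, the NUL-truncated string a dialog or C string routine would display, and a rendering that makes the NUL visible. The hostnames "www.example.com" and "attacker.example" are constructed for the example; the assumption that the spoofing name has the form target-name, NUL, attacker-controlled suffix is the general shape of this bug class and is not stated on this page.

```python
# Added example, not the vendor's code. Names below are constructed.
from __future__ import annotations

OID_COMMON_NAME = bytes.fromhex("550403")   # 2.5.4.3 id-at-commonName, DER-encoded
TAG_OID, TAG_UTF8STRING, TAG_PRINTABLE, TAG_IA5 = 0x06, 0x0C, 0x13, 0x16
TAG_SEQUENCE, TAG_SET = 0x30, 0x31


def der_length(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def encode_cn_rdn(cn: str) -> bytes:
    """RelativeDistinguishedName ::= SET OF SEQUENCE { type OID, value UTF8String }.
    The value is length-prefixed, so a NUL inside it is valid DER."""
    value = der_tlv(TAG_UTF8STRING, cn.encode("utf-8"))
    atv = der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, OID_COMMON_NAME) + value)
    return der_tlv(TAG_SET, atv)


def parse_tlv(buf: bytes, off: int = 0) -> tuple[int, bytes, int]:
    """Return (tag, body, offset after element); rejects truncated input."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    body = buf[off:off + length]
    if len(body) != length:
        raise ValueError("truncated DER element")
    return tag, body, off + length


def decode_cn(rdn: bytes) -> bytes:
    """Extract the raw commonName bytes, honouring the DER length, not a NUL."""
    tag, set_body, _ = parse_tlv(rdn)
    if tag != TAG_SET:
        raise ValueError("expected SET")
    tag, seq_body, _ = parse_tlv(set_body)
    if tag != TAG_SEQUENCE:
        raise ValueError("expected SEQUENCE")
    tag, oid, off = parse_tlv(seq_body)
    if tag != TAG_OID or oid != OID_COMMON_NAME:
        raise ValueError("expected commonName attribute")
    tag, value, _ = parse_tlv(seq_body, off)
    if tag not in (TAG_UTF8STRING, TAG_PRINTABLE, TAG_IA5):
        raise ValueError("unexpected string type for commonName")
    return value


def hostname_matches(cn: bytes, host: str) -> bool:
    """Correct check: compare the whole length-delimited value. This is the part
    the advisory says the browser gets right."""
    return cn.decode("utf-8", "replace").lower() == host.lower()


def c_string_view(cn: bytes) -> str:
    """What a NUL-unaware layer (C string APIs, a dialog that stops rendering at
    NUL) sees: everything after the first 0x00 silently disappears."""
    return cn.split(b"\x00", 1)[0].decode("utf-8", "replace")


def safe_display(cn: bytes) -> str:
    """Render every non-printable byte visibly so the warning shows the NUL."""
    text = cn.decode("utf-8", "replace")
    return "".join(ch if 0x20 <= ord(ch) < 0x7F else f"\\x{ord(ch):02x}" for ch in text)


def evaluate(cn: str, host: str) -> dict:
    """Run the three views over one certificate name and flag the dangerous case:
    the check fails but the dialog would show a name identical to the host."""
    value = decode_cn(encode_cn_rdn(cn))
    matches = hostname_matches(value, host)
    shown = c_string_view(value)
    return {
        "matches": matches,                    # what the browser's check decides
        "dialog_shows": shown,                 # what a NUL-truncating dialog prints
        "misleading": (not matches) and shown.lower() == host.lower(),
        "safe_display": safe_display(value),   # what the warning should print
    }


SPOOFED_HOST = "www.example.com"                       # constructed
SPOOF_CN = "www.example.com\x00.attacker.example"      # constructed (assumed shape)

if __name__ == "__main__":
    for cn in (SPOOF_CN, SPOOFED_HOST):
        print(evaluate(cn, SPOOFED_HOST))
```

For the spoofing name, `evaluate` reports `matches` False (the check is right), `dialog_shows` equal to the visited host (the dialog is misleading), and a `safe_display` string in which the NUL appears as `\x00`; for the honest name it reports a match and no warning. Keeping display and comparison both length-aware, as `safe_display` and `hostname_matches` are, is the property the fixed releases restore.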

Mobile Security Lab and CESG separately reported this vulnerability.

Impact:   A remote user can spoof certificates of arbitrary sites.
Solution:   The vendor has issued a fix (4.5.0.173, 4.6.0.303, 4.6.1.309, 4.7.0.179, 4.7.1.57).

The vendor's advisory is available at:

www.blackberry.com/btsc/viewContent.do?externalId=KB19552

Vendor URL:  www.blackberry.com/btsc/viewContent.do?externalId=KB19552 (Links to External Site)
Cause:   Input validation error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Mon, 28 Sep 2009 13:32:02 -0400
Subject:  BlackBerry Device Software


> BlackBerry Browser dialog box does not clearly indicate mismatches between web site 
> domain names and associated certificates

http://www.blackberry.com/btsc/viewContent.do?externalId=KB19552

Doc ID : KB19552







Copyright 2014, SecurityGlobal.net LLC