Oval Definition: oval:org.mitre.oval:def:5842
Revision Date: 2014-08-18
Version: 49
Title: Null Truncation in X.509 Common Name Vulnerability
Description: The CryptoAPI component in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7, as used by Internet Explorer and other applications, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, aka "Null Truncation in X.509 Common Name Vulnerability," a related issue to CVE-2009-2408.
Family: windows
Class: vulnerability
Status: ACCEPTED
Reference(s): CVE-2009-2510
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Microsoft ASN.1 Library
Definition Synopsis
  • Windows 2000
    • Microsoft Windows 2000 is installed
    • AND the version of msasn1.dll is less than 5.0.2195.7334
  • OR Windows XP x86
    • Microsoft Windows XP (32-bit) is installed
    • AND the version of msasn1.dll is less than 5.1.2600.3624
  • OR Windows XP x86
    • Microsoft Windows XP (32-bit) is installed
    • AND the version of msasn1.dll is less than 5.1.2600.5875
  • OR Vulnerable Microsoft Windows XP x64, Windows Server 2003 x86/x64/ia64
    • Operating System Check
      • Microsoft Windows XP x64 is installed
      • OR Microsoft Windows Server 2003 (32-bit) is installed
      • OR Microsoft Windows Server 2003 (x64) is installed
      • OR Microsoft Windows Server 2003 (ia64) Gold is installed
    • AND the version of msasn1.dll is less than 5.2.3790.4584
  • OR Windows Vista x86/x64
    • Operating System Check
      • Microsoft Windows Vista (32-bit) is installed
      • OR Microsoft Windows Vista x64 Edition is installed
    • AND GDR or LDR Service branch
      • the version of msasn1.dll is less than 6.0.6000.16922
      • OR LDR
        • the version of msasn1.dll is greater than or equal 6.0.6000.20000
        • AND the version of msasn1.dll is less than 6.0.6000.21122
  • OR Windows Vista x86/x64, Windows Server 2008 x86/x64/ia64
    • Operating System Check
      • Microsoft Windows Vista (32-bit) is installed
      • OR Microsoft Windows Vista x64 Edition is installed
      • OR Microsoft Windows Server 2008 (32-bit) is installed
      • OR Microsoft Windows Server 2008 (64-bit) is installed
      • OR Microsoft Windows Server 2008 (ia-64) is installed
    • AND GDR or LDR Service branch
      • the version of msasn1.dll is less than 6.0.6001.18326
      • OR LDR
        • the version of msasn1.dll is greater than or equal 6.0.6001.22000
        • AND the version of msasn1.dll is less than 6.0.6001.22515
  • OR Windows Vista x86/x64, Windows Server 2008 x86/x64/ia64
    • Operating System Check
      • Microsoft Windows Vista (32-bit) is installed
      • OR Microsoft Windows Vista x64 Edition is installed
      • OR Microsoft Windows Server 2008 (32-bit) is installed
      • OR Microsoft Windows Server 2008 (64-bit) is installed
      • OR Microsoft Windows Server 2008 (ia-64) is installed
    • AND GDR or LDR Service branch
      • the version of msasn1.dll is less than 6.0.6002.18106
      • OR LDR
        • the version of msasn1.dll is greater than or equal 6.0.6002.22000
        • AND the version of msasn1.dll is less than 6.0.6002.22218
  • OR Windows 7 x86/x64, Windows Server 2008 R2 x86/x64/ia64
    • Operating System Check
      • Microsoft Windows 7 (32-bit) is installed
      • OR Microsoft Windows 7 x64 Edition is installed
      • OR Microsoft Windows Server 2008 R2 x64 Edition is installed
      • OR Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
    • AND GDR or LDR Service branch
      • the version of msasn1.dll is less than 6.1.7600.16415
      • OR LDR
        • the version of msasn1.dll is greater than or equal 6.1.7600.20000
        • AND the version of msasn1.dll is less than 6.1.7600.20518