Vulnerability Name: CVE-2009-0653 (CCN-9776)
Assigned: 2002-08-05
Published: 2002-08-05
Updated: 2009-06-25
Summary: OpenSSL, probably 0.9.6, does not verify the Basic Constraints for an intermediate CA-signed certificate, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack, a related issue to CVE-2002-0970.
CVSS v3 Severity: 0.0 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Vulnerability Type: CWE-287
Vulnerability Consequences: Bypass Security
References:
- Source: CCN | Type: FreeBSD Security Notice | FreeBSD-SN-02:05 security issues in ports
- Source: CCN | Type: BugTraq Mailing List, Mon Aug 05 2002 - 18:03:29 CDT | IE SSL Vulnerability
- Source: CCN | Type: BugTraq Mailing List, Sat Aug 10 2002 - 22:28:25 CDT | TinySSL Vendor Statement: Basic Constraints Vulnerability
- Source: CCN | Type: BugTraq Mailing List, Mon Aug 19 2002 - 09:40:41 CDT | Insufficient Verification of Client Certificates in IIS 5.0 pre sp3
- Source: CCN | Type: VulnWatch Mailing List, Wed Jan 22 2003 - 02:54:35 CST | IE chain vulnerability
- Source: MITRE | Type: CNA | CVE-2002-0828
- Source: MITRE | Type: CNA | CVE-2002-0862
- Source: MITRE | Type: CNA | CVE-2002-0970
- Source: MITRE | Type: CNA | CVE-2002-1183
- Source: MITRE | Type: CNA | CVE-2002-1407
- Source: MITRE | Type: CNA | CVE-2009-0653
- Source: CCN | Type: Conectiva Linux Announcement | CLSA-2002:519 kde
- Source: CCN | Type: RHSA-2002-220 | Updated KDE packages fix security issues
- Source: CCN | Type: RHSA-2002-221 | kdelibs security update
- Source: MISC | Type: UNKNOWN | http://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Marlinspike
- Source: CCN | Type: CIAC Information Bulletin | M-121 Microsoft Certificate Validation Vulnerability
- Source: CCN | Type: CIAC Information Bulletin | N-020 Red Hat Multiple Vulnerabilities in KDE
- Source: DEBIAN | Type: DSA-155 | kdelibs -- privacy escalation with Konqueror
- Source: CCN | Type: KDE Security Advisory 2002-08-18 | Konqueror SSL vulnerability
- Source: CCN | Type: Microsoft Security Bulletin MS02-050 | Certificate Validation Flaw Could Enable Identity Spoofing (Q328145)
- Source: CCN | Type: Microsoft Security Bulletin MS04-011 | Security Update for Microsoft Windows (835732)
- Source: CCN | Type: Microsoft Corporation Web site | Information about Reported Web Security Vulnerability August 2002
- Source: CCN | Type: OSVDB ID: 59725 | TinySSL SSL Basic Constraints Intermediate CA-signed Certificate Validation Failure
- Source: CCN | Type: OSVDB ID: 865 | Multiple Vendor SSL Basic Constraints Intermediate CA-signed Certificate Validation Failure
- Source: CCN | Type: BID-33837 | Mozilla Firefox International Domain Name Subdomain URI Spoofing Vulnerability
- Source: CCN | Type: BID-5410 | Multiple Vendor Invalid X.509 Certificate Chain Vulnerability
- Source: CCN | Type: TinySSL Web site | TinySSL -- A Lightweight SSL Implementation in Java
- Source: XF | Type: UNKNOWN | ssl-ca-certificate-spoofing(9776)
- Source: CCN | Type: Moxie Marlinspike Whitepaper | New Tricks For Defeating SSL In Practice
- Source: MISC | Type: Exploit | https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
Vulnerable Configuration: Configuration 1 / Configuration CCN 1 (denotes that the component is vulnerable)