Summary
This host has Neon installed and is prone to Certificate Spoofing and Denial of Service vulnerability.
Impact
Attacker may leverage this issue to conduct man-in-the-middle attacks to spoof arbitrary SSL servers, and can deny the service by memory or CPU consumption on the affected application.
Impact Level: System/Application
Solution
Upgrade to version 0.28.6 or latest
http://www.webdav.org/neon/
Insight
- When OpenSSL is used, neon does not properly handle a '&qt?&qt' character in a domain name in the 'subject&qts' Common Name (CN) field of an X.509 certificate via a crafted certificate issued by a legitimate Certification Authority.
- When expat is used, neon does not properly detect recursion during entity expansion via a crafted XML document containing a large number of nested entity references.
Affected
WebDAV, Neon version prior to 0.28.6 on Linux.
References
Severity
Classification
-
CVE CVE-2009-2473, CVE-2009-2474 -
CVSS Base Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- COWON Media Center JetAudio .wav File Denial Of Service Vulnerability
- at32 Reverse Proxy Multiple HTTP Header Fields Denial Of Service Vulnerability
- Firebird SQL 'op_connect_request' Denial Of Service Vulnerability (Win)
- Active Perl Denial of Service Vulnerability Feb 2014 (Windows)
- Connect back to SOCKS5 server