Shibboleth Service Provider NULL Character Spoofing Vulnerability (Win) Network Vulnerability

Summary

The host has Shibboleth Service Provider installed and is prone to NULL Character Spoofing vulnerability.

Impact

Successful exploitation could allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate by a legitimate Certification Authority. Impact Level: Application

Solution

Upgrade Shibboleth Service Provider version 1.3.3 or 2.2.1 or later http://shibboleth.internet2.edu/downloads.html

Insight

The flaw exists when using PKIX trust validation. The application does not properly handle a '\0' character in the subject or subjectAltName fields of a certificate.

Affected

Shibboleth Service Provider version 1.3.x before 1.3.3 and 2.x before 2.2.1 on Windows.

References

http://secunia.com/advisories/36861/
http://shibboleth.internet2.edu/secadv/secadv_20090817.txt

Updated on 2015-03-25

Severity

Classification

CVE CVE-2009-3475
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Adobe Acrobat Sandbox Bypass Vulnerability - Aug14 (Windows)
Adobe Air Code Execution and DoS Vulnerabilities (Windows)
7T Interactive Graphical SCADA System Multiple Security Vulnerabilities
Adobe Air Multiple Vulnerabilities - November12 (Mac OS X)
Adobe AIR Multiple Vulnerabilities-01 Jan15 (Windows)

Take action and discover your vulnerabilities