CVE-2009-2409

GnuTLS < 2.6.4 - Improper Certificate Validation via MD2 Hash Collision

Title source: llm
STIX 2.1

Description

The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.

References (37)

Core 37
Core References
Broken Link x_refsource_confirm
http://support.apple.com/kb/HT3937
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36139
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36157
Not Applicable vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2009:197
Not Applicable vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2009:216
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2009/dsa-1888
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200911-02.xml
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36434
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200912-01.xml
Broken Link vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1022631
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42467
Third Party Advisory mailing-list x_refsource_mlist
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000101.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2009-1207.html
Broken Link mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/515055/100/0/threaded
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36669
Third Party Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2009-1432.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/usn-810-1
Not Applicable vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2009:258
Broken Link vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/810-2/
Release Notes x_refsource_confirm
http://java.sun.com/javase/6/webnotes/6u17.html
Third Party Advisory mailing-list x_refsource_mlist
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000102.html
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/3126
Third Party Advisory vendor-advisory x_refsource_redhat
https://rhn.redhat.com/errata/RHSA-2010-0095.html
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/3184
Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2409
Third Party Advisory x_refsource_confirm
http://www.vmware.com/security/advisories/VMSA-2010-0019.html
Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html
Not Applicable vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2010:084
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37386
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/2085
Mailing List vendor-advisory x_refsource_debian
http://www.debian.org/security/2009/dsa-1874
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36739

Scores

EPSS 0.0221
EPSS Percentile 84.7%

Details

CWE
CWE-295
Status published
Products (3)
gnu/gnutls < 2.6.4
mozilla/network_security_services < 3.12.3
openssl/openssl 0.9.8 - 0.9.8k
Published Jul 30, 2009
Tracked Since Feb 18, 2026