Executive Summary

Summary
Title Sun Alert 273590 Security Vulnerability in wget(1) Related to Certificate Parsing may Allow Encrypted HTTP Communication to be Intercepted Using a Man-in-the-Middle (MITM) Attack
Informations
Name SUN-273590 First vendor Publication 2009-12-02
Vendor Sun Last vendor Modification 2009-12-02
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score 6.8 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Product: Solaris 9, Solaris 10, OpenSolaris

A security vulnerability in the wget(1) command shipped with Solaris may allow a local or remote unprivileged user who provides a specially crafted certificate signed by a legitimate Certification Authority to intercept encrypted HTTP (HTTPS) communication between the wget(1) client and a web server using a man-in-the-middle (MITM) attack.

Additional information regarding this issue is available at:
State: Workaround
First released: 02-Dec-2009
Sun Alert Link:http://sunsolve.sun.com/search/document.do?assetkey=1-66-273590-1

Original Source

Url : http://blogs.sun.com/security/entry/sun_alert_273590_security_vulnerability

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-310 Cryptographic Issues

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:11099
 
Oval ID: oval:org.mitre.oval:def:11099
Title: GNU Wget before 1.12 does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate, which allows man-in-the-middle remote attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Description: GNU Wget before 1.12 does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate, which allows man-in-the-middle remote attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Family: unix Class: vulnerability
Reference(s): CVE-2009-3490
 Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13580
 
Oval ID: oval:org.mitre.oval:def:13580
Title: DSA-1904-1 wget -- insufficient input validation
Description: Daniel Stenberg discovered that wget, a network utility to retrieve files from the Web using http and ftp, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" published at the Blackhat conference some time ago. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the Common Name field. For the oldstable distribution, this problem has been fixed in version 1.10.2-2+etch1. For the stable distribution, this problem has been fixed in version 1.11.4-2+lenny1. For the testing distribution, this problem will be fixed soon. For the unstable distribution, this problem has been fixed in version 1.12-1. We recommend that you upgrade your wget packages.
Family: unix Class: patch
Reference(s): DSA-1904-1
CVE-2009-3490
 Version: 5
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
 Product(s): wget
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13815
 
Oval ID: oval:org.mitre.oval:def:13815
Title: USN-842-1 -- wget vulnerability
Description: It was discovered that Wget did not correctly handle SSL certificates with zero bytes in the Common Name. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications.
Family: unix Class: patch
Reference(s): USN-842-1
CVE-2009-3490
 Version: 5
Platform(s): Ubuntu 8.04
Ubuntu 9.04
Ubuntu 6.06
Ubuntu 8.10
 Product(s): wget
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22911
 
Oval ID: oval:org.mitre.oval:def:22911
Title: ELSA-2009:1549: wget security update (Moderate)
Description: GNU Wget before 1.12 does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate, which allows man-in-the-middle remote attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Family: unix Class: patch
Reference(s): ELSA-2009:1549-01
CVE-2009-3490
 Version: 6
Platform(s): Oracle Linux 5
 Product(s): wget
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:29275
 
Oval ID: oval:org.mitre.oval:def:29275
Title: RHSA-2009:1549 -- wget security update (Moderate)
Description: An updated wget package that fixes a security issue is now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. GNU Wget is a file retrieval utility that can use HTTP, HTTPS, and FTP. Daniel Stenberg reported that Wget is affected by the previously published null prefix attack, caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse Wget into accepting it by mistake. (CVE-2009-3490) Wget users should upgrade to this updated package, which contains a backported patch to correct this issue.
Family: unix Class: patch
Reference(s): RHSA-2009:1549
CESA-2009:1549-CentOS 3
CESA-2009:1549-CentOS 5
CVE-2009-3490
 Version: 3
Platform(s): Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 3
CentOS Linux 5
 Product(s): wget
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7910
 
Oval ID: oval:org.mitre.oval:def:7910
Title: DSA-1904 wget -- insufficient input validation
Description: Daniel Stenberg discovered that wget, a network utility to retrieve files from the Web using HTTP(S) and FTP, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" published at the Blackhat conference some time ago. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the Common Name field.
Family: unix Class: patch
Reference(s): DSA-1904
CVE-2009-3490
 Version: 3
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
 Product(s): wget
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 18

OpenVAS Exploits

Date Description
2011-08-09 Name : CentOS Update for wget CESA-2009:1549 centos3 i386
File : nvt/gb_CESA-2009_1549_wget_centos3_i386.nasl
2011-08-09 Name : CentOS Update for wget CESA-2009:1549 centos4 i386
File : nvt/gb_CESA-2009_1549_wget_centos4_i386.nasl
2011-08-09 Name : CentOS Update for wget CESA-2009:1549 centos5 i386
File : nvt/gb_CESA-2009_1549_wget_centos5_i386.nasl
2009-12-10 Name : Fedora Core 10 FEDORA-2009-11739 (wget)
File : nvt/fcore_2009_11739.nasl
2009-12-10 Name : Fedora Core 11 FEDORA-2009-11740 (wget)
File : nvt/fcore_2009_11740.nasl
2009-12-10 Name : Fedora Core 12 FEDORA-2009-11836 (wget)
File : nvt/fcore_2009_11836.nasl
2009-12-10 Name : Mandriva Security Advisory MDVSA-2009:206-1 (wget)
File : nvt/mdksa_2009_206_1.nasl
2009-11-11 Name : RedHat Security Advisory RHSA-2009:1549
File : nvt/RHSA_2009_1549.nasl
2009-11-11 Name : CentOS Security Advisory CESA-2009:1549 (wget)
File : nvt/ovcesa2009_1549.nasl
2009-10-27 Name : Gentoo Security Advisory GLSA 200910-01 (wget)
File : nvt/glsa_200910_01.nasl
2009-10-13 Name : Debian Security Advisory DSA 1904-1 (wget)
File : nvt/deb_1904_1.nasl
2009-10-13 Name : Ubuntu USN-842-1 (wget)
File : nvt/ubuntu_842_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
57632 GNU wget X.509 Certificate Authority (CA) Common Name Null Byte Handling SSL ...

Nessus® Vulnerability Scanner

Date Description
2013-07-12 Name : The remote Oracle Linux host is missing a security update.
File : oraclelinux_ELSA-2009-1549.nasl - Type : ACT_GATHER_INFO
2013-06-29 Name : The remote CentOS host is missing a security update.
File : centos_RHSA-2009-1549.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing a security update.
File : sl_20091103_wget_on_SL3_x.nasl - Type : ACT_GATHER_INFO
2010-02-24 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1904.nasl - Type : ACT_GATHER_INFO
2009-12-03 Name : The remote Fedora host is missing a security update.
File : fedora_2009-11739.nasl - Type : ACT_GATHER_INFO
2009-12-03 Name : The remote Fedora host is missing a security update.
File : fedora_2009-11740.nasl - Type : ACT_GATHER_INFO
2009-12-03 Name : The remote Fedora host is missing a security update.
File : fedora_2009-11836.nasl - Type : ACT_GATHER_INFO
2009-12-02 Name : The remote host is missing Sun Security Patch number 125215-07
File : solaris10_125215.nasl - Type : ACT_GATHER_INFO
2009-12-02 Name : The remote host is missing Sun Security Patch number 125216-07
File : solaris10_x86_125216.nasl - Type : ACT_GATHER_INFO
2009-11-04 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2009-1549.nasl - Type : ACT_GATHER_INFO
2009-10-22 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200910-01.nasl - Type : ACT_GATHER_INFO
2009-10-07 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-842-1.nasl - Type : ACT_GATHER_INFO
2009-08-20 Name : The remote Mandriva Linux host is missing a security update.
File : mandriva_MDVSA-2009-206.nasl - Type : ACT_GATHER_INFO