mark :: blog

07 Oct 2009: CVE-2009-2408 (NULL in certificate) timeline

There have been quite a few stories over the last couple of weeks about the NULL character certificate flaw, such as this one from The Register.

The stories center around how open source software such as Firefox was able to produce updates to correct this issue just a few days after the Blackhat conference, while Microsoft still hasn't fixed it and is "investigating a possible vulnerability in Windows presented during Black Hat".

But the actual timeline is missing from these stories.

The NULL character certificate flaw (CVE-2009-2408) was actually disclosed by two researchers working independently who both happened to present the work at the same conference, Blackhat, in July this year. Dan Kaminsky mentioned it as part of a series of PKI flaws he disclosed. Marlinspike had found the same flaw, but was able to demonstrate it in practice by managing to get a trusted Certificate Authority to sign such a malicious certificate.

The flaw was no Blackhat surprise; Dan Kaminsky actually found this issue many months ago and responsibly reported the issues to vendors including Red Hat, Microsoft, and Mozilla. We found out about this issue on 25th February 2009 and worked with Dan and some of the upstream projects on these issues in advance, so we had plenty of time to prepare updates and this is why we were able to have them ready to release just after the disclosure.

Created: 07 Oct 2009

2 comments (new comments disabled)

Title: Re: CVE-2009-2408 (NULL in certificate) timeline
Posted by: asdf
Time: Wed, 07 Oct 2009 14:26

It amuses me that "trusted-third parties" can't be trusted to check for illegal characters in the certificates that they issue. There are plenty of other ASCII characters that have no business in CNs (\n \r \b and pretty much everything that isn't actually a display character!). At the very least, anything not a-z,0-9,{.-@/} should produce a big exclamation mark and investigation before issuing. Maybe there is a bug to raise against OpenSSL, and other certificate signing scripts...
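As an added example (not code from the post, the commenter, or any of the affected projects), here is the client-side comparison at the heart of CVE-2009-2408 in toy C: a CN with an embedded NUL compared with strcmp() versus a length-aware comparison, plus an issuance-time allowlist check along the lines the comment above suggests. The CN bytes, host names and function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample CN, kept with an explicit length as it would come out of the
 * DER-encoded Subject. The embedded NUL is the CVE-2009-2408 trick: a CA that
 * checks ownership of the part after the NUL may sign it, while a client that
 * treats the CN as a C string only ever sees "www.example.com". */
static const unsigned char SAMPLE_CN[] = "www.example.com\0evil.example";
#define SAMPLE_CN_LEN (sizeof SAMPLE_CN - 1)   /* 28 bytes, NUL included */

/* Vulnerable pattern: strcmp() stops at the first NUL, so the trailing
 * "evil.example" is ignored and the name matches the victim host. */
bool match_cn_naive(const unsigned char *cn, size_t cn_len, const char *host) {
    (void)cn_len;                               /* length ignored: the bug */
    return strcmp((const char *)cn, host) == 0;
}

/* Hardened: refuse any embedded NUL and compare over the full ASN.1 length. */
bool match_cn_safe(const unsigned char *cn, size_t cn_len, const char *host) {
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;
    size_t host_len = strlen(host);
    return cn_len == host_len && memcmp(cn, host, cn_len) == 0;
}

/* Issuance-time allowlist in the spirit of the comment above: only a-z, 0-9
 * and . - @ / pass; anything else (NUL, \r, \n, non-display bytes, and for
 * this strict toy also upper case) is flagged for review before signing. */
bool cn_ok_to_issue(const unsigned char *cn, size_t cn_len) {
    if (cn_len == 0)
        return false;
    for (size_t i = 0; i < cn_len; i++) {
        unsigned char c = cn[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') ||
                  c == '.' || c == '-' || c == '@' || c == '/';
        if (!ok)
            return false;
    }
    return true;
}

int main(void) {
    printf("naive match: %d\n", match_cn_naive(SAMPLE_CN, SAMPLE_CN_LEN, "www.example.com"));
    printf("safe match:  %d\n", match_cn_safe(SAMPLE_CN, SAMPLE_CN_LEN, "www.example.com"));
    printf("ok to issue: %d\n", cn_ok_to_issue(SAMPLE_CN, SAMPLE_CN_LEN));
    return 0;
}
```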

Title: Re: CVE-2009-2408 (NULL in certificate) timeline
Posted by: zkp
Time: Tue, 03 Nov 2009 22:27

Marlinspike too found it many months ago; one of his published certificates was issued on Feb 24 23:04:17.

Hi! I'm Mark Cox. This blog gives my thoughts and opinions on my security work, open source, fedora, home automation, and other topics.