ID

VAR-200909-0256


CVE

CVE-2009-3477


TITLE

Vulnerability in the Blackberry Browser in RIM BlackBerry Device Software allowing impersonation of arbitrary SSL servers

Trust: 0.8

sources: JVNDB: JVNDB-2009-002699

DESCRIPTION

The Blackberry Browser in RIM BlackBerry Device Software 4.5.0 before 4.5.0.173, 4.6.0 before 4.6.0.303, 4.6.1 before 4.6.1.309, 4.7.0 before 4.7.0.179, and 4.7.1 before 4.7.1.57 does not properly handle "hidden" characters including a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows remote man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

A vulnerability exists that allows an SSL server to be impersonated; it is related to CVE-2009-2408. An attacker who obtains a crafted certificate from a legitimate certification authority may be able to impersonate an arbitrary SSL server.

The BlackBerry Device Software browser is prone to a weakness that may cause affected users to trust malicious sites. This issue may potentially lead to other attacks, because users may operate under a false sense of security. This issue affects all versions prior to BlackBerry Device Software 4.5.0.173, 4.6.0.303, 4.6.1.309, 4.7.0.179, and 4.7.1.57. NOTE: This issue affects all built-in browsers installed on BlackBerry devices: BlackBerry Browser, Internet Browser, WAP Browser, and Wi-Fi (Hotspot) Browser.
----------------------------------------------------------------------
TITLE: BlackBerry Devices Insufficient Certificate Warning Security Issue

SECUNIA ADVISORY ID: SA36875

VERIFY ADVISORY: http://secunia.com/advisories/36875/

DESCRIPTION: A security issue has been reported in BlackBerry Device Software, which can be exploited by malicious people to potentially conduct spoofing attacks. The security issue is caused by the dialog box displayed by the browser when a mismatched certificate is detected not showing e.g. NULL ('\0') characters. This can be exploited to potentially trick a user into ignoring the warning dialog box and accepting a spoofed certificate containing special characters in the Common Name field.

PROVIDED AND/OR DISCOVERED BY: The vendor credits Mobile Security Lab and CESG.

ORIGINAL ADVISORY: http://www.blackberry.com/btsc/viewContent.do?externalId=KB19552
----------------------------------------------------------------------

Trust: 1.98

sources: NVD: CVE-2009-3477 // JVNDB: JVNDB-2009-002699 // BID: 36528 // PACKETSTORM: 81674

AFFECTED PRODUCTS

vendor: rim; model: blackberry device software; scope: eq; version: 4.7.1

Trust: 1.6

vendor: rim; model: blackberry device software; scope: eq; version: 4.6

Trust: 1.6

vendor: rim; model: blackberry device software; scope: eq; version: 4.6.1

Trust: 1.6

vendor: rim; model: blackberry device software; scope: eq; version: 4.7

Trust: 1.6

vendor: rim; model: blackberry device software; scope: eq; version: 4.5.0

Trust: 1.6

vendor: blackberry; model: device software; scope: eq; version: 4.6.1.309

Trust: 0.8

vendor: blackberry; model: device software; scope: lt; version: 4.7.0

Trust: 0.8

vendor: blackberry; model: device software; scope: eq; version: 4.7.1.57

Trust: 0.8

vendor: blackberry; model: device software; scope: lt; version: 4.6.1

Trust: 0.8

vendor: blackberry; model: device software; scope: lt; version: 4.7.1

Trust: 0.8

vendor: blackberry; model: device software; scope: eq; version: 4.7.0.179

Trust: 0.8

vendor: blackberry; model: device software; scope: lt; version: 4.6.0

Trust: 0.8

vendor: blackberry; model: device software; scope: eq; version: 4.6.0.303

Trust: 0.8

vendor: blackberry; model: device software; scope: eq; version: 4.5.0.173

Trust: 0.8

vendor: blackberry; model: device software; scope: lt; version: 4.5.0

Trust: 0.8

vendor: research in motion; model: blackberry device software; scope: eq; version: 4.7.1

Trust: 0.3

vendor: research in motion; model: blackberry device software; scope: eq; version: 4.7

Trust: 0.3

vendor: research in motion; model: blackberry device software; scope: eq; version: 4.6.1

Trust: 0.3

vendor: research in motion; model: blackberry device software; scope: eq; version: 4.6

Trust: 0.3

vendor: research in motion; model: blackberry device software; scope: eq; version: 4.5

Trust: 0.3

vendor: research in motion; model: blackberry device software; scope: ne; version: 4.7.1.57

Trust: 0.3

vendor: research in motion; model: blackberry device software; scope: ne; version: 4.7.179

Trust: 0.3

vendor: research in motion; model: blackberry device software; scope: ne; version: 4.6.1.309

Trust: 0.3

vendor: research in motion; model: blackberry device software; scope: ne; version: 4.6.303

Trust: 0.3

vendor: research in motion; model: blackberry device software; scope: ne; version: 4.5.173

Trust: 0.3

sources: BID: 36528 // JVNDB: JVNDB-2009-002699 // CNNVD: CNNVD-200910-066 // NVD: CVE-2009-3477

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-3477
value: MEDIUM

Trust: 1.0

NVD: CVE-2009-3477
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200910-066
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2009-3477
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2009-002699 // CNNVD: CNNVD-200910-066 // NVD: CVE-2009-3477

PROBLEMTYPE DATA

problemtype: CWE-310

Trust: 1.8

sources: JVNDB: JVNDB-2009-002699 // NVD: CVE-2009-3477

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200910-066

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-200910-066

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-002699

PATCH

title: KB19552; url: http://www.blackberry.com/btsc/viewContent.do?externalId=KB19552

Trust: 0.8

sources: JVNDB: JVNDB-2009-002699

EXTERNAL IDS

db: NVD; id: CVE-2009-3477

Trust: 2.4

db: BID; id: 36528

Trust: 1.9

db: SECUNIA; id: 36875

Trust: 1.7

db: SECTRACK; id: 1022951

Trust: 1.6

db: JVNDB; id: JVNDB-2009-002699

Trust: 0.8

db: XF; id: 53490

Trust: 0.6

db: CNNVD; id: CNNVD-200910-066

Trust: 0.6

db: PACKETSTORM; id: 81674

Trust: 0.1

sources: BID: 36528 // JVNDB: JVNDB-2009-002699 // PACKETSTORM: 81674 // CNNVD: CNNVD-200910-066 // NVD: CVE-2009-3477

REFERENCES

url: http://www.blackberry.com/btsc/viewcontent.do?externalid=kb19552

Trust: 1.7

url: http://www.securitytracker.com/id?1022951

Trust: 1.6

url: http://www.securityfocus.com/bid/36528

Trust: 1.6

url: http://secunia.com/advisories/36875

Trust: 1.6

url: https://exchange.xforce.ibmcloud.com/vulnerabilities/53490

Trust: 1.0

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-3477

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-3477

Trust: 0.8

url: http://xforce.iss.net/xforce/xfdb/53490

Trust: 0.6

url: http://www.rim.net/

Trust: 0.3

url: http://www.blackberry.com/btsc/dynamickc.do?externalid=kb19552&sliceid=1&command=show&forward=nonthreadedkc&kcid=kb19552

Trust: 0.3

url: http://secunia.com/advisories/36875/

Trust: 0.1

url: http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url: http://secunia.com/advisories/business_solutions/

Trust: 0.1

url: http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url: http://www.blackberry.com/updates/

Trust: 0.1

url: http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

sources: BID: 36528 // JVNDB: JVNDB-2009-002699 // PACKETSTORM: 81674 // CNNVD: CNNVD-200910-066 // NVD: CVE-2009-3477

CREDITS

Mobile Security Lab and CESG

Trust: 0.9

sources: BID: 36528 // CNNVD: CNNVD-200910-066

SOURCES

db: BID; id: 36528
db: JVNDB; id: JVNDB-2009-002699
db: PACKETSTORM; id: 81674
db: CNNVD; id: CNNVD-200910-066
db: NVD; id: CVE-2009-3477

LAST UPDATE DATE

2025-04-10T23:20:41.617000+00:00


SOURCES UPDATE DATE

db: BID; id: 36528; date: 2009-10-01T16:20:00
db: JVNDB; id: JVNDB-2009-002699; date: 2011-12-22T00:00:00
db: CNNVD; id: CNNVD-200910-066; date: 2009-10-02T00:00:00
db: NVD; id: CVE-2009-3477; date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: BID; id: 36528; date: 2009-09-28T00:00:00
db: JVNDB; id: JVNDB-2009-002699; date: 2011-12-22T00:00:00
db: PACKETSTORM; id: 81674; date: 2009-09-28T05:53:58
db: CNNVD; id: CNNVD-200910-066; date: 2009-09-29T00:00:00
db: NVD; id: CVE-2009-3477; date: 2009-09-29T23:30:00.297