FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

serf -- SSL Certificate Null Byte Poisoning

Affected packages
serf < 1.3.7


VuXML ID 69048656-2187-11e4-802c-20cf30e32f6d
Discovery 2014-08-06
Entry 2014-08-11

serf Development list reports:

Serf provides APIs to retrieve information about a certificate. These APIs return the information as NUL terminated strings (commonly called C strings). X.509 uses counted length strings which may include a NUL byte. This means that a library user will interpret any information as ending upon seeing this NUL byte and will only see a partial value for that field.

Attackers could exploit this vulnerability to create a certificate that a client will accept for a different hostname than the full certificate is actually for by embedding a NUL byte in the certificate.

This can lead to a man-in-the-middle attack. There are no known instances of this problem being exploited in the wild and in practice it should be difficult to actually exploit this vulnerability.


CVE Name CVE-2014-3504