Sign-up

ID

VAR-200906-0055


CVE

CVE-2009-0958


TITLE

Apple iPhone OS Vulnerability in which important information is obtained

Trust: 0.8

sources: JVNDB: JVNDB-2009-001847

DESCRIPTION

Apple iPhone OS 1.0 through 2.2.1 and iPhone OS for iPod touch 1.1 through 2.2.1 stores an exception for a hostname when the user accepts an untrusted Exchange server certificate, which causes it to be accepted without prompting in future usage and allows remote Exchange servers to obtain sensitive information such as credentials. Apple iPhone and iPod touch are prone to an information-disclosure vulnerability. Successfully exploiting this issue may allow an attacker to perform man-in-the-middle attacks by impersonating a trusted Exchange server. This may allow the attacker to obtain credentials or other sensitive information or give users a false sense of security. Information harvested may aid in further attacks. NOTE: This issue was previously covered in BID 35414 (Apple iPhone and iPod touch Prior to Version 3.0 Multiple Vulnerabilities), but has been assigned its own record to better document it

Trust: 2.25

sources: NVD: CVE-2009-0958 // JVNDB: JVNDB-2009-001847 // BID: 35414 // BID: 35447 // VULHUB: VHN-38404

AFFECTED PRODUCTS

vendor:applemodel:iphone osscope:eqversion:2.0.1

Trust: 1.6

vendor:applemodel:iphone osscope:eqversion:1.1.5

Trust: 1.6

vendor:applemodel:iphone osscope:eqversion:1.1.1

Trust: 1.6

vendor:applemodel:iphone osscope:eqversion:1.1.3

Trust: 1.6

vendor:applemodel:iphone osscope:eqversion:1.1.0

Trust: 1.6

vendor:applemodel:iphone osscope:eqversion:1.0.2

Trust: 1.6

vendor:applemodel:iphone osscope:eqversion:2.0

Trust: 1.6

vendor:applemodel:iphone osscope:eqversion:1.1.2

Trust: 1.6

vendor:applemodel:iphone osscope:eqversion:1.1.4

Trust: 1.6

vendor:applemodel:iphone osscope:eqversion:2.0.0

Trust: 1.6

vendor:applemodel:iphone osscope:eqversion:1.0.0

Trust: 1.0

vendor:applemodel:iphone osscope:eqversion:2.1

Trust: 1.0

vendor:applemodel:ipod touchscope:eqversion:*

Trust: 1.0

vendor:applemodel:iphone osscope:eqversion:2.0.2

Trust: 1.0

vendor:applemodel:iphone osscope:eqversion:2.2.1

Trust: 1.0

vendor:applemodel:iphone osscope:eqversion:2.1.1

Trust: 1.0

vendor:applemodel:iphone osscope:eqversion:2.2

Trust: 1.0

vendor:applemodel:iphone osscope:eqversion:*

Trust: 1.0

vendor:applemodel:iphone osscope:eqversion:1.0.1

Trust: 1.0

vendor:applemodel:iosscope:eqversion:1.0 to 2.2.1

Trust: 0.8

vendor:applemodel:ios for ipod touchscope:eqversion:1.1 to 2.2.1

Trust: 0.8

vendor:applemodel:ipod touchscope:eqversion:2.2.1

Trust: 0.6

vendor:applemodel:ipod touchscope:eqversion:2.0.2

Trust: 0.6

vendor:applemodel:ipod touchscope:eqversion:2.0.1

Trust: 0.6

vendor:applemodel:ipod touchscope:eqversion:1.1.4

Trust: 0.6

vendor:applemodel:ipod touchscope:eqversion:1.1.3

Trust: 0.6

vendor:applemodel:ipod touchscope:eqversion:1.1.2

Trust: 0.6

vendor:applemodel:ipod touchscope:eqversion:1.1.1

Trust: 0.6

vendor:applemodel:ipod touchscope:eqversion:2.2

Trust: 0.6

vendor:applemodel:ipod touchscope:eqversion:2.1

Trust: 0.6

vendor:applemodel:ipod touchscope:eqversion:2.0

Trust: 0.6

vendor:applemodel:ipod touchscope:eqversion:1.1

Trust: 0.6

vendor:applemodel:iphonescope:eqversion:2.2.1

Trust: 0.6

vendor:applemodel:iphonescope:eqversion:2.0.2

Trust: 0.6

vendor:applemodel:iphonescope:eqversion:2.0.1

Trust: 0.6

vendor:applemodel:iphonescope:eqversion:1.1.4

Trust: 0.6

vendor:applemodel:iphonescope:eqversion:1.1.3

Trust: 0.6

vendor:applemodel:iphonescope:eqversion:1.1.2

Trust: 0.6

vendor:applemodel:iphonescope:eqversion:1.1.1

Trust: 0.6

vendor:applemodel:iphonescope:eqversion:1.0.2

Trust: 0.6

vendor:applemodel:iphonescope:eqversion:1.0.1

Trust: 0.6

vendor:applemodel:iphonescope:eqversion:2.2

Trust: 0.6

vendor:applemodel:iphonescope:eqversion:2.1

Trust: 0.6

vendor:applemodel:iphonescope:eqversion:2.0

Trust: 0.6

vendor:applemodel:iphonescope:eqversion:1.1

Trust: 0.6

vendor:applemodel:iphonescope:eqversion:1

Trust: 0.6

vendor:applemodel:iphonescope:eqversion:0

Trust: 0.6

vendor:applemodel:ipod touchscope:neversion:3.0

Trust: 0.6

vendor:applemodel:iphonescope:neversion:3.0

Trust: 0.6

vendor:applemodel:ipod touchscope:eqversion:0

Trust: 0.3

sources: BID: 35414 // BID: 35447 // JVNDB: JVNDB-2009-001847 // CNNVD: CNNVD-200906-310 // NVD: CVE-2009-0958

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-0958
value: MEDIUM

Trust: 1.0

NVD: CVE-2009-0958
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200906-310
value: MEDIUM

Trust: 0.6

VULHUB: VHN-38404
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2009-0958
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: CVE-2009-0958
severity: HIGH
baseScore: 7.1
vectorString: AV:N/AC:M/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-38404
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-38404 // JVNDB: JVNDB-2009-001847 // CNNVD: CNNVD-200906-310 // NVD: CVE-2009-0958

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-38404 // JVNDB: JVNDB-2009-001847 // NVD: CVE-2009-0958

THREAT TYPE

network

Trust: 0.6

sources: BID: 35414 // BID: 35447

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-200906-310

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2009-001847

PATCH
title:HT3639url:http://support.apple.com/kb/HT3639
Trust: 0.8
title:HT3639url:http://support.apple.com/kb/HT3639?viewlocale=ja_JP
Trust: 0.8
title:Apple iPhone Repair measures for information disclosure vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=203145
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2009-001847 // 
            
            
            
            CNNVD: CNNVD-200906-310

EXTERNAL IDS
db:BIDid:35447
Trust: 2.8
db:NVDid:CVE-2009-0958
Trust: 2.8
db:OSVDBid:55236
Trust: 2.5
db:VUPENid:ADV-2009-1621
Trust: 2.5
db:BIDid:35414
Trust: 2.0
db:XFid:51208
Trust: 0.8
db:JVNDBid:JVNDB-2009-001847
Trust: 0.8
db:CNNVDid:CNNVD-200906-310
Trust: 0.6
db:VULHUBid:VHN-38404
Trust: 0.1
sources:
            
            
            VULHUB: VHN-38404 // 
            
            
            
            BID: 35414 // 
            
            
            
            BID: 35447 // 
            
            
            
            JVNDB: JVNDB-2009-001847 // 
            
            
            
            CNNVD: CNNVD-200906-310 // 
            
            
            
            NVD: CVE-2009-0958

REFERENCES
url:http://www.securityfocus.com/bid/35447
Trust: 2.5
url:http://osvdb.org/55236
Trust: 2.5
url:http://www.vupen.com/english/advisories/2009/1621
Trust: 2.5
url:http://support.apple.com/kb/ht3639
Trust: 2.0
url:http://lists.apple.com/archives/security-announce/2009/jun/msg00005.html
Trust: 1.7
url:http://www.securityfocus.com/bid/35414
Trust: 1.7
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/51208
Trust: 1.7
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0958
Trust: 0.8
url:http://xforce.iss.net/xforce/xfdb/51208
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-0958
Trust: 0.8
url:http://www.apple.com/iphone/
Trust: 0.6
url:http://www.apple.com/ipodtouch/
Trust: 0.6
sources:
            
            
            VULHUB: VHN-38404 // 
            
            
            
            BID: 35414 // 
            
            
            
            BID: 35447 // 
            
            
            
            JVNDB: JVNDB-2009-001847 // 
            
            
            
            CNNVD: CNNVD-200906-310 // 
            
            
            
            NVD: CVE-2009-0958

CREDITS
Oskar Lissheim-BoethiusOliver QuasChristian Schmitz
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-200906-310

SOURCES
db:VULHUBid:VHN-38404
db:BIDid:35414
db:BIDid:35447
db:JVNDBid:JVNDB-2009-001847
db:CNNVDid:CNNVD-200906-310
db:NVDid:CVE-2009-0958

LAST UPDATE DATE
2024-11-23T20:33:33.117000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-38404date:2017-08-17T00:00:00
db:BIDid:35414date:2009-06-19T23:09:00
db:BIDid:35447date:2015-05-12T19:48:00
db:JVNDBid:JVNDB-2009-001847date:2009-08-06T00:00:00
db:CNNVDid:CNNVD-200906-310date:2022-08-10T00:00:00
db:NVDid:CVE-2009-0958date:2024-11-21T01:01:20.367

SOURCES RELEASE DATE
db:VULHUBid:VHN-38404date:2009-06-19T00:00:00
db:BIDid:35414date:2009-06-17T00:00:00
db:BIDid:35447date:2009-06-17T00:00:00
db:JVNDBid:JVNDB-2009-001847date:2009-08-06T00:00:00
db:CNNVDid:CNNVD-200906-310date:2009-06-19T00:00:00
db:NVDid:CVE-2009-0958date:2009-06-19T16:30:00.203