CVE-2009-3477 | Vulnerability Database | Aqua Security

The Blackberry Browser in RIM BlackBerry Device Software 4.5.0 before 4.5.0.173, 4.6.0 before 4.6.0.303, 4.6.1 before 4.6.1.309, 4.7.0 before 4.7.0.179, and 4.7.1 before 4.7.1.57 does not properly handle hidden characters including a 0 character in a domain name in the subjects Common Name (CN) field of an X.509 certificate, which allows remote man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Affected Software

Name	Vendor	Start Version	End Version
Blackberry_device_software	Rim	4.5.0 (including)	4.5.0 (including)
Blackberry_device_software	Rim	4.6 (including)	4.6 (including)
Blackberry_device_software	Rim	4.6.1 (including)	4.6.1 (including)
Blackberry_device_software	Rim	4.7 (including)	4.7 (including)
Blackberry_device_software	Rim	4.7.1 (including)	4.7.1 (including)

References

http://secunia.com/advisories/36875
http://www.blackberry.com/btsc/viewContent.do?externalId=KB19552
http://www.securityfocus.com/bid/36528
http://www.securitytracker.com/id?1022951
https://exchange.xforce.ibmcloud.com/vulnerabilities/53490

NVD	https://nvd.nist.gov/vuln/detail/CVE-2009-3477
CWE	https://cwe.mitre.org/data/definitions/310.html