SecurityTracker.com
Category:   Application (Security)  >   Network Security Services (NSS)
Vendors:   Mozilla.org
Network Security Services (NSS) ASN.1 Parsing Flaw Lets Remote Users Forge Certificates
SecurityTracker Alert ID:  1030899
SecurityTracker URL:  http://securitytracker.com/id/1030899
CVE Reference:   CVE-2014-1568
Date:  Sep 24 2014
Impact:   Disclosure of system information, Disclosure of user information, Modification of authentication information, Modification of system information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to versions 3.16.2.1, 3.16.5, 3.17.1
Description:   A vulnerability was reported in Network Security Services (NSS). A remote user can forge digital certificates.

The library does not properly parse ASN.1 values in a digital signature. A user can conduct a Bleichenbacher attack variant against the RSA algorithm to create a forged certificate.

Antoine Delignat-Lavaud of team Prosecco at Inria Paris and the Advanced Threat Research team at Intel Security separately reported this vulnerability.

Impact:   A remote user can forge digital certificates.
Solution:   The vendor has issued a fix (3.16.2.1, 3.16.5, 3.17.1).

The vendor's advisory is available at:

https://www.mozilla.org/security/announce/2014/mfsa2014-73.html

Vendor URL:  www.mozilla.org/security/announce/2014/mfsa2014-73.html
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 24 2014 (Google Issues Fix for Google Chrome) Network Security Services (NSS) ASN.1 Parsing Flaw Lets Remote Users Forge Certificates
Google has issued a fix for Google Chrome.
Sep 24 2014 (Mozilla Issues Fix for Mozilla Firefox) Network Security Services (NSS) ASN.1 Parsing Flaw Lets Remote Users Forge Certificates
Mozilla has issued a fix for Mozilla Firefox.
Sep 24 2014 (Mozilla Issues Fix for Mozilla Seamonkey) Network Security Services (NSS) ASN.1 Parsing Flaw Lets Remote Users Forge Certificates
Mozilla has issued a fix for Mozilla Seamonkey.
Sep 24 2014 (Mozilla Issues Fix for Mozilla Thunderbird) Network Security Services (NSS) ASN.1 Parsing Flaw Lets Remote Users Forge Certificates
Mozilla has issued a fix for Mozilla Thunderbird.
Sep 26 2014 (Red Hat Issues Fix) Network Security Services (NSS) ASN.1 Parsing Flaw Lets Remote Users Forge Certificates
Red Hat has issued a fix for Red Hat Enterprise Linux 5, 6, and 7.
Oct 2 2014 (Red Hat Issues Fix for RHEV) Network Security Services (NSS) ASN.1 Parsing Flaw Lets Remote Users Forge Certificates
Red Hat has issued a fix for Red Hat Enterprise Virtualization.
Oct 10 2014 (Red Hat Issues Fix) Network Security Services (NSS) ASN.1 Parsing Flaw Lets Remote Users Forge Certificates
Red Hat has issued a fix for Red Hat Enterprise Linux 4, 5.6, 5.9, 6.2, and 6.4.
Jan 21 2015 (Oracle Issues Fix for Oracle Communications Messaging Server) Network Security Services (NSS) ASN.1 Parsing Flaw Lets Remote Users Forge Certificates
Oracle has issued a fix for Oracle Communications Messaging Server.
Jul 15 2015 (Oracle Issues Fix for Oracle Directory Server Enterprise Edition) Network Security Services (NSS) ASN.1 Parsing Flaw Lets Remote Users Forge Certificates
Sun has issued an advisory for Oracle Directory Server Enterprise Edition.
Oct 16 2015 (Juniper Issues Fix for Juniper Junos Space) Network Security Services (NSS) ASN.1 Parsing Flaw Lets Remote Users Forge Certificates
Juniper has issued a fix for Juniper Junos Space.
Copyright 2019, SecurityGlobal.net LLC