PT-2014-1455 · Mozilla+5 · Network Security Services+5

Published: 2014-03-20 · Updated: 2024-12-12 · CVE-2014-1492

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Mozilla Network Security Services (NSS) versions prior to 3.16

Description

The issue exists in the cert_TestHostName function in lib/certdb/certdb.c, which is part of the certificate-checking implementation. This function accepts a wildcard character embedded in an internationalized domain name's U-label. As a result, it might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate. The exploitation of this issue enables attackers to substitute SSL servers using specially formed certificates.

Recommendations

For versions prior to 3.16, update to version 3.16 or later to resolve the issue. As a temporary workaround, consider restricting the use of the cert_TestHostName function in lib/certdb/certdb.c until a patch is available.
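
The check this description turns on, as an added example (not NSS code and not part of the original advisory): a certificate-name matcher that refuses any wildcard inside an IDN label. The function names, the sample host names and the remaining wildcard policy (one `*`, leftmost label only, at least two parent labels) are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* ASCII-only, locale-independent case-insensitive compare of n bytes. */
static bool eq_nocase(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        unsigned char x = (unsigned char)a[i], y = (unsigned char)b[i];
        if (x >= 'A' && x <= 'Z') x += 32;
        if (y >= 'A' && y <= 'Z') y += 32;
        if (x != y) return false;
    }
    return true;
}

static bool eq_str(const char *a, const char *b) {
    size_t n = strlen(a);
    return n == strlen(b) && eq_nocase(a, b, n);
}

/* IDN label: A-label ("xn--" prefix) or U-label (any non-ASCII byte). */
static bool is_idn_label(const char *s, size_t n) {
    if (n >= 4 && eq_nocase(s, "xn--", 4)) return true;
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)s[i] >= 0x80) return true;
    return false;
}

/* Hypothetical matcher: does certificate name `pattern` cover `host`? */
bool hostname_matches(const char *pattern, const char *host) {
    const char *star = strchr(pattern, '*');
    if (!star) return eq_str(pattern, host);         /* no wildcard: exact */
    const char *pdot = strchr(pattern, '.');
    const char *hdot = strchr(host, '.');
    if (!pdot || !hdot || star > pdot) return false; /* '*' only in leftmost label */
    if (strchr(star + 1, '*')) return false;         /* at most one '*' */
    if (!strchr(pdot + 1, '.')) return false;        /* "*.com" is too broad */
    /* Class of check at issue in CVE-2014-1492: no '*' inside an IDN label. */
    if (is_idn_label(pattern, (size_t)(pdot - pattern))) return false;
    if (!eq_str(pdot, hdot)) return false;           /* parent domains equal */
    size_t pre = (size_t)(star - pattern);           /* literal before '*' */
    size_t suf = (size_t)(pdot - star) - 1;          /* literal after '*' */
    size_t hlen = (size_t)(hdot - host);             /* host's leftmost label */
    if (hlen == 0 || hlen < pre + suf) return false;
    return eq_nocase(pattern, host, pre) && eq_nocase(star + 1, hdot - suf, suf);
}

int main(void) { /* constructed U-label pattern; exit status 0 means rejected */
    return hostname_matches("b\xc3\xbc*.example.com", "b\xc3\xbc" "cher.example.com");
}
```

A whole-label wildcard such as `*.example.com` still covers an IDN host; only a `*` embedded in the A-label or U-label itself is refused.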


Weakness Enumeration

Related identifiers

ALT-PU-2014-1618
BDU:2015-00420
BDU:2015-00680
CESA-2014_0917
CESA-2014_1073
CVE-2014-1492
DLA-23-1
DSA-2994-1
MGASA-2014-0137
OPENSUSE-SU-2014_0950-1
OPENSUSE-SU-2014_1100-1
OPENSUSE-SU-2024:10071-1
OPENSUSE-SU-2024:10218-1
OPENSUSE-SU-2024:10451-1
OPENSUSE-SU-2024:14572-1
RHSA-2014:0917
RHSA-2014:1073
RHSA-2014:1246
RHSA-2014_0917
RHSA-2014_1073
RHSA-2014_1246
SUSE-SU-2014_0665-1
SUSE-SU-2014_0665-2
SUSE-SU-2014_0727-1
USN-2159-1
USN-2185-1

Affected products

ALT Linux
CentOS
Network Security Services
Red Hat
SUSE
Ubuntu