PT-2014-1455 · Mozilla · Network Security Services

Published: 2014-03-20 · Updated: 2024-12-12 · CVE-2014-1492

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Mozilla Network Security Services (NSS) versions prior to 3.16
Description: The issue exists in the cert_TestHostName function in lib/certdb/certdb.c, which is part of the certificate-checking implementation. This function accepts a wildcard character embedded in an internationalized domain name's U-label. As a result, it might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate: an attacker who exploits the issue can substitute an SSL server by presenting a specially formed certificate.
Recommendations: For versions prior to 3.16, update to version 3.16 or later to resolve the issue. As a temporary workaround, consider restricting use of the cert_TestHostName function in lib/certdb/certdb.c until a patch is available.
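As an added illustration, not NSS code: a hostname matcher in Python that enforces the check the description implies, refusing any wildcard that sits inside an internationalized U-label (or its xn-- A-label form). The surrounding matching policy (one wildcard, leftmost label only, partial wildcards allowed, at least two labels after it) is an assumption of this example, not the NSS implementation.

```python
def _is_u_label(label: str) -> bool:
    """True for a label carrying non-ASCII (Unicode) characters, e.g. 'münchen'."""
    return any(ord(ch) > 0x7F for ch in label)

def _is_a_label(label: str) -> bool:
    """True for the Punycode (A-label) form of an IDN label, e.g. 'xn--mnchen-3ya'."""
    return label.lower().startswith("xn--")

def check_wildcard_pattern(pattern: str):
    """Return (ok, reason) for a certificate dNSName that may contain '*'.
    Assumed, conservative policy (not the NSS rules): at most one '*', only in
    the leftmost label; that label must be plain ASCII, neither a U-label nor an
    A-label; and at least two labels must follow it."""
    labels = pattern.split(".")
    if "" in labels:
        return False, "empty label"
    if "*" not in pattern:
        return True, "no wildcard"
    first, rest = labels[0], labels[1:]
    if any("*" in label for label in rest):
        return False, "wildcard outside leftmost label"
    if first.count("*") != 1:
        return False, "more than one wildcard"
    if _is_u_label(first):
        return False, "wildcard inside IDN U-label (CVE-2014-1492 case)"
    if _is_a_label(first):
        return False, "wildcard inside IDN A-label"
    if len(rest) < 2:
        return False, "wildcard too broad"
    return True, "ok"

def match_hostname(pattern: str, host: str) -> bool:
    """Case-insensitively match host against pattern; '*' is honoured only when
    the pattern passes check_wildcard_pattern. Host and pattern are assumed to be
    in the same form (both U-labels or both A-labels)."""
    ok, _ = check_wildcard_pattern(pattern)
    if not ok:
        return False
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if "*" not in p_labels[0]:
        return p_labels == h_labels
    # The single '*' matches one or more characters inside the leftmost label only.
    head, tail = p_labels[0].split("*")
    first = h_labels[0]
    leftmost_ok = len(first) > len(head) + len(tail) and first.startswith(head) and first.endswith(tail)
    return leftmost_ok and p_labels[1:] == h_labels[1:]
```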


Related Identifiers

ALT-PU-2014-1618
BDU:2015-00420
BDU:2015-00680
CESA-2014_0917
CESA-2014_1073
CVE-2014-1492
DLA-23-1
DSA-2994-1
MGASA-2014-0137
OPENSUSE-SU-2014_0950-1
OPENSUSE-SU-2014_1100-1
OPENSUSE-SU-2024:10071-1
OPENSUSE-SU-2024:10218-1
OPENSUSE-SU-2024:10451-1
OPENSUSE-SU-2024:14572-1
RHSA-2014:0917
RHSA-2014:1073
RHSA-2014:1246
RHSA-2014_0917
RHSA-2014_1073
RHSA-2014_1246
SUSE-SU-2014_0665-1
SUSE-SU-2014_0665-2
SUSE-SU-2014_0727-1
USN-2159-1
USN-2185-1

Affected Products

Alt Linux
Centos
Network Security Services
Red Hat
Suse
Ubuntu