PT-2014-4223 · Mozilla+3 · Network Security Services+3

Antoine Delignat-Lavaud

Published

2014-12-03

Updated

2024-06-15

CVE-2014-1569

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Mozilla Network Security Services (NSS) versions prior to 3.16.2.4 Mozilla Network Security Services (NSS) versions 3.17.x prior to 3.17.3

Description The issue arises from the definite length decoder function in lib/util/quickder.c, which fails to properly validate the DER encoding of an ASN.1 length. This allows remote attackers to conduct data-smuggling attacks by using a long byte sequence for an encoding. The SEC QuickDERDecodeItem function improperly handles an arbitrary-length encoding of 0x00.

Recommendations For Mozilla Network Security Services (NSS) versions prior to 3.16.2.4, update to version 3.16.2.4 or later. For Mozilla Network Security Services (NSS) versions 3.17.x prior to 3.17.3, update to version 3.17.3 or later.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

ALT-PU-2015-1274

CVE-2014-1569

DLA-154-1

DSA-3186-1

MGASA-2014-0507

OPENSUSE-SU-2015_0404-1

OPENSUSE-SU-2024:10451-1

SUSE-SU-2015_0076-1

SUSE-SU-2015_0171-1

SUSE-SU-2015_0173-1

SUSE-SU-2015_0180-1

USN-2452-1

Affected Products

Alt Linux

Network Security Services

Suse

Ubuntu

PT-2014-4223 · Mozilla+3 · Network Security Services+3

CVE-2014-1569

Related Identifiers

Affected Products

References · 125