PT-2019-4551 · Mozilla+5 · Firefox+5

Hubert Kario

·

Published

2019-07-09

·

Updated

2024-12-12

·

CVE-2019-11727

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions Firefox versions prior to 68
Description The issue is related to an error in the CertificateVerify service of the Network Security Services (NSS), which can be exploited by a remote attacker to impact data integrity. Specifically, it is possible to force NSS to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3, although PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages.
Recommendations For versions prior to 68, update to version 68 or later to resolve the issue. As a temporary workaround, consider restricting the use of TLS 1.3 until a patch is available. Avoid using PKCS#1 v1.5 signatures for TLS 1.3 messages in the affected CertificateVerify service.

Exploit

Fix

Improper Certificate Validation

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-295

Related Identifiers

ALT-PU-2019-2301
ALT-PU-2019-2324
ALT-PU-2019-2479
ALT-PU-2019-2486
BDU:2020-00597
CESA-2019_1951
CESA-2020_4076
CVE-2019-11727
MGASA-2019-0213
MGASA-2019-0272
OPENSUSE-SU-2019:2248-1
OPENSUSE-SU-2019:2249-1
OPENSUSE-SU-2019:2251-1
OPENSUSE-SU-2019:2260-1
OPENSUSE-SU-2019_2248-1
OPENSUSE-SU-2019_2249-1
OPENSUSE-SU-2019_2251-1
OPENSUSE-SU-2019_2260-1
OPENSUSE-SU-2024:10600-1
OPENSUSE-SU-2024:11058-1
OPENSUSE-SU-2024:14572-1
RHSA-2019:1951
RHSA-2019_1951
RHSA-2020:4076
RHSA-2020_4076
SUSE-SU-2019:14246-1
SUSE-SU-2019:2515-1
SUSE-SU-2019:2545-1
SUSE-SU-2019:2620-1
SUSE-SU-2019_14246-1
SUSE-SU-2020:14418-1
SUSE-SU-2020_14418-1
USN-4054-1
USN-4054-2
USN-4060-1

Affected Products

Alt Linux
Centos
Firefox
Red Hat
Suse
Ubuntu