CVE-2014-1492

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.

References

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761

http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132437.html

http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00006.html

http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00015.html

http://lists.opensuse.org/opensuse-updates/2014-05/msg00010.html

http://lists.opensuse.org/opensuse-updates/2014-05/msg00033.html

http://seclists.org/fulldisclosure/2014/Dec/23

http://secunia.com/advisories/59866

http://secunia.com/advisories/60621

http://secunia.com/advisories/60794

http://www.debian.org/security/2014/dsa-2994

http://www.mozilla.org/security/announce/2014/mfsa2014-45.html

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

http://www.securityfocus.com/archive/1/534161/100/0/threaded

http://www.securityfocus.com/bid/66356

http://www.ubuntu.com/usn/USN-2159-1

http://www.ubuntu.com/usn/USN-2185-1

http://www.vmware.com/security/advisories/VMSA-2014-0012.html

https://bugzilla.mozilla.org/show_bug.cgi?id=903885

https://bugzilla.redhat.com/show_bug.cgi?id=1079851

https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes

https://hg.mozilla.org/projects/nss/rev/709d4e597979

https://security.gentoo.org/glsa/201504-01

Details

Source: MITRE

Published: 2014-03-25

Updated: 2018-10-09

Type: CWE-20

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:mozilla:network_security_services:3.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.2.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.3.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.3.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.4.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.4.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.6:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.6.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.7:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.7.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.7.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.7.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.7.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.7.7:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.8:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.9:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.11.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.11.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.11.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.11.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.3.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.3.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.6:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.7:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.8:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.9:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.10:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.11:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.14:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.14.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.14.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.14.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.14.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.14.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.15:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.15.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.15.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.15.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.15.3.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.15.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:* versions up to 3.15.5 (inclusive)

Tenable Plugins

View all (39 total)

IDNameProductFamilySeverity
701244Mozilla Firefox ESR < 24.5 Multiple VulnerabilitiesNessus Network MonitorWeb Clients
high
91202F5 Networks BIG-IP : Multiple Mozilla NSS vulnerabilities (K16716)NessusF5 Networks Local Security Checks
critical
83624SUSE SLES10 Security Update : Mozilla Firefox (SUSE-SU-2014:0727-1)NessusSuSE Local Security Checks
critical
83622SUSE SLES10 Security Update : Mozilla Firefox (SUSE-SU-2014:0665-2)NessusSuSE Local Security Checks
critical
83621SUSE SLES11 Security Update : Mozilla Firefox (SUSE-SU-2014:0665-1)NessusSuSE Local Security Checks
critical
82632GLSA-201504-01 : Mozilla Products: Multiple vulnerabilitiesNessusGentoo Local Security Checks
critical
82171Debian DLA-23-1 : nss security updateNessusDebian Local Security Checks
high
81942Mandriva Linux Security Advisory : nss (MDVSA-2015:059)NessusMandriva Local Security Checks
critical
78774Oracle OpenSSO Agent Multiple Vulnerabilities (October 2014 CPU)NessusCGI abuses
high
78541Oracle WebLogic Server Multiple Vulnerabilities (October 2014 CPU)NessusMisc.
high
77993CentOS 5 : nss (CESA-2014:1246)NessusCentOS Local Security Checks
critical
77955Scientific Linux Security Update : nss and nspr on SL5.x i386/x86_64 (20140916)NessusScientific Linux Local Security Checks
critical
77739Oracle Linux 5 : nspr / nss (ELSA-2014-1246)NessusOracle Linux Local Security Checks
critical
77699RHEL 5 : nss and nspr (RHSA-2014:1246)NessusRed Hat Local Security Checks
critical
77243RHEL 7 : nss, nss-util, nss-softokn (RHSA-2014:1073)NessusRed Hat Local Security Checks
medium
77242Oracle Linux 7 : nss / nss-softokn / nss-util (ELSA-2014-1073)NessusOracle Linux Local Security Checks
medium
77239CentOS 7 : nss / nss-softokn / nss-util (CESA-2014:1073)NessusCentOS Local Security Checks
medium
76950Debian DSA-2994-1 : nss - security updateNessusDebian Local Security Checks
high
76938Oracle Traffic Director Multiple Vulnerabilities (July 2014 CPU)NessusMisc.
high
76702Scientific Linux Security Update : nss and nspr on SL6.x i386/x86_64 (20140722)NessusScientific Linux Local Security Checks
critical
76698RHEL 6 : nss and nspr (RHSA-2014:0917)NessusRed Hat Local Security Checks
critical
76694Oracle Linux 6 : nspr / nss (ELSA-2014-0917)NessusOracle Linux Local Security Checks
critical
76686CentOS 6 : nspr / nss / nss-util (CESA-2014:0917)NessusCentOS Local Security Checks
critical
76593Oracle iPlanet Web Server 7.0.x < 7.0.20 Multiple VulnerabilitiesNessusWeb Servers
high
76592Oracle iPlanet Web Proxy Server 4.0 < 4.0.24 Multiple VulnerabilitiesNessusWindows
high
76591Oracle GlassFish Server Multiple Vulnerabilities (July 2014 CPU)NessusWeb Servers
high
75352openSUSE Security Update : seamonkey (openSUSE-SU-2014:0629-1)NessusSuSE Local Security Checks
critical
75346openSUSE Security Update : MozillaFirefox (openSUSE-SU-2014:0599-1)NessusSuSE Local Security Checks
critical
74006SuSE 11.3 Security Update : Mozilla Firefox (SAT Patch Number 9185)NessusSuSE Local Security Checks
critical
8214SeaMonkey < 2.26 Multiple VulnerabilitiesNessus Network MonitorWeb Clients
high
8213Mozilla Firefox < 29.0 Multiple VulnerabilitiesNessus Network MonitorWeb Clients
high
73848Fedora 19 : firefox-29.0-5.fc19 / thunderbird-24.5.0-1.fc19 / xulrunner-29.0-1.fc19 (2014-5829)NessusFedora Local Security Checks
critical
73786Ubuntu 12.04 LTS / 12.10 / 13.10 / 14.04 LTS : firefox vulnerabilities (USN-2185-1)NessusUbuntu Local Security Checks
critical
73779FreeBSD : mozilla -- multiple vulnerabilities (985d4d6c-cfbd-11e3-a003-b4b52fce4ce8)NessusFreeBSD Local Security Checks
critical
73771SeaMonkey < 2.26 Multiple VulnerabilitiesNessusWindows
critical
73769Firefox < 29.0 Multiple VulnerabilitiesNessusWindows
critical
73766Firefox < 29.0 Multiple Vulnerabilities (Mac OS X)NessusMacOS X Local Security Checks
critical
73316Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : nss vulnerability (USN-2159-1)NessusUbuntu Local Security Checks
medium
73250Slackware 14.0 / 14.1 / current : mozilla-nss (SSA:2014-086-04)NessusSlackware Local Security Checks
medium