Mozilla Thunderbird < 31.1.2 / ESR 24.8.1 RSA Signature Forgery in NSS
High Nessus Network Monitor Plugin ID 8412
Synopsis
The remote host is running a mail client that is vulnerable to a critical issue within the Network Security Services (NSS) library.
Description
Versions of Mozilla Thunderbird prior to 31.1.2 (or ESR version 24.8.1) use a vulnerable version of the Network Security Services library for cryptographic functionality. The issue stems from an incorrect check of signature padding, leading to potential signature forgery that can be leveraged for man-in-the-middle attacks over SSL.
Solution
Upgrade to Thunderbird 31.1.2 (or ESR version 24.8.1), or later.