Mozilla Thunderbird < 31.1.2 / ESR 24.8.1 RSA Signature Forgery in NSS

High

Synopsis

The remote host is running a mail client that is vulnerable to a critical issue within the Network Security Services (NSS) library.

Description

Versions of Mozilla Thunderbird prior to 31.1.2 (or ESR version 24.8.1) utilize a vulnerable version of the Network Security Services library for cryptographic functionality. The issue stems from an incorrect check of signature padding, leading to potential signature forgery that can be leveraged for man-in-the-middle attacks over SSL.

Solution

Upgrade to Thunderbird 31.1.2 (or ESR version 24.8.1), or later.