
Mozilla Firefox < 43.0.2 RSA-MD5 Collision-based Forgery Weakness (SLOTH)

Medium

Synopsis

The remote host has a web browser installed that may accept MD5 signatures within TLS 1.2.

Description

The installed version of Firefox is prior to 43.0.2. It is therefore affected by a collision-based forgery vulnerability in the TLS protocol, known as SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes), because it accepts RSA-MD5 signatures in the server signature of TLS 1.2 ServerKeyExchange messages during a TLS handshake. A man-in-the-middle attacker can exploit this, via a transcript collision attack, to impersonate a TLS server. (CVE-2015-7575)
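To check captured handshakes for the condition described above, the following added example (not part of the plugin or of Firefox) reads the SignatureAndHashAlgorithm field of a TLS 1.2 ServerKeyExchange message and flags RSA-MD5. The function names are hypothetical, the sample message is constructed, and the caller is assumed to know the key exchange type from the negotiated cipher suite.

```python
# TLS 1.2 SignatureAndHashAlgorithm code points (RFC 5246, section 7.4.1.4.1).
HASH = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}


def ske_signature_algorithm(msg: bytes, kex: str) -> tuple:
    """Return (hash, signature) names from a TLS 1.2 ServerKeyExchange message.

    kex ("ECDHE" or "DHE") comes from the negotiated cipher suite; the message
    itself does not say which parameter layout it carries.
    """
    if len(msg) < 4 or msg[0] != 12:  # handshake type 12 = server_key_exchange
        raise ValueError("not a ServerKeyExchange handshake message")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length does not match message size")
    if kex == "ECDHE":
        if len(body) < 4 or body[0] != 3:  # curve_type 3 = named_curve
            raise ValueError("unsupported or truncated ECDH parameters")
        off = 4 + body[3]  # curve_type(1) + named_curve(2) + point length(1) + point
    elif kex == "DHE":
        off = 0
        for _ in range(3):  # dh_p, dh_g, dh_Ys: 2-byte length, then value
            off += 2 + int.from_bytes(body[off:off + 2], "big")
    else:
        raise ValueError("kex must be 'ECDHE' or 'DHE'")
    if off + 4 > len(body):
        raise ValueError("truncated before signature")
    sig_len = int.from_bytes(body[off + 2:off + 4], "big")
    if off + 4 + sig_len != len(body):
        raise ValueError("signature length does not match message size")
    h, s = body[off], body[off + 1]
    return HASH.get(h, f"unknown({h})"), SIG.get(s, f"unknown({s})")


def is_rsa_md5(msg: bytes, kex: str) -> bool:
    """True when the server signed its key exchange parameters with RSA-MD5."""
    return ske_signature_algorithm(msg, kex) == ("md5", "rsa")


def constructed_ske(hash_id: int, sig_id: int) -> bytes:
    """Constructed ECDHE sample: secp256r1 (23), zero-filled point and signature."""
    body = bytes([3, 0, 23, 65, 4]) + bytes(64)  # params with a 65-byte point
    body += bytes([hash_id, sig_id]) + (256).to_bytes(2, "big") + bytes(256)
    return b"\x0c" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for ids in ((1, 1), (4, 1)):
        print(ids, is_rsa_md5(constructed_ske(*ids), "ECDHE"))
```

The field only exists in TLS 1.2 handshakes; earlier protocol versions carry no SignatureAndHashAlgorithm bytes before the signature.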

Solution

Upgrade to Firefox 43.0.2 or later.