Executive Summary

Informations
Name MDVSA-2014:189 First vendor Publication 2014-09-25
Vendor Mandriva Last vendor Modification 2014-09-25
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 7.5 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A vulnerability has been discovered and corrected in Mozilla NSS:

Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates (CVE-2014-1568).

The updated NSPR packages have been upgraded to the latest 4.10.7 version.

The updated NSS packages have been upgraded to the latest 3.17.1 version which is not vulnerable to this issue.

Additionally the rootcerts package has also been updated to the latest version as of 2014-08-05.

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDVSA-2014:189

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-310 Cryptographic Issues

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:26436
 
Oval ID: oval:org.mitre.oval:def:26436
Title: SUSE-SU-2014:1220-3 -- Security update for mozilla-nss
Description: Mozilla NSS was updated to version 3.16.5 to fix a RSA certificate forgery issue. MFSA 2014-73 / CVE-2014-1568: Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates. The Advanced Threat Research team at Intel Security also independently discovered and reported this issue. Security Issues: * CVE-2014-1568 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568>
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1220-3
CVE-2014-1568
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
Product(s): mozilla-nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26453
 
Oval ID: oval:org.mitre.oval:def:26453
Title: USN-2361-1 -- nss vulnerability
Description: Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet.
Family: unix Class: patch
Reference(s): USN-2361-1
CVE-2014-1568
Version: 3
Platform(s): Ubuntu 14.04
Ubuntu 12.04
Ubuntu 10.04
Product(s): nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26574
 
Oval ID: oval:org.mitre.oval:def:26574
Title: DSA-3033-1 nss - security update
Description: Antoine Delignat-Lavaud from Inria discovered an issue in the way NSS (the Mozilla Network Security Service library) was parsing ASN.1 data used in signatures, making it vulnerable to a signature forgery attack.
Family: unix Class: patch
Reference(s): DSA-3033-1
CVE-2014-1568
Version: 3
Platform(s): Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
Product(s): nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26586
 
Oval ID: oval:org.mitre.oval:def:26586
Title: USN-2360-2 -- thunderbird vulnerabilities
Description: Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet.
Family: unix Class: patch
Reference(s): USN-2360-2
CVE-2014-1568
Version: 3
Platform(s): Ubuntu 14.04
Ubuntu 12.04
Product(s): thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26709
 
Oval ID: oval:org.mitre.oval:def:26709
Title: SUSE-SU-2014:1220-4 -- Security update for mozilla-nss
Description: Mozilla NSS was updated to version 3.16.5 to fix a RSA certificate forgery issue. MFSA 2014-73 / CVE-2014-1568: Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates. The Advanced Threat Research team at Intel Security also independently discovered and reported this issue. Security Issues: * CVE-2014-1568 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568>
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1220-4
CVE-2014-1568
Version: 3
Platform(s): SUSE Linux Enterprise Server 10
Product(s): mozilla-nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26725
 
Oval ID: oval:org.mitre.oval:def:26725
Title: RHSA-2014:1307: nss security update (Important)
Description: Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. A flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation One) input from certain RSA signatures. A remote attacker could use this flaw to forge RSA certificates by providing a specially crafted signature to an application using NSS. (CVE-2014-1568) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Antoine Delignat-Lavaud and Intel Product Security Incident Response Team as the original reporters. All NSS users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, applications using NSS must be restarted for this update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:1307-00
CESA-2014:1307
CVE-2014-1568
Version: 5
Platform(s): Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 5
CentOS Linux 7
CentOS Linux 6
CentOS Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26832
 
Oval ID: oval:org.mitre.oval:def:26832
Title: USN-2360-1 -- firefox vulnerabilities
Description: Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet.
Family: unix Class: patch
Reference(s): USN-2360-1
CVE-2014-1568
Version: 3
Platform(s): Ubuntu 14.04
Ubuntu 12.04
Product(s): firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26842
 
Oval ID: oval:org.mitre.oval:def:26842
Title: DSA-3034-1 iceweasel - security update
Description: Antoine Delignat-Lavaud from Inria discovered an issue in the way NSS (the Mozilla Network Security Service library, embedded in Wheezy's Iceweasel package), was parsing ASN.1 data used in signatures, making it vulnerable to a signature forgery attack.
Family: unix Class: patch
Reference(s): DSA-3034-1
CVE-2014-1568
Version: 3
Platform(s): Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
Product(s): iceweasel
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26891
 
Oval ID: oval:org.mitre.oval:def:26891
Title: DSA-3037-1 icedove - security update
Description: Antoine Delignat-Lavaud from Inria discovered an issue in the way NSS (the Mozilla Network Security Service library, embedded in Wheezy's Icedove), was parsing ASN.1 data used in signatures, making it vulnerable to a signature forgery attack.
Family: unix Class: patch
Reference(s): DSA-3037-1
CVE-2014-1568
Version: 3
Platform(s): Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
Product(s): icedove
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26948
 
Oval ID: oval:org.mitre.oval:def:26948
Title: SUSE-SU-2014:1220-2 -- Security update for mozilla-nss
Description: Mozilla NSS was updated to 3.16.5 to fix a RSA certificate forgery issue. MFSA 2014-73 / CVE-2014-1568: Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates. The Advanced Threat Research team at Intel Security also independently discovered and reported this issue. Security Issues: * CVE-2014-1568 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568>
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1220-2
CVE-2014-1568
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
Product(s): mozilla-nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27025
 
Oval ID: oval:org.mitre.oval:def:27025
Title: SUSE-SU-2014:1220-1 -- Security update for mozilla-nss
Description: Mozilla NSS was updated to version 3.16.5 to fix a RSA certificate forgery issue. MFSA 2014-73 / CVE-2014-1568: Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates. The Advanced Threat Research team at Intel Security also independently discovered and reported this issue. Security Issues: * CVE-2014-1568 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568>
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1220-1
CVE-2014-1568
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): mozilla-nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27058
 
Oval ID: oval:org.mitre.oval:def:27058
Title: ELSA-2014-1307 -- nss security update (Important)
Description: Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. A flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation One) input from certain RSA signatures. A remote attacker could use this flaw to forge RSA certificates by providing a specially crafted signature to an application using NSS. (CVE-2014-1568) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Antoine Delignat-Lavaud and Intel Product Security Incident Response Team as the original reporters. All NSS users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, applications using NSS must be restarted for this update to take effect.
Family: unix Class: patch
Reference(s): ELSA-2014-1307
CVE-2014-1568
Version: 3
Platform(s): Oracle Linux 7
Oracle Linux 5
Oracle Linux 6
Product(s): nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:28150
 
Oval ID: oval:org.mitre.oval:def:28150
Title: SUSE-SU-2014:1510-1 -- Security update for MozillaFirefox and mozilla-nss (moderate)
Description: - update to Firefox 31.2.0 ESR (bnc#900941) * MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 (bmo#1001994, bmo#1011354, bmo#1018916, bmo#1020034, bmo#1023035, bmo#1032208, bmo#1033020, bmo#1034230, bmo#1061214, bmo#1061600, bmo#1064346, bmo#1072044, bmo#1072174) Miscellaneous memory safety hazards (rv:33.0/rv:31.2) * MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow during CSS manipulation * MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio memory corruption issues with custom waveforms * MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds write with WebM video * MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free interacting with text directionality * MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981) Inconsistent video sharing within iframe * MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing cross-origin objects via the Alarms API - SSLv3 is disabled by default. See README.POODLE for more detailed information. - disable call home features - update to 3.17.2 (bnc#900941) Bugfix release * bmo#1049435 - Importing an RSA private key fails if p < q * bmo#1057161 - NSS hangs with 100% CPU on invalid EC key * bmo#1078669 - certutil crashes when using the --certVersion parameter - changes from earlier version of the 3.17 branch: update to 3.17.1 (bnc#897890) * MFSA 2014-73/CVE-2014-1568 (bmo#1064636, bmo#1069405) RSA Signature Forgery in NSS * Change library's signature algorithm default to SHA256 * Add support for draft-ietf-tls-downgrade-scsv * Add clang-cl support to the NSS build system * Implement TLS 1.3: * Part 1. Negotiate TLS 1.3 * Part 2. Remove deprecated cipher suites andcompression. * Add support for little-endian powerpc64 update to 3.17 * required for Firefox 33 New functionality: * When using ECDHE, the TLS server code may be configured to generate a fresh ephemeral ECDH key for each handshake, by setting the SSL_REUSE_SERVER_ECDHE_KEY socket option to PR_FALSE. The SSL_REUSE_SERVER_ECDHE_KEY option defaults to PR_TRUE, which means the server's ephemeral ECDH key is reused for multiple handshakes. This option does not affect the TLS client code, which always generates a fresh ephemeral ECDH key for each handshake. New Macros * SSL_REUSE_SERVER_ECDHE_KEY Notable Changes: * The manual pages for the certutil and pp tools have been updated to document the new parameters that had been added in NSS 3.16.2.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1510-1
CVE-2014-1574
CVE-2014-1575
CVE-2014-1576
CVE-2014-1577
CVE-2014-1578
CVE-2014-1581
CVE-2014-1585
CVE-2014-1586
CVE-2014-1583
CVE-2014-1568
Version: 5
Platform(s): SUSE Linux Enterprise Desktop 12
Product(s): MozillaFirefox
mozilla-nss
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application