[arch-security] [Arch Linux Security Advisory 201409-1] NSS: Signature forgery attack

Remi Gacogne rgacogne-arch at coredump.fr
Thu Sep 25 16:55:29 UTC 2014

Arch Linux Security Advisory 201409-1

Severity: High
Date    : 2014-09-24
CVE-ID  : CVE-2014-1568
Package : nss
Type    : Signature forgery attack
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014


The package nss before version 3.17.1-1 is vulnerable to a signature
forgery attack.


Upgrade to 3.17.1-1.

The problem has been fixed upstream in version 3.17.1.


Antoine Delignat-Lavaud, security researcher at Inria Paris in team
Prosecco, reported an issue in Network Security Services (NSS) libraries
affecting all versions. He discovered that NSS is vulnerable to a
variant of a signature forgery attack previously published by Daniel
Bleichenbacher. This is due to lenient parsing of ASN.1 values involved
in a signature and could lead to the forging of RSA certificates.

The Advanced Threat Research team at Intel Security also independently
discovered and reported this issue.


This vulnerability may allow an attacker to forge false RSA
certificates, considered valid by applications, like Firefox or
Thunderbird, that rely on NSS to valid certificates.
This could for example be used to conduct Man-In-The-Middle attack.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-security/attachments/20140925/f6adf4f1/attachment.asc>

More information about the arch-security mailing list