Vulnerability Name: CVE-2014-1492

Assigned:2014-03-18
Published:2014-03-18
Updated:2017-11-14
Summary:The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
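The summary above describes a wildcard-matching flaw, so the following is an added illustration of the check involved. It is not NSS's cert_TestHostName and does not reproduce the NSS 3.16 patch; it is a small RFC 6125 style matcher written for this page, with the pre-fix behaviour (no IDN restriction) beside the hardened one, so the difference can be run and seen. The function names hostname_matches_legacy and hostname_matches_hardened and all test names (the U-label "bü", its A-label "xn--bcher-kva", and the example.com suffixes) are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive comparison of n bytes; bytes >= 0x80 compare raw. */
static int ci_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* 1 if the first `len` bytes form an IDN label: an A-label carrying the
 * IDNA ACE prefix "xn--", or a raw U-label containing non-ASCII bytes. */
static int is_idn_label(const char *label, size_t len)
{
    if (len >= 4 && ci_eq(label, "xn--", 4))
        return 1;
    for (size_t i = 0; i < len; i++)
        if ((unsigned char)label[i] >= 0x80)
            return 1;
    return 0;
}

/* Match `host` against a certificate name `pattern`. Rules enforced, in the
 * spirit of RFC 6125 section 6.4.3 (illustration only, not NSS code):
 *   - at most one '*', and only as the last byte of the left-most label
 *   - the pattern needs at least two further non-empty labels ("*.com" is out)
 *   - the literal prefix before '*' and every later label must match
 *     (ASCII case-insensitively); the host's left-most label must be non-empty
 *   - idn_aware only: a partial-label wildcard must not sit in an IDN label
 *     and must not match a host whose left-most label is an IDN label. */
static int match_impl(const char *pattern, const char *host, int idn_aware)
{
    const char *star = strchr(pattern, '*');
    if (star == NULL)                       /* plain name: exact match only */
        return strlen(pattern) == strlen(host) && ci_eq(pattern, host, strlen(host));

    const char *pdot = strchr(pattern, '.');
    const char *hdot = strchr(host, '.');
    if (pdot == NULL || hdot == NULL || star + 1 != pdot)
        return 0;                           /* '*' must end the first label */
    if (strchr(star + 1, '*') != NULL)      /* a second '*' is never allowed */
        return 0;

    const char *sdot = strchr(pdot + 1, '.');
    if (sdot == NULL || sdot == pdot + 1 || sdot[1] == '\0')
        return 0;                           /* fewer than two labels after '*' */

    size_t prefix_len = (size_t)(star - pattern);
    size_t hlabel_len = (size_t)(hdot - host);
    if (hlabel_len == 0 || hlabel_len < prefix_len)
        return 0;
    if (!ci_eq(pattern, host, prefix_len))  /* literal part before '*' */
        return 0;
    if (strlen(pdot) != strlen(hdot) || !ci_eq(pdot, hdot, strlen(pdot)))
        return 0;                           /* suffix labels must be identical */

    /* The CVE-2014-1492 class of problem: a wildcard embedded in an IDN label
     * ("xn--*.example.com", or a U-label such as "bü*.example.com") must not
     * act as a wildcard over arbitrary internationalized names. A bare "*"
     * label (prefix_len == 0) may still match an IDN host label. */
    if (idn_aware && prefix_len > 0 &&
        (is_idn_label(pattern, prefix_len) || is_idn_label(host, hlabel_len)))
        return 0;
    return 1;
}

/* Pre-fix behaviour: no IDN restriction (hypothetical name). */
int hostname_matches_legacy(const char *pattern, const char *host)
{ return match_impl(pattern, host, 0); }

/* Hardened behaviour (hypothetical name). */
int hostname_matches_hardened(const char *pattern, const char *host)
{ return match_impl(pattern, host, 1); }

int main(void)
{
    /* Constructed test names. "b\xc3\xbc" is UTF-8 for the U-label "bü";
     * "xn--bcher-kva" is the A-label of "bücher". */
    static const char *cases[][2] = {
        { "*.example.com",          "www.example.com" },
        { "www*.example.com",       "www2.example.com" },
        { "xn--*.example.com",      "xn--bcher-kva.example.com" },
        { "b\xc3\xbc*.example.com", "b\xc3\xbc" "cher.example.com" },
        { "*.example.com",          "xn--bcher-kva.example.com" },
        { "*.com",                  "example.com" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-26s vs %-28s legacy=%d hardened=%d\n", cases[i][0], cases[i][1],
               hostname_matches_legacy(cases[i][0], cases[i][1]),
               hostname_matches_hardened(cases[i][0], cases[i][1]));
    return 0;
}
```

The two interesting rows are the "xn--*" and "bü*" patterns: the legacy matcher accepts them against any host whose left-most label happens to share the literal prefix, which for an A-label prefix of "xn--" means every punycode-encoded name under that suffix; the hardened matcher refuses a partial wildcard whenever either side's left-most label is an IDN label, while still allowing a bare "*." to cover an IDN host.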
CVSS v3 Severity:5.3 Medium (CCN CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
2.6 Low (REDHAT CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
1.9 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-20
CWE-172
CWE-697
CWE-295
References:Source: CONFIRM
Type: UNKNOWN
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761

Source: FEDORA
Type: UNKNOWN
FEDORA-2014-5829

Source: SUSE
Type: UNKNOWN
SUSE-SU-2014:0665

Source: SUSE
Type: UNKNOWN
SUSE-SU-2014:0727

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2014:0599

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2014:0629

Source: FULLDISC
Type: UNKNOWN
20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities

Source: SECUNIA
Type: UNKNOWN
60621

Source: SECUNIA
Type: UNKNOWN
60794

Source: DEBIAN
Type: UNKNOWN
DSA-2994

Source: CONFIRM
Type: UNKNOWN
http://www.mozilla.org/security/announce/2014/mfsa2014-45.html

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

Source: BUGTRAQ
Type: UNKNOWN
20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities

Source: BID
Type: UNKNOWN
66356

Source: UBUNTU
Type: UNKNOWN
USN-2159-1

Source: UBUNTU
Type: UNKNOWN
USN-2185-1

Source: CONFIRM
Type: UNKNOWN
http://www.vmware.com/security/advisories/VMSA-2014-0012.html

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.mozilla.org/show_bug.cgi?id=903885

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=1079851

Source: CONFIRM
Type: UNKNOWN
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes

Source: XF
Type: UNKNOWN
mozilla-nss-cve20141492-unspec(91988)

Source: CONFIRM
Type: PATCH
https://hg.mozilla.org/projects/nss/rev/709d4e597979

Source: GENTOO
Type: UNKNOWN
GLSA-201504-01

Vulnerable Configuration:Configuration 1:
  • cpe:/a:mozilla:network_security_services:3.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.4:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.5:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.6:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.7:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.7.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.7.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.7.5:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.7.7:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.8:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.9:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.11.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.11.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.11.4:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.11.5:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.12:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.12.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.12.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.12.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.12.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.12.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.12.4:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.12.5:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.12.6:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.12.7:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.12.8:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.12.9:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.12.10:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.12.11:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.14:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.14.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.14.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.14.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.14.4:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.14.5:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.15:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.15.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.15.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.15.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.15.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.15.4:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:network_security_services:3.15.5:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:mozilla:network_security_services:3.14.1:*:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:client_workstation:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:client:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.4.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:smartcloud_provisioning:2.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:28.0:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:seamonkey:2.25:-:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions (Class: V = vulnerability definition, P = patch definition)
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:20141492 | V | CVE-2014-1492 | 2018-08-15
    oval:org.mitre.oval:def:26451 | P | RHSA-2014:1246: nss and nspr security, bug fix, and enhancement update (Moderate) | 2015-04-13
    oval:org.mitre.oval:def:25349 | P | SUSE-SU-2014:0727-1 -- Security update for Mozilla Firefox | 2015-03-16
    oval:org.mitre.oval:def:25177 | P | SUSE-SU-2014:0638-1 -- Security update for Mozilla Firefox | 2015-03-16
    oval:org.mitre.oval:def:25501 | P | SUSE-SU-2014:0665-1 -- Security update for Mozilla Firefox | 2015-03-16
    oval:org.mitre.oval:def:25227 | P | SUSE-SU-2014:0638-2 -- Security update for Mozilla Firefox | 2015-03-16
    oval:org.mitre.oval:def:25341 | P | SUSE-SU-2014:0665-2 -- Security update for Mozilla Firefox | 2015-03-16
    oval:org.mitre.oval:def:27117 | P | ELSA-2014-0917 -- nss and nspr security, bug fix, and enhancement update (critical) | 2014-12-15
    oval:org.mitre.oval:def:27251 | P | ELSA-2014-1073 -- nss, nss-util, nss-softokn security, bug fix, and enhancement update (low) | 2014-12-15
    oval:org.mitre.oval:def:26119 | P | ELSA-2014-1246 -- nss and nspr security, bug fix, and enhancement update (Moderate) | 2014-11-17
    oval:org.mitre.oval:def:26703 | P | RHBA-2014:1047: nss and nspr bug fix and enhancement update (Moderate) | 2014-10-27
    oval:org.mitre.oval:def:26168 | P | RHSA-2014:1073: nss, nss-util, nss-softokn security, bug fix, and enhancement update (Low) | 2014-10-27
    oval:org.mitre.oval:def:26141 | P | DSA-2994-1 -- nss - security update | 2014-10-06
    oval:org.mitre.oval:def:24541 | V | Incorrect IDNA domain name matching for wildcard certificates | 2014-10-06
    oval:com.redhat.rhsa:def:20141246 | P | RHSA-2014:1246: nss and nspr security, bug fix, and enhancement update (Moderate) | 2014-09-16
    oval:org.mitre.oval:def:25116 | P | RHSA-2014:0917: nss and nspr security, bug fix, and enhancement update (Critical) | 2014-09-08
    oval:com.redhat.rhsa:def:20141073 | P | RHSA-2014:1073: nss, nss-util, nss-softokn security, bug fix, and enhancement update (Low) | 2014-08-18
    oval:com.redhat.rhsa:def:20140917 | P | RHSA-2014:0917: nss and nspr security, bug fix, and enhancement update (Critical) | 2014-07-22
    oval:org.mitre.oval:def:24839 | P | USN-2185-1 -- firefox vulnerabilities | 2014-07-07
    oval:org.mitre.oval:def:24484 | P | USN-2159-1 -- nss vulnerability | 2014-07-07
    oval:com.ubuntu.trusty:def:20141492000 | V | CVE-2014-1492 on Ubuntu 14.04 LTS (trusty) - medium. | 2014-03-25
    oval:com.ubuntu.precise:def:20141492000 | V | CVE-2014-1492 on Ubuntu 12.04 LTS (precise) - medium. | 2014-03-25