Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

0

CVE-2006-4340

Disclosure Date: September 15, 2006 •

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates, a similar vulnerability to CVE-2006-4339. NOTE: on 20061107, Mozilla released an advisory stating that these versions were not completely patched by MFSA2006-60. The newer fixes for 1.5.0.7 are covered by CVE-2006-5462.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

mozilla

Products

firefox,
network security services,
seamonkey,
thunderbird

References

Canonical

CVE-2006-4340 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4340)

Advisory

SECTRACK-1016858 (http://securitytracker.com/id?1016858)

SECUNIA-22992 (http://secunia.com/advisories/22992)

ADV-2006-3748 (http://www.vupen.com/english/advisories/2006/3748)

SECTRACK-1016859 (http://securitytracker.com/id?1016859)

http://www.redhat.com/support/errata/RHSA-2006-0676.html

SECUNIA-23883 (http://secunia.com/advisories/23883)

ADV-2006-3899 (http://www.vupen.com/english/advisories/2006/3899)

SECUNIA-22044 (http://secunia.com/advisories/22044)

SECUNIA-22055 (http://secunia.com/advisories/22055)

SECUNIA-22195 (http://secunia.com/advisories/22195)

USN-361-1 (http://www.ubuntu.com/usn/usn-361-1)

USN-352-1 (http://www.ubuntu.com/usn/usn-352-1)

SECUNIA-22446 (http://secunia.com/advisories/22446)

SECUNIA-21950 (http://secunia.com/advisories/21950)

USN-351-1 (http://www.ubuntu.com/usn/usn-351-1)

SECUNIA-22025 (http://secunia.com/advisories/22025)

SECUNIA-22056 (http://secunia.com/advisories/22056)

[ietf-openpgp] 20060827 Bleichenbacher's RSA signature forgery based on implementation error (http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html)

TA06-312A (http://www.us-cert.gov/cas/techalerts/TA06-312A.html)

SECUNIA-22247 (http://secunia.com/advisories/22247)

http://www.mandriva.com/security/advisories?name=MDKSA-2006:168

DSA-1191 (http://www.us.debian.org/security/2006/dsa-1191)

ADV-2007-0293 (http://www.vupen.com/english/advisories/2007/0293)

SECUNIA-22210 (http://secunia.com/advisories/22210)

DSA-1210 (http://www.debian.org/security/2006/dsa-1210)

SECUNIA-24711 (http://secunia.com/advisories/24711)

ADV-2006-3622 (http://www.vupen.com/english/advisories/2006/3622)

http://support.avaya.com/elmodocs2/security/ASA-2006-224.htm

SECTRACK-1016860 (http://securitytracker.com/id?1016860)

SECUNIA-22849 (http://secunia.com/advisories/22849)

ADV-2008-0083 (http://www.vupen.com/english/advisories/2008/0083)

SECUNIA-21939 (http://secunia.com/advisories/21939)

ADV-2006-3617 (http://www.vupen.com/english/advisories/2006/3617)

GLSA-200610-06 (http://www.gentoo.org/security/en/glsa/glsa-200610-06.xml)

SECUNIA-21915 (http://secunia.com/advisories/21915)

ADV-2007-1198 (http://www.vupen.com/english/advisories/2007/1198)

http://www.redhat.com/support/errata/RHSA-2006-0677.html

DSA-1192 (http://www.debian.org/security/2006/dsa-1192)

http://support.avaya.com/elmodocs2/security/ASA-2006-250.htm

GLSA-200609-19 (http://security.gentoo.org/glsa/glsa-200609-19.xml)

SSRT061181 (http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00771742)

SECUNIA-22274 (http://secunia.com/advisories/22274)

http://www.redhat.com/support/errata/RHSA-2006-0675.html

SECUNIA-21940 (http://secunia.com/advisories/21940)

XF-mozilla-nss-security-bypass(30098) (https://exchange.xforce.ibmcloud.com/vulnerabilities/30098)

SUNALERT-102648 (http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1)

SECUNIA-22001 (http://secunia.com/advisories/22001)

20060915 rPSA-2006-0169-1 firefox thunderbird (http://www.securityfocus.com/archive/1/446140/100/0/threaded)

SECUNIA-21903 (http://secunia.com/advisories/21903)

USN-350-1 (http://www.ubuntu.com/usn/usn-350-1)

SECUNIA-21906 (http://secunia.com/advisories/21906)

SECUNIA-22342 (http://secunia.com/advisories/22342)

GLSA-200610-01 (http://security.gentoo.org/glsa/glsa-200610-01.xml)

SECUNIA-22074 (http://secunia.com/advisories/22074)

SECUNIA-22226 (http://secunia.com/advisories/22226)

SECUNIA-22066 (http://secunia.com/advisories/22066)

SECUNIA-22088 (http://secunia.com/advisories/22088)

SECUNIA-21949 (http://secunia.com/advisories/21949)

http://www.novell.com/linux/security/advisories/2006_54_mozilla.html

https://issues.rpath.com/browse/RPL-640

http://www.mozilla.org/security/announce/2006/mfsa2006-66.html

SECUNIA-22036 (http://secunia.com/advisories/22036)

http://www.novell.com/linux/security/advisories/2006_55_ssl.html

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11007

USN-354-1 (http://www.ubuntu.com/usn/usn-354-1)

SUNALERT-102781 (http://sunsolve.sun.com/search/document.do?assetkey=1-26-102781-1)

SECUNIA-22422 (http://secunia.com/advisories/22422)

SECUNIA-22299 (http://secunia.com/advisories/22299)

http://www.mandriva.com/security/advisories?name=MDKSA-2006:169

SECUNIA-21916 (http://secunia.com/advisories/21916)

Miscellaneous

http://www.matasano.com/log/469/many-rsa-signatures-may-be-forgeable-in-openssl-and-elsewhere

http://www.mozilla.org/security/announce/2006/mfsa2006-60.html

http://www.matasano.com/log/469/many-rsa-signatures-may-be-forgeable-in-openssl-and-elsewhere/

Rapid7

Technical Analysis