Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2014-1492

Disclosure Date: March 25, 2014
CVE-2014-1492
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name’s U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • mozilla

Products

  • network security services,
  • network security services 3.11.2,
  • network security services 3.11.3,
  • network security services 3.11.4,
  • network security services 3.11.5,
  • network security services 3.12,
  • network security services 3.12.1,
  • network security services 3.12.10,
  • network security services 3.12.11,
  • network security services 3.12.2,
  • network security services 3.12.3,
  • network security services 3.12.3.1,
  • network security services 3.12.3.2,
  • network security services 3.12.4,
  • network security services 3.12.5,
  • network security services 3.12.6,
  • network security services 3.12.7,
  • network security services 3.12.8,
  • network security services 3.12.9,
  • network security services 3.14,
  • network security services 3.14.1,
  • network security services 3.14.2,
  • network security services 3.14.3,
  • network security services 3.14.4,
  • network security services 3.14.5,
  • network security services 3.15,
  • network security services 3.15.1,
  • network security services 3.15.2,
  • network security services 3.15.3,
  • network security services 3.15.3.1,
  • network security services 3.15.4,
  • network security services 3.2,
  • network security services 3.2.1,
  • network security services 3.3,
  • network security services 3.3.1,
  • network security services 3.3.2,
  • network security services 3.4,
  • network security services 3.4.1,
  • network security services 3.4.2,
  • network security services 3.5,
  • network security services 3.6,
  • network security services 3.6.1,
  • network security services 3.7,
  • network security services 3.7.1,
  • network security services 3.7.2,
  • network security services 3.7.3,
  • network security services 3.7.5,
  • network security services 3.7.7,
  • network security services 3.8,
  • network security services 3.9

References

Canonical
CVE-2014-1492 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1492)
BID-66356 (http://www.securityfocus.com/bid/66356)
Advisory
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
DSA-2994 (http://www.debian.org/security/2014/dsa-2994)
http://lists.opensuse.org/opensuse-updates/2014-05/msg00010.html
http://lists.opensuse.org/opensuse-updates/2014-05/msg00033.html
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
http://www.mozilla.org/security/announce/2014/mfsa2014-45.html
20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities (http://www.securityfocus.com/archive/1/534161/100/0/threaded)
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00015.html
SECUNIA-60621 (http://secunia.com/advisories/60621)
SECUNIA-60794 (http://secunia.com/advisories/60794)
GLSA-201504-01 (https://security.gentoo.org/glsa/201504-01)
SECUNIA-59866 (http://secunia.com/advisories/59866)
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761
https://bugzilla.mozilla.org/show_bug.cgi?id=903885
20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities (http://seclists.org/fulldisclosure/2014/Dec/23)
http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00006.html
https://hg.mozilla.org/projects/nss/rev/709d4e597979
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
USN-2185-1 (http://www.ubuntu.com/usn/USN-2185-1)
https://bugzilla.redhat.com/show_bug.cgi?id=1079851
USN-2159-1 (http://www.ubuntu.com/usn/USN-2159-1)
FEDORA-2014-5829 (http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132437.html)

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis