The Intel Security Advanced Threat Research Team has discovered a critical signature forgery vulnerability in the Mozilla Network Security Services (NSS) crypto library.
A vulnerability in some versions of Mozilla NSS could lead to a security bypass. The flaw is a variant of the RSA signature verification vulnerability discovered in 2006. It is caused by an error in the checking of the signature padding, allowing an attacker to forge a signature without the need to know the private RSA keys. Successful exploitation could allow an attacker to bypass SSL authentication in any domain, and intercept and monitor secure traffic.
Mozilla have released an update to resolve this issue and public details have been disclosed.
Mozilla Foundation Security Advisory 2014-73
McAfee Threat Advisory MTIS14-147
No comments:
Post a Comment