Data Smuggling Vulnerability in Mozilla Network Security Services
CVE-2014-1569

Currently unrated

Key Information:

Vendor: Mozilla
CVE Published: 15 December 2014

What is CVE-2014-1569?

The definite_length_decoder function in Mozilla's Network Security Services (NSS) before 3.16.2.4, and in 3.17.x before 3.17.3, does not adequately verify that the DER encoding of an ASN.1 length is well formed. A remote attacker can use a crafted long byte sequence for an encoding to carry out data-smuggling attacks, which take advantage of the SEC_QuickDERDecodeItem function's improper handling of arbitrary-length encodings.
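The check at issue, as an added example (not NSS code and not the NSS patch): DER permits exactly one encoding of each length, so a strict decoder rejects long-form lengths that are zero-padded or that would fit the short form. The function name, result codes and sample bytes are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes: names chosen for this example. */
enum { DER_OK = 0, DER_TRUNCATED = -1, DER_INDEFINITE = -2,
       DER_NON_MINIMAL = -3, DER_TOO_LARGE = -4 };

/* Parse the length octets at buf[0..n). On DER_OK, *len holds the content
 * length and *used the number of length octets consumed. */
int der_read_length(const uint8_t *buf, size_t n, size_t *len, size_t *used)
{
    if (n == 0) return DER_TRUNCATED;
    if (buf[0] < 0x80) {                 /* short form: 0..127 in one octet */
        *len = buf[0];
        *used = 1;
        return DER_OK;
    }
    size_t count = buf[0] & 0x7f;        /* long form: octets that follow */
    if (count == 0) return DER_INDEFINITE;        /* 0x80 is BER-only */
    if (count > sizeof(size_t)) return DER_TOO_LARGE;
    if (n < 1 + count) return DER_TRUNCATED;
    if (buf[1] == 0x00) return DER_NON_MINIMAL;   /* padded with a zero octet */
    size_t v = 0;
    for (size_t i = 0; i < count; i++)
        v = (v << 8) | buf[1 + i];
    if (v < 0x80) return DER_NON_MINIMAL;         /* short form was required */
    *len = v;
    *used = 1 + count;
    return DER_OK;
}

int main(void)
{
    /* Constructed inputs: the length 5 encoded three ways, then length 200. */
    static const uint8_t minimal[] = { 0x05 };
    static const uint8_t long_small[] = { 0x81, 0x05 };
    static const uint8_t padded[] = { 0x84, 0x00, 0x00, 0x00, 0x05 };
    static const uint8_t valid_long[] = { 0x81, 0xC8 };
    size_t len = 0, used = 0;
    printf("05             -> %d\n", der_read_length(minimal, 1, &len, &used));
    printf("81 05          -> %d\n", der_read_length(long_small, 2, &len, &used));
    printf("84 00 00 00 05 -> %d\n", der_read_length(padded, 5, &len, &used));
    printf("81 C8          -> %d\n", der_read_length(valid_long, 2, &len, &used));
    return 0;
}
```

A lenient decoder would read all three encodings of 5 as the same length, which is what lets extra bytes ride inside a structure that another parser interprets differently.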
