Bug 1079851 (CVE-2014-1492)
| Summary: | CVE-2014-1492 nss: IDNA hostname matching code does not follow RFC 6125 recommendation (MFSA 2014-45) | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | emaldona, gbarros, hkario, jkurik, jrusnack, kdudka, kengert, pfrields, thatsafunnyname |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | nss 3.16 | Doc Type: | Bug Fix |
| Doc Text: | It was found that the implementation of Internationalizing Domain Names in Applications (IDNA) hostname matching in NSS did not follow the RFC 6125 recommendations. This could lead to certain invalid certificates with international characters to be accepted as valid. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-09-18 03:05:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1101846, 1113849, 1113853, 1127892, 1127893 | | |
| Bug Blocks: | 1063682, 1079858 | | |
Description
Huzaifa S. Sidhpurwala
2014-03-24 07:01:08 UTC
The problem here is that NSS did not previously follow a recommendation (SHOULD NOT rather than MUST NOT) related to the handling of certificates with names including wildcards against IDNA hostnames. The problem can occur under the following conditions:

- user instructs an application with support for internationalized domain names (IDN) to visit a URL containing non-ASCII characters
- server for the domain presents a wildcard certificate with a wildcard label that contains characters followed by *

For example:

- user enters URL: https://bücher.example.de
- URL with unicode character is ASCII encoded as: https://xn--bcher-kva.example.de
- server presents a certificate for name x*.example.de
- NSS versions before 3.16 accept the certificate as valid for the specified host even though RFC 6125 section 6.4.3 recommends it SHOULD NOT be accepted

A few other factors that limit the impact of this issue:

- use of wildcard certificates that contain a label with both normal characters and the wildcard character is uncommon; many applications do not support those at all
- anyone able to get a certificate for x*.example.de from a trusted CA is also likely to be able to obtain a certificate for *.example.de from the same CA. Per RFC 6125, applications may accept such a certificate when asked to connect to bücher.example.de

This fix is more of a security hardening than a vulnerability fix, especially considering that the cited RFC discourages, but does not forbid, the previous behavior.

Statement:

(none)

MFSA for fixes applied to Firefox 29 and Seamonkey 2.26: http://www.mozilla.org/security/announce/2014/mfsa2014-45.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2014:0917 https://rhn.redhat.com/errata/RHSA-2014-0917.html

IssueDescription:

It was found that the implementation of Internationalizing Domain Names in Applications (IDNA) hostname matching in NSS did not follow the RFC 6125 recommendations. This could lead to certain invalid certificates with international characters to be accepted as valid.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2014:1073 https://rhn.redhat.com/errata/RHSA-2014-1073.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2014:1246 https://rhn.redhat.com/errata/RHSA-2014-1246.html