Bug 1079851 (CVE-2014-1492) - CVE-2014-1492 nss: IDNA hostname matching code does not follow RFC 6125 recommendation (MFSA 2014-45)
Summary: CVE-2014-1492 nss: IDNA hostname matching code does not follow RFC 6125 recom...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-1492
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20140318,reported=2...
Depends On: 1101846 1113849 1113853 1127892 1127893
Blocks: 1063682 1079858
TreeView+ depends on / blocked
 
Reported: 2014-03-24 07:01 UTC by Huzaifa S. Sidhpurwala
Modified: 2019-08-15 03:48 UTC (History)
9 users (show)

Fixed In Version: nss 3.16
Doc Type: Bug Fix
Doc Text:
It was found that the implementation of Internationalizing Domain Names in Applications (IDNA) hostname matching in NSS did not follow the RFC 6125 recommendations. This could lead to certain invalid certificates with international characters to be accepted as valid.
Clone Of:
Environment:
Last Closed: 2014-09-18 03:05:57 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0917 normal SHIPPED_LIVE Critical: nss and nspr security, bug fix, and enhancement update 2014-07-22 21:59:48 UTC
Red Hat Product Errata RHSA-2014:1073 normal SHIPPED_LIVE Low: nss, nss-util, nss-softokn security, bug fix, and enhancement update 2014-08-18 16:03:14 UTC
Red Hat Product Errata RHSA-2014:1246 normal SHIPPED_LIVE Moderate: nss and nspr security, bug fix, and enhancement update 2014-09-16 09:39:01 UTC

Description Huzaifa S. Sidhpurwala 2014-03-24 07:01:08 UTC
In a wildcard certificate, the wildcard character should not be embedded within the U-label of an internationalized domain name. This was not properly implemented in NSS, as a result it did not handle IDNA domain prefixes according to RFC 6125, section 6.4.3 "Checking of Wildcard Certificates".
http://tools.ietf.org/html/rfc6125#section-6.4.3

Upstream patch:
https://hg.mozilla.org/projects/nss/rev/15ea62260c21
https://hg.mozilla.org/projects/nss/rev/2ffa40a3ff55
https://hg.mozilla.org/projects/nss/rev/709d4e597979

Upstream bug (not public):
https://bugzilla.mozilla.org/show_bug.cgi?id=903885

This issue was fixed upstream in NSS 3.16:
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes

Comment 1 Tomas Hoger 2014-04-24 21:05:47 UTC
The problem here is that NSS did not previously follow recommendation (SHOULD NOT rather than MUST NOT) related to handling of certificates with names including wildcards against IDNA hostnames.

The problem can occur under following conditions:
- user instructs an application with support for internationalized domain names (IDN) to visit a URL containing non-ASCII characters
- server for the domain presents a wildcard certificate with a wildcard label that contains characters followed by *

For example:
- user enters URL: https://bücher.example.de
- URL with unicode character is ASCII encoded as: https://xn--bcher-kva.example.de
- server presents a certificate for name x*.example.de
- NSS versions before 3.16 accept certificate as valid for the specified host even though RFC 6125 section 6.4.3 recommends it SHOULD NOT be accepted

Few other factors that limit impact of this issue:
- use of wildcard certificates that contains label with both normal characters and wildcard character is uncommon, many applications do not support those at all
- anyone able to get a certificate for x*.example.de from a trusted CA is also likely to be able to obtain certificate for *.example.de from the same CA.  Per RFC 6125, applications may accept such certificate when asked to connect to bücher.example.de

This fix is more of a security hardening than a vulnerability fix, especially considering that the cited RFC discourages, but does not forbid previous behavior.

Comment 2 Tomas Hoger 2014-04-24 21:09:31 UTC
Statement:

(none)

Comment 4 Tomas Hoger 2014-04-29 18:51:20 UTC
MFSA for fixes applied to Firefox 29 and Seamonkey 2.26:

http://www.mozilla.org/security/announce/2014/mfsa2014-45.html

Comment 9 errata-xmlrpc 2014-07-22 18:00:31 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0917 https://rhn.redhat.com/errata/RHSA-2014-0917.html

Comment 10 Martin Prpič 2014-07-28 11:37:12 UTC
IssueDescription:

It was found that the implementation of Internationalizing Domain Names in Applications (IDNA) hostname matching in NSS did not follow the RFC 6125 recommendations. This could lead to certain invalid certificates with international characters to be accepted as valid.

Comment 12 errata-xmlrpc 2014-08-18 12:03:37 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1073 https://rhn.redhat.com/errata/RHSA-2014-1073.html

Comment 13 errata-xmlrpc 2014-09-16 05:39:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1246 https://rhn.redhat.com/errata/RHSA-2014-1246.html


Note You need to log in before you can comment on or make changes to this bug.