ISS X-Force Database: mozilla-certificate-dos(16706): Mozilla/Firefox certificate denial of service

Mozilla/Firefox certificate denial of service

mozilla-certificate-dos (16706)

Low Risk

Description:

Mozilla and Firefox are vulnerable to a denial of service attack. A remote attacker could create a specially-crafted certificate with the same Distinguished Name (DN) as a built-in root Certificate Authority (CA) certificate and import the malicious certificate to the victim's certificate store, without the victim's knowledge. This prevents the victim from gaining access to a legitimate Secure Sockets Layer (SSL) Web site that contains a root CA with the same DN as the malicious root certificate in the victim's certificate store. An attacker could exploit this vulnerability by hosting the malicious certificate on a Web site or by sending it to a victim as an HTML email.

Platforms Affected:

Conectiva, Linux 10
Conectiva, Linux 9.0
Gentoo, Linux
Mozilla, Firefox 0.8
Mozilla, Firefox 0.9.2
Mozilla, Mozilla 1.6
Mozilla, Mozilla 1.7
Mozilla, Mozilla 1.7.1
RedHat, Enterprise Linux 2.1 AW
RedHat, Enterprise Linux 2.1 WS
RedHat, Enterprise Linux 2.1 AS
RedHat, Enterprise Linux 2.1 ES
RedHat, Enterprise Linux 3 ES
RedHat, Enterprise Linux 3 AS
RedHat, Enterprise Linux 3 Desktop
RedHat, Enterprise Linux 3 WS
RedHat, Linux Advanced Workstation 2.1 Itanium
Slackware, Slackware Linux 10.0
Slackware, Slackware Linux 9.1
Slackware, Slackware Linux current
Sun, JDS 2003
Sun, JDS Release 2
Sun, Solaris 8
Sun, Solaris 9
SuSE, Linux Enterprise Server 8
SuSE, Linux Enterprise Server 9
SuSE, SuSE Linux 8.1
SuSE, SuSE Linux 8.2
SuSE, SuSE Linux 9.0
SuSE, SuSE Linux 9.1
SuSE, SuSE Linux Desktop 1.0
SuSE, SuSE SLES 9

Remedy:

For Red Hat Linux:
Upgrade to the latest mozilla package, as listed below. Refer to RHSA-2004:421-17 for more information. See References.

Red Hat Enterprise Linux AS (v. 2.1), ES (v. 2.1), WS (v. 2.1), and Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor: 1.4.3-2.1.2 or later
Red Hat Enterprise Linux AS (v. 3), ES (v. 3), WS (v. 3), Desktop: 1.4.3-3.0.2.x86_64 or later

For Slackware Linux:
Upgrade to the latest mozilla package, as listed below. Refer to slackware-security Mailing List, Tue, 10 Aug 2004 14:17:12 -0700 (PDT) for more information. See References.

Slackware Linux 9.1: 1.4.3-i486-1 or later
Slackware Linux 10.0 and -current: 1.7.2-i486-1 or later

For Gentoo Linux:
Upgrade to the latest version of mozilla, as listed in GLSA 200408-22. See References.

For SuSE Linux:
Apply the update for this vulnerability, as listed in SuSE Security Announcement SUSE-SA:2004:036. See References.

For Conectiva Linux:
Upgrade to the latest mozilla package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2004:877 for more information. See References.

Conectiva Linux 10.0: 1.7.3-60868U10_1cl or later
Conectiva Linux 9: 1.7.3-27852U90_4cl or later

For Sun Solaris:
Apply the appropriate patch for your system, as listed below. Refer to Sun Alert ID: 57701 for more information. See References.

SPARC
Solaris 8: 117765-02 or later
Solaris 9: 117767-02 or later

x86 Platform
Solaris 8: 117766-02 or later
Solaris 9: 117768-02 or later

Linux
Sun Java Desktop System (JDS) 2003: 118937-01 or later
Sun Java Desktop System (JDS) Release 2: 118492-02 or later

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Denial of Service

References:

CIAC Information Bulletin P-069, Sun - Multiple Mozilla Vulnerabilities at http://www.ciac.org/ciac/bulletins/p-069.shtml.
Conectiva Linux Security Announcement CLSA-2004:877, New upstream for mozilla at http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000877.
Mozilla Bugzilla Bug 249004, Overriding built-in certificate leading to error -8182 (DoS), especially exploitable by email at http://bugzilla.mozilla.org/show_bug.cgi?id=249004.
Slackware Security Advisories Tue, 10 Aug 2004 14:17:12 -0700 (PDT), [slackware-security] Mozilla (SSA:2004-223-01) at http://slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.667659.
Sun Alert ID: 57701, Multiple Security Vulnerabilities in Mozilla at http://sunsolve.sun.com/search/document.do?assetkey=1-26-57701-1&searchclause=%22category:security%22%20%22availability,%20security%22.
BID-10703: Mozilla Personal Security Manager Certificate Handling Denial Of Service Vulnerability
BID-15495: SCO OpenServer Release 5.0.7 Maintenance Pack 4 Released - Multiple Vulnerabilities Fixed
CVE-2004-0758: Mozilla 1.5 through 1.7 allows a CA certificate to be imported even when their DN is the same as that of the built-in CA root certificate, which allows remote attackers to cause a denial of service to SSL pages because the malicious certificate is treated as invalid.
GLSA-200408-22: Mozilla, Firefox, Thunderbird, Galeon, Epiphany: New releases fix vulnerabilities
RHSA-2004-421: mozilla security update
SUSE-SA:2004:030: apache2: remote DoS condition
SUSE-SA:2004:031: cups: remote code execution
SUSE-SA:2004:032: apache2: remote denial-of-service
SUSE-SA:2004:033: gtk2 gdk-pixbuf: remote code execution
SUSE-SA:2004:034: XFree86-libs xshared: remote command execution
SUSE-SA:2004:035: samba: remote file disclosure
SUSE-SA:2004:036: mozilla: various vulnerabilities
US-CERT VU#784278: Mozilla fails to validate the DN of X.509 certificates

Reported:

Jul 16, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page