CVE-2014-1569
PUBLISHED
The definite_length_decoder function in lib/util/quickder.c in Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x before 3.17.3 does not ensure that the DER encoding of an ASN.1 length is properly formed, which allows remote attackers to conduct data-smuggling attacks by using a long byte sequence for an encoding, as demonstrated by the SEC_QuickDERDecodeItem function's improper handling of an arbitrary-length encoding of 0x00.
Risk Scores
- EPSS Score: 3.64% (88.1th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:14.04:LTS | nss | 0, 2:3.15.1-1ubuntu1, 2:3.15.2-1 |
Exploit Intelligence
- http://www.intelsecurity.com/resources/wp-berserk-analysis-part-1.pdf (vulncheck-nvd)
- https://bugzilla.mozilla.org/show_bug.cgi?id=1064670 (vulncheck-nvd)
- https://www.imperialviolet.org/2014/09/26/pkcs1.html (vulncheck-nvd)
- https://www.reddit.com/r/netsec/comments/2hd1m8/rsa_signature_forgery_in_nss/cksnr02 (vulncheck-nvd)
- MatrixSSL < 4.0.2 - Stack Buffer Overflow Verifying x.509 Certificates Vulnerability (0day-today)
Timeline
- Dec 15, 2014 CVE Published
- Feb 20, 2019 PoC Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Sep 3, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 8, 2023 EPSS Score
- May 25, 2023 EPSS Score
- Jul 16, 2023 EPSS Score
- Sep 7, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2014-1569 third-party-advisory
- https://www.reddit.com/r/netsec/comments/2hd1m8/rsa_signature_forgery_in_nss/cksnr02 third-party-advisory
- https://www.imperialviolet.org/2014/09/26/pkcs1.html third-party-advisory
- https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.3_release_notes third-party-advisory
- http://www.intelsecurity.com/resources/wp-berserk-analysis-part-1.pdf third-party-advisory
- https://ubuntu.com/security/notices/USN-2452-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2014-1569 third-party-advisory