Products & Services
Support

Product Categories


Popular Downloads


Manage Software

How to Buy

For Home

Linksys Products Store
Linksys is now part of Belkin
Products for everyone

All Ordering Options

Training & Events Partners
Guest

Security Issue Alert

Mozilla Network Security Services MD2 Hash Signature Issue

 
Threat Type:IntelliShield: Applied Mitigation Bulletin
IntelliShield ID:18752
Version:22
First Published:2009 July 31 20:40 GMT
Last Published:2011 January 28 17:13 GMT
Port: Not available
CVE:CVE-2007-5707 , CVE-2007-6698 , CVE-2008-0658 , CVE-2008-5161 , CVE-2009-0023 , CVE-2009-1191 , CVE-2009-1195 , CVE-2009-1574 , CVE-2009-1632 , CVE-2009-1890 , CVE-2009-1891 , CVE-2009-1955 , CVE-2009-1956 , CVE-2009-2202 , CVE-2009-2203 , CVE-2009-2285 , CVE-2009-2408 , CVE-2009-2409 , CVE-2009-2411 , CVE-2009-2412 , CVE-2009-2414 , CVE-2009-2416 , CVE-2009-2666 , CVE-2009-2798 , CVE-2009-2799 , CVE-2009-2808 , CVE-2009-2810 , CVE-2009-2818 , CVE-2009-2819 , CVE-2009-2820 , CVE-2009-2823 , CVE-2009-2824 , CVE-2009-2825 , CVE-2009-2826 , CVE-2009-2827 , CVE-2009-2828 , CVE-2009-2829 , CVE-2009-2830 , CVE-2009-2831 , CVE-2009-2832 , CVE-2009-2833 , CVE-2009-2834 , CVE-2009-2835 , CVE-2009-2836 , CVE-2009-2837 , CVE-2009-2838 , CVE-2009-2839 , CVE-2009-2840 , CVE-2009-3111 , CVE-2009-3235 , CVE-2009-3291 , CVE-2009-3292 , CVE-2009-3293
Urgency:Unlikely Use
Credibility:Confirmed
Severity:Harassment
Related Resources:
 
 
Version Summary:BalaBit has released security announcements and software updates to address the Mozilla Network Security Services MD2 hash signature issue.
 
 
Description

Mozilla Network Security Services?(NSS) versions 3.12.2 and prior contain an issue that could allow an unauthenticated, remote attacker to present a malicious digital certificate that a user's browser could accept as valid.

The issue exists because browsers that use NSS will accept a digital certificate that is built using the MD2 hashing algorithm, which has been proven to be insecure.? An unauthenticated, remote attacker could exploit this issue by creating a malicious digital signature using an MD2 hashing algorithm.? A browser that uses NSS could accept the certificate as legitimate.? An exploit could allow other attacks to occur, such as a man-in-the-middle attack.

VeriSign and possibly other vendors have in the past signed root certificates with an MD2 hashing algorithm.? While the MD2 hashing algorithm has been proven to be insecure, this only means that computers are getting powerful enough to take advantage of collisions in the MD2 scheme.??These collisions could allow an attacker to create a malicious digital signature that would be accepted as valid by any client software,?such as a browser, that will accept a certificate signed with an MD2 hashing algorithm. VeriSign took action on May 17, 2009, to remove any of its root certificates that were signed with the MD2 hashing algorithm.? The?MD2 signature was replaced with a SHA-1 signature, which is considered robust at this time.?

Mozilla has confirmed this issue and released updated software.

 
Patches/Software

Mozilla has issued release notes at the following link: NSS 3.12.3.  Mozilla has released updated software at the following link: NSS 3.12.3

Apple has released a security advisory at the following link: Security Update 2009-006 and Mac OS X v10.6.2 Update.  Apple has released updated software at the following links:

Mac OS X v10.6.2 Update
Mac OS X Server v10.6.2 Update
Security Update 2009-006 Server
Security Update 2009-006 Client

BalaBit has released security announcements at the following links: syslog-ng Premium Edition 3.0.6a and syslog-ng Premium Edition 3.2.1a.  BalaBit has released software updates at the following links: 3.0.6a and 3.2.1a

CentOS packages can be updated using the up2date or yum command.

MontaVista Software has re-released a security alert for registered users on January 6, 2010, at the following link: MontaVista Security Fixes.  MontaVista Software has released updated software at the following links:

MVL 5
PRO 5.0.24
PRO 5.0
PRO 4.0.1
CGE 4.0.1
MOBILINUX 5.0.24
MOBILINUX 4.1
MOBILINUX 4.0.2
CGE 5.0
MOBILINUX 5.0

Red Hat has released security advisories at the following links: RHSA-2009:1184-1, RHSA-2009:1186-1, RHSA-2009:1190-1, RHSA-2009:1207-1, RHSA-2009:1432-1, RHSA-2009:1560-1,RHSA-2009:1571-1,RHSA-2009:1584, RHSA-2009:1662,RHSA-2010:0054, RHSA-2010:0163, and RHSA-2010:0166.  Red Hat packages can be updated using the up2date or yum command.

VMware has released security advisories at the following links: VMSA-2010-0001, VMSA-2010-0009, VMSA-2010-0015, and VMSA-2010-0019.  VMware has released updated software at the following links:

ESX 3.5
ESX350-201012401-SG

ESX 4.0
ESX400-200912403-SG
ESX400-201005401-SG
ESX400-201009401-SG

ESX 4.1
ESX410-201010402-SG

vMA 4.0
vMA 4.0 can be updated to Patch 3 using the sudo /usr/sbin/vima-update update command.

 
Impact

An unauthenticated, remote attacker could exploit this issue to present a malicious digital certificate that a user's browser could accept as valid.? The attacker could?take advantage of ?this issue as a part of other attacks, such as a man-in-the-middle attack.

 
Safeguards

Administrators are advised to apply the appropriate updates.

Users are advised not to open e-mail messages from suspicious or unrecognized sources.? If users cannot verify that links or attachments included in e-mail messages are safe, they are advised not to open them.

Users are advised not to visit websites or follow links that have suspicious characteristics or cannot be verified as safe.

Users should verify that unsolicited links are safe to follow.

 
Alert History
 

Version 21, December 8, 2010, 7:56 PM: VMware has released an additional security advisory and updated software to address the Mozilla Network Security Services MD2 hash signature issue.

Version 20, November 17, 2010, 9:15 AM: VMware has re-released a security advisory and updated software to address the Mozilla Network Security Services MD2 hash signature issue.

Version 19, September 30, 2010, 10:52 AM: VMware has released an additional security advisory and updated software to address the Mozilla Network Security Services MD2 hash signature issue.

Version 18, June 1, 2010, 11:32 AM: VMware has released an additional security advisory and updated software to address the Mozilla Network Security Services MD2 hash signature issue.

Version 17, March 29, 2010, 10:32 AM: CentOS has released updated packages to address the Mozilla Network Security Services MD2 hash signature issue.

Version 16, March 26, 2010, 11:03 AM: Red Hat has released additional security advisories and updated packages to address the Mozilla Network Security Services MD2 hash signature issue.

Version 15, March 5, 2010, 8:54 PM: VMware has re-released a security advisory and updated packages to address the Mozilla Network Security Services MD2 hash signature issue.

Version 14, January 21, 2010, 1:28 PM: CentOS has released updated packages to address the Mozilla Network Security Services MD2 hash signature issue.

Version 13, January 20, 2010, 10:52 AM: Red Hat has released a security advisory and updated packages to address the Mozilla Network Security Services MD2 hash signature issue.

Version 12, January 8, 2010, 10:10 AM: VMware and MontaVista Software have released security advisories and updates to address the Mozilla Network Security Services MD2 hash signature issue.

Version 11, December 11, 2009, 2:19 PM: Red Hat has released an additional security alert and updated software to address the Mozilla Network Security Services MD2 hash signature issue.

Version 10, November 18, 2009, 11:25 AM: Red Hat has released an additional security alert and updated software to address the Mozilla Network Security Services MD2 hash signature issue.  CentOS has released updated software.

Version 9, November 17, 2009, 8:11 AM: MontaVista has released a security alert and updated software to address the Mozilla Network Security Services MD2 hash signature issue.

Version 8, November 11, 2009, 8:33 AM: Red Hat has released an additional security advisory and updated software to address the Mozilla Network Security Services MD2 hash signature issue.

Version 7, November 10, 2009, 9:56 AM: Apple has released a security advisory and updated software to address the Mozilla Network Security Services MD2 hash signature issue.

Version 6, November 9, 2009, 1:57 PM: Red Hat has released an additional security advisory and updated software to address the Mozilla Network Security Services MD2 hash signature issue.

Version 5, September 10, 2009, 12:14 PM: Red Hat has released an additional security advisory and updated software to address the Mozilla Network Security Services MD2 hash signature issue.

Version 4, August 13, 2009, 10:08 AM: Red Hat has released an additional security advisory and updated software to address the Mozilla Network Security Services MD2 hash signature issue.

Version 3, August 3, 2009, 5:07 PM: Red Hat has released an additional security advisory and updated software to address the Mozilla Network Security Services MD2 hash signature issue.

Version 2, August 3, 2009, 9:50:25 AM: Red Hat has released an additional security advisory and updated software to address the Mozilla Network Security Services MD2 hash signature issue.

Version 1, July 31, 2009, 4:40 PM: Mozilla Network Security Services contains an issue that could allow an unauthenticated, remote attacker to present a malicious digital certificate that a user's browser could accept as valid.  Updates are available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
AppleMac OS X 10.5 Intel, PPC | 10.5.1 Intel, PPC | 10.5.2 Intel, PPC | 10.5.3 Base, Intel, PPC | 10.5.4 Intel, PPC | 10.5.5 Intel, PPC | 10.5.6 Intel, PPC | 10.5.7 Intel, PPC | 10.5.8 Intel, PPC | 10.6 Intel, PPC | 10.6.1 Intel, PPC
AppleMac OS X Server 10.5 Intel, PPC | 10.5.1 Intel, PPC | 10.5.2 Intel, PPC | 10.5.3 Intel, PPC | 10.5.4 Intel, PPC | 10.5.5 Intel, PPC | 10.5.6 Intel, PPC | 10.5.7 Intel, PPC | 10.5.8 Intel, PPC | 10.6 Intel, PPC | 10.6.1 Intel, PPC
Mozilla FoundationNSS (Network Security Services) 3.10 Base | 3.11 Base, .1, .3, .4 | 3.12 Base, .2

Associated Products:
AppleMac OS X 10.5 | 10.5.1 | 10.5.2 | 10.5.3 | 10.5.4 | 10.5.5 | 10.5.6 | 10.5.7 | 10.5.8 | 10.6 | 10.6.1
AppleMac OS X Server 10.5 | 10.5.1 | 10.5.2 | 10.5.3 | 10.5.4 | 10.5.5 | 10.5.6 | 10.5.7 | 10.5.8 | 10.6 | 10.6.1
BalaBit IT Ltd.syslog-ng 3.0 Base, .1, .2, .3, .4, .5 | 3.2 Base
CentOS ProjectCentOS 3 .0 i386, .0 x86_64 | 4 .0 i386, .0 x86_64, .1 i386, .1 x86_64, .2 i386, .2 x86_64, .3 i386, .3 x86_64, .4 i386, .4 x86_64, .5 i386, .5 x86_64, .6 i386, .6 x86_64, .7 i386, .7 x86_64 | 5 .0 i386, .0 x86_64, .1 i386, .1 x86_64, .2 i386, .2 x86_64, .3 i386, .3 x86_64
MontaVistaMontaVista Linux 5 Base | Professional 4.0.1, 5.0, 5.0.24 | Mobilinux 5.0 | CGE 5.0
Red Hat, Inc.Red Hat Desktop 3 i386, x86_64 | 4 IA-32, x86_64
Red Hat, Inc.Red Hat Enterprise Linux 5 IA-32, IA-64, PPC, ppc64, s390, s390x, x86_64
Red Hat, Inc.Red Hat Enterprise Linux Advanced Server 3 amd64 (x86_64), athlon, em64t (ia32e), i386, i686, ia64, PPC, s390, s390x, ppc64 | 4 IA-32, IA-64, x86_64, PPC, ppc64, s390, s390x | 4.7.z IA-32, IA-64, PPC, s390, s390x, x86_64, ppc64 | 4.8.z IA-32, IA-64, x86_64, PPC, ppc64, s390, s390x
Red Hat, Inc.Red Hat Enterprise Linux Desktop 5 IA-32, x86_64
Red Hat, Inc.Red Hat Enterprise Linux Desktop Supplementary 5.0 IA-32, x86-64
Red Hat, Inc.Red Hat Enterprise Linux Desktop Workstation 5 IA-32, x86-64
Red Hat, Inc.Red Hat Enterprise Linux Enterprise Server 3 amd64 (x86_64), i386, ia64 | 4 IA-32, IA-64, x86_64 | 4.7.z IA_32, IA_64, x86_64 | 4.8.z IA-32, IA-64, x86_64
Red Hat, Inc.Red Hat Enterprise Linux EUS (Extended Update Support) 5.2.z IA-32, IA-64, PPC, PPC64, s390x, x86-64 | 5.3.z IA-32, IA-64, PPC, ppc64, s390, s390x, x86_64 | 5.4.z IA-32, IA-64, PPC, PPC64, s390, s390x, x86_64
Red Hat, Inc.Red Hat Enterprise Linux Extras 4 IA-32, x86_64 | 4.8.z IA-32, x86_64
Red Hat, Inc.Red Hat Enterprise Linux Workstation 3 amd64 (x86_64), i386, ia64 | 4 IA-32, IA-64, x86_64
Red Hat, Inc.Red Hat Network Satellite 5.1 Base
Red Hat, Inc.RHEL Supplementary 5 IA-32, x86_64
Red Hat, Inc.RHEL Supplementary EUS 5.4.z IA-32, x86_64
VMware, Inc.vMA 4.0 Base
VMware, Inc.VMware ESX Server 3.0 .3 | 3.5 Base, Update 1, Update 2, Update 3, Update 4 | 4.0 Base | 4.1 Base




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
Powered by  IntelliShield