ASA-2019-00447 – Mozilla Firefox: PKCS#1 v1.5 signatures can be used for TLS 1.3


Allele Security Alert

ASA-2019-00447

Identifier(s)

ASA-2019-00447, CVE-2019-11727, MFSA2019-21

Title

PKCS#1 v1.5 signatures can be used for TLS 1.3

Vendor(s)

Mozilla Foundation

Product(s)

Mozilla Firefox

Affected version(s)

Mozilla Firefox versions before 68

Fixed version(s)

Mozilla Firefox version 68

Proof of concept

Unknown

Description

A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages.
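
The rule above, as an added example (not NSS or Firefox code): a TLS 1.3 client picks a CertificateVerify scheme from the signature_algorithms list in the server's CertificateRequest and refuses to fall back to rsa_pkcs1_* when nothing else is offered. The function names, the `key_type` enum and the sample byte strings are constructed for illustration; the code points are from RFC 8446, section 4.2.3.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SignatureScheme code points from RFC 8446, section 4.2.3. */
#define ECDSA_SECP256R1_SHA256 0x0403
#define RSA_PSS_RSAE_SHA256    0x0804
#define RSA_PSS_RSAE_SHA384    0x0805
#define RSA_PSS_RSAE_SHA512    0x0806

typedef enum { KEY_RSA, KEY_ECDSA_P256 } key_type; /* hypothetical local key kinds */

/* 1 if `scheme` may sign a TLS 1.3 CertificateVerify with this key.
 * rsa_pkcs1_* (0x0401, 0x0501, 0x0601) and anything unknown hit the default. */
static int tls13_cv_scheme_ok(uint16_t scheme, key_type key)
{
    switch (scheme) {
    case RSA_PSS_RSAE_SHA256:
    case RSA_PSS_RSAE_SHA384:
    case RSA_PSS_RSAE_SHA512:
        return key == KEY_RSA;
    case ECDSA_SECP256R1_SHA256:
        return key == KEY_ECDSA_P256;
    default:
        return 0;
    }
}

/* Parse signature_algorithms extension data (uint16 length, then uint16 schemes).
 * Returns the first usable scheme, or 0 if none or malformed; on 0 the caller
 * must not produce a CertificateVerify. */
uint16_t pick_cert_verify_scheme(const uint8_t *data, size_t len, key_type key)
{
    if (len < 4) return 0;
    size_t list_len = ((size_t)data[0] << 8) | data[1];
    if (list_len != len - 2 || list_len % 2 != 0) return 0;
    for (size_t i = 2; i + 1 < len; i += 2) {
        uint16_t scheme = (uint16_t)((data[i] << 8) | data[i + 1]);
        if (tls13_cv_scheme_ok(scheme, key)) return scheme;
    }
    return 0;
}

/* Constructed sample inputs, not captured traffic. */
static const uint8_t only_pkcs1[]     = { 0x00, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01 };
static const uint8_t pkcs1_then_pss[] = { 0x00, 0x04, 0x04, 0x01, 0x08, 0x04 };
static const uint8_t bad_length[]     = { 0x00, 0x06, 0x08, 0x04 };

int main(void)
{
    printf("only rsa_pkcs1_*: 0x%04x\n", pick_cert_verify_scheme(only_pkcs1, sizeof only_pkcs1, KEY_RSA));
    printf("pkcs1 then pss:   0x%04x\n", pick_cert_verify_scheme(pkcs1_then_pss, sizeof pkcs1_then_pss, KEY_RSA));
    printf("bad length:       0x%04x\n", pick_cert_verify_scheme(bad_length, sizeof bad_length, KEY_RSA));
    return 0;
}
```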

Technical details

Unknown

Credits

Hubert Kario

Reference(s)

Mozilla Foundation Security Advisory 2019-21
https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727

Bug 1552208
https://bugzilla.mozilla.org/show_bug.cgi?id=1552208

CVE-2019-11727
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727

CVE-2019-11727
https://nvd.nist.gov/vuln/detail/CVE-2019-11727

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: July 18, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.