Monday, September 17, 2007 3:02 PM cmosby

National Vulnerability Database (CVE-2007-4879) - Mozilla Firefox 2.0.x can automatically install TLS client certificates with minimal user interaction


Vulnerability Summary CVE-2007-4879

Original release date: 9/13/2007
Last revised: 9/17/2007
Source: US-CERT/NIST

Overview

Mozilla Firefox 2.0.x can automatically install TLS client certificates with minimal user interaction, and automatically sends these certificates when requested, which makes it easier for remote web sites to track user activities across domains by requesting the TLS client certificates from other domains.

Impact

CVSS Severity (version 2.0):
CVSS v2 Base score: 5.0 (Medium) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 10.0
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information

References to Advisories, Solutions, and Tools

External Source: https://bugzilla.mozilla.org/show_bug.cgi?id=395399

External Source: http://0x90.eu/ff_tls_poc.html

Vulnerable software and versions

Configuration 1

- Mozilla, Firefox, 2.0
- Mozilla, Firefox, 2.0.0.1
- Mozilla, Firefox, 2.0.0.2
- Mozilla, Firefox, 2.0.0.3
- Mozilla, Firefox, 2.0.0.4
- Mozilla, Firefox, 2.0.0.5
- Mozilla, Firefox, 2.0.0.6
- Mozilla, Firefox, 1.5

Source: National Vulnerability Database (CVE-2007-4879)
