Уязвимость спуфинга доменных имен через смешивание символов канадских слоговых знаков и латинских символов в строке адреса
Описание
Символы из блока Unicode "Canadian Syllabics" могут смешиваться с символами из других блоков Unicode в адресной строке, вместо отображения в их исходной форме "punycode", что позволяет проводить атаки с подменой доменных имен через путаницу символов. Текущий стандарт Unicode позволяет смешивать символы из "Aspirational Use Scripts", такие как "Canadian Syllabics", с латинскими символами в "умеренно ограниченном" профиле IDN.
Комментарий
Мы изменили поведение Firefox, чтобы оно соответствовало предстоящей версии Unicode 10.0, которая удаляет эту категорию и рассматривает их как "Limited Use Scripts".
Затронутые версии ПО
- Firefox < 54
- Firefox ESR < 52.2
- Thunderbird < 52.2
Тип уязвимости
Спуфинг
Ссылки
- Third Party AdvisoryVDB Entry
- Third Party AdvisoryVDB Entry
- Third Party Advisory
- Third Party Advisory
- Third Party Advisory
- ExploitIssue TrackingVendor Advisory
- Third Party Advisory
- Third Party Advisory
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
- Third Party AdvisoryVDB Entry
- Third Party AdvisoryVDB Entry
- Third Party Advisory
- Third Party Advisory
- Third Party Advisory
- ExploitIssue TrackingVendor Advisory
- Third Party Advisory
- Third Party Advisory
- Vendor Advisory
Уязвимые конфигурации
Одно из
Одно из
EPSS
5.3 Medium
CVSS3
5 Medium
CVSS2
Дефекты
Связанные уязвимости
Characters from the "Canadian Syllabics" unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rendered as their raw "punycode" form, allowing for domain name spoofing attacks through character confusion. The current Unicode standard allows characters from "Aspirational Use Scripts" such as Canadian Syllabics to be mixed with Latin characters in the "moderately restrictive" IDN profile. We have changed Firefox behavior to match the upcoming Unicode version 10.0 which removes this category and treats them as "Limited Use Scripts.". This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2.
Characters from the "Canadian Syllabics" unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rendered as their raw "punycode" form, allowing for domain name spoofing attacks through character confusion. The current Unicode standard allows characters from "Aspirational Use Scripts" such as Canadian Syllabics to be mixed with Latin characters in the "moderately restrictive" IDN profile. We have changed Firefox behavior to match the upcoming Unicode version 10.0 which removes this category and treats them as "Limited Use Scripts.". This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2.
Characters from the "Canadian Syllabics" unicode block can be mixed wi ...
Characters from the "Canadian Syllabics" unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rendered as their raw "punycode" form, allowing for domain name spoofing attacks through character confusion. The current Unicode standard allows characters from "Aspirational Use Scripts" such as Canadian Syllabics to be mixed with Latin characters in the "moderately restrictive" IDN profile. We have changed Firefox behavior to match the upcoming Unicode version 10.0 which removes this category and treats them as "Limited Use Scripts.". This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2.
Уязвимость браузеров Firefox, Firefox ESR и почтового клиента Thunderbird, связанная cо смешением символов из блока «Canadian Syllabics» с символами из других блоков, позволяющая нарушителю проводить спуфинг-атаки
EPSS
5.3 Medium
CVSS3
5 Medium
CVSS2