|
|
Info |
Last Modified |
| about 1 year ago |
|
|
|
|
|
Description |
A remote overflow exists in Mozilla Foundation's Network Security Services (NSS) libraries. The vulnerability is due to inadequate error checking in the Network Security Services (NSS) code that is responsible for handling the Client Master Key. A remote attacker can exploit the vulnerability with a specially-crafted SSLv2 certificate containing a Client Master Key with invalid length values. This may result in a stack-based buffer overflow allowing the attacker to crash the affected server or to execute arbitrary code in the context of the affected server, resulting in a loss of availability and/or integrity.
|
|
Classification |
Location:
Remote/Network Access Required
Attack Type:
Input Manipulation
Impact:
Loss of Integrity,
Loss of Availability
Exploit:
Exploit Available
Disclosure:
OSVDB Verified
|
|
Technical |
Mozilla Network Security Services libraries are used in a variety of products. The names 'libnss3.so' on Linux-based systems or 'nss3.dll' on Windows-based systems may indicate the affected library is being used by an application.
|
|
Solution |
Upgrade to the following versions of the affected products as these versions have been reported to fix this vulnerability:
Mozilla Network Security Services (NSS): version 3.11.5 or higher
It is also possible to correct the flaw by implementing the following workaround(s): Disable the SSLv2 protocol in any product that has not already done so.
|
|
Products |
|
Network Security Services (NSS)
 |
3.11.5 |
3.11.3 |
3.10 |
3.11.4 |
3.9.x |
3.8.x |
3.7.x |
3.6.x |
3.5.x |
3.4.x |
3.3.x |
3.2.x |
|
|
|
|
|
|
Credit |
- Michał Luczaj - regenrecht
 o2.pl -
|
|
BlogsProvided by Technorati
|
None found at this time
|
|
|
