Title: Mozilla Multiple Products NSS SSLv2 Client Overflow
Info
Dates
Disclosure: Feb 23, 2007
Discovery: Unknown
Exploit: Unknown
Solution: Unknown
Description
A remote overflow exists in multiple versions of Mozilla Firefox, Mozilla Network Security Services (NSS), Mozilla SeaMonkey, and Mozilla Thunderbird. The vulnerability is caused by an error in the NSS code that can occur when processing certain SSLv2 server messages: the products fail to properly process SSL server certificates whose RSA public key is too small to encrypt the entire SSLv2 "Master Secret". This may result in a heap-based overflow and may allow an attacker to execute arbitrary code, resulting in a loss of integrity and/or availability.
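The size check this class of flaw calls for, as an added example (not NSS code and not part of the original advisory): a secret fits under an RSA key only if the modulus leaves room for the padding, so the key must be rejected before the padded block is written. It assumes PKCS#1 v1.5 encryption padding (11 bytes of overhead); the function names, the `fill_nonzero` hook and the sample sizes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* PKCS#1 v1.5 encryption block: 00 || 02 || PS (>= 8 nonzero bytes) || 00 || M */
#define PKCS1_V15_OVERHEAD 11u

/* 1 if secret_len bytes fit in one block for a modulus of modulus_len bytes. */
int secret_fits_modulus(size_t modulus_len, size_t secret_len)
{
    if (modulus_len < PKCS1_V15_OVERHEAD)
        return 0;                       /* avoids unsigned wrap below */
    return secret_len <= modulus_len - PKCS1_V15_OVERHEAD;
}

/* Writes the padded block into out (modulus_len bytes). Returns 0 on success,
 * -1 if the key is too small for the secret or out is too short.
 * fill_nonzero is a hypothetical hook for the caller's random padding source. */
int build_enc_block(uint8_t *out, size_t out_len, size_t modulus_len,
                    const uint8_t *secret, size_t secret_len,
                    void (*fill_nonzero)(uint8_t *, size_t))
{
    if (!secret_fits_modulus(modulus_len, secret_len) || out_len < modulus_len)
        return -1;                      /* reject before any write */
    size_t pad_len = modulus_len - secret_len - 3;
    out[0] = 0x00;
    out[1] = 0x02;
    fill_nonzero(out + 2, pad_len);
    out[2 + pad_len] = 0x00;
    memcpy(out + 3 + pad_len, secret, secret_len);
    return 0;
}

/* Constructed demo: fixed 0x01 padding stands in for a real CSPRNG. */
static void demo_fill(uint8_t *p, size_t n) { memset(p, 0x01, n); }

/* Constructed sizes: returns build_enc_block's result for a zeroed secret. */
int demo_build(size_t modulus_len, size_t secret_len)
{
    uint8_t out[256], secret[64] = {0};
    if (secret_len > sizeof secret)
        return -1;
    return build_enc_block(out, sizeof out, modulus_len, secret, secret_len,
                           demo_fill);
}

/* 24-byte secret: accepted under a 64-byte modulus, refused under 32 bytes. */
int main(void) { return (demo_build(64, 24) == 0 && demo_build(32, 24) == -1) ? 0 : 1; }
```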
Classification
Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity, Loss of Availability
Exploit: Exploit Public, Exploit Private
Disclosure: OSVDB Verified
Solution
Upgrade to the following versions of the affected products, which have been reported to fix this vulnerability:
Mozilla Network Security Services (NSS): version 3.11.5 or higher
Mozilla Firefox: version 2.0.2 or higher
Mozilla Thunderbird: version 1.5.0.10 or higher
Mozilla SeaMonkey: version 1.0.8 or higher
It is also possible to correct the flaw by implementing the following workaround(s): Disable the SSLv2 protocol in any product that has not already done so.
In Mozilla Firefox 1.5:
1) Click on the Advanced icon in the Options/Preferences dialog.
2) On the Security tab, uncheck the box next to "Use SSL 2.0".
3) Click the "OK" button.
In Mozilla Thunderbird 1.5:
1) Click on the Advanced icon in the Options/Preferences dialog.
2) Click the "Config Editor..." button.
3) Type ssl2 in the Filter field.
4) Double-click security.enable_ssl2 to change the value to false and close the window.
Mozilla Network Security Services (NSS):
Disable the SSLv2 protocol.