Overview
A vulnerability in the way Mozilla Network Security Services (NSS) handles malformed SSLv2 server messages may lead to execution of arbitrary code.
Description
The SSLv2 protocol uses a client master key to generate all subsequent session keys. The client master key is created using a public key recieved from the server during phase one of the SSL handshake. Mozilla NSS library contains a vulnerability in the way malformed SSLv2 server messages related to the public key are handled that may result in a buffer overflow. According to the Mozilla Foundation Security Advisory 2007-06: SSL clients such as Firefox and Thunderbird can suffer a buffer overflow if a malicious server presents a certificate with a public key that is too small to encrypt the entire "Master Secret". Exploiting this overflow appears to be unreliable but possible if the SSLv2 protocol is enabled. |
Impact
A remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user who is running the vulnerable application or cause a denial of service. |
Solution
Apply an update |
Disable SSLv2
|
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- http://www.mozilla.org/security/announce/2007/mfsa2007-06.html
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=482
- http://www.mozilla.org/projects/security/pki/nss/
- http://www.mozilla.org/projects/security/pki/nss/ssl/draft02.html
- http://www.mozilla.com/en-US/firefox/releases/1.5.0.10.html
- http://www.mozilla.com/en-US/firefox/2.0.0.2/releasenotes/
- http://www.mozilla.org/projects/seamonkey/releases/
- http://secunia.com/advisories/24238/
- http://secunia.com/advisories/24287/
- http://secunia.com/advisories/24205/
- http://secunia.com/advisories/24290/
- http://secunia.com/advisories/24253/
- http://secunia.com/advisories/24252/
- http://secunia.com/advisories/24320/
- http://secunia.com/advisories/24328/
- http://secunia.com/advisories/24293/
- http://secunia.com/advisories/24327/
- http://secunia.com/advisories/24277/
- http://secunia.com/advisories/24289/
- http://secunia.com/advisories/24343/
- http://secunia.com/advisories/24333/
- http://www.ciac.org/ciac/bulletins/r-164.shtml
- http://secunia.com/advisories/24406/
- http://secunia.com/advisories/24384/
- http://secunia.com/advisories/24410/
- http://secunia.com/advisories/24389/
- http://secunia.com/advisories/24455/
- http://secunia.com/advisories/24456/
- http://secunia.com/advisories/24457/
- http://www.securityfocus.com/bid/22694
- http://secunia.com/advisories/24703/
Acknowledgements
This vulnerability was reported in Mozilla Foundation Security Advisory 2007-06. Mozilla credits iDefense with reporting this issue.
This document was written by Chris Taschner.
Other Information
| CVE IDs: | CVE-2007-0008 |
| Severity Metric: | 12.72 |
| Date Public: | 2007-02-23 |
| Date First Published: | 2007-03-07 |
| Date Last Updated: | 2007-04-05 18:39 UTC |
| Document Revision: | 60 |