32105 : Mozilla Multiple Products NSS SSLv2 Client Overflow
Printer | http://osvdb.org/32105 | Email This | Edit Vulnerability

Views This Week Views All Time Added to OSVDB Last Modified Modified (since 2008) Percent Complete
6 1335 over 4 years ago about 1 year ago 2 times 100%

Timeline
Vendor Informed Date Vendor Ack Date Disclosure Date
2006-12-18 2006-12-19 2007-02-23
Time to Vendor Response
1 days

Description

A remote overflow exists in multiple versions of Mozilla Firefox, Mozilla Network Security Services (NSS), Mozilla SeaMonkey, and Mozilla Thunderbird. The vulnerability is due to an error in the Network Security Services (NSS) code that can occur when processing certain SSLv2 server messages. The products fail to properly process SSL server certificates which possess an RSA public key that is too small to encrypt the entire SSLv2 "Master Secret". This may result in a heap-based overflow and may allow an attacker execution of arbitrary code, resulting in a loss of integrity and/or availability.

Classification

 Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity, Loss of Availability
Exploit: Exploit Public, Exploit Private
Disclosure: OSVDB Verified, Vendor Verified

Technical

Support for SSLv2 is disabled in Firefox 2 due to other known weaknesses in the protocol; Firefox 2 is not vulnerable unless the user has modified hidden internal NSS settings to re-enable SSLv2 support.

Below is the NSS CVS change that fixes the vulnerability:
===================================================================
Index: sslcon.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslcon.c,v
retrieving revision 1.34
diff -p -u -9 -r1.34 sslcon.c
--- sslcon.c 14 Nov 2006 01:09:54 -0000 1.34
+++ sslcon.c 19 Dec 2006 08:08:39 -0000
@@ -1975,19 +1975,22 @@ ssl2_ClientHandleServerCert(sslSocket *s
unsigned char *
ssl_FormatSSL2Block(unsigned modulusLen, SECItem *data)
{
unsigned char *block;
unsigned char *bp;
int padLen;
SECStatus rv;
int i;
- PORT_Assert (data->len <= (modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)));
+ if (modulusLen < data->len + (3 + RSA_BLOCK_MIN_PAD_LEN)) {
+ PORT_SetError(SEC_ERROR_BAD_KEY);
+ return NULL;
+ }
block = (unsigned char *) PORT_Alloc(modulusLen);
if (block == NULL)
return NULL;
bp = block;

Solution

Upgrade to the following versions of the affected products as these versions have been reported to fix this vulnerability:
Mozilla Network Security Services (NSS): version 3.11.5 or higher
Mozilla Firefox: version 2.0.2 or higher
Mozilla Thunderbird: version 1.5.0.10 or higher
Mozilla SeaMonkey: version 1.0.8 or higher

It is also possible to correct the flaw by implementing the following workaround(s): Disable the SSLv2 protocol in any product that has not already done so.
In Mozilla Firefox 1.5:
1) Click on the Advanced icon in the Options/Preferences dialog.
2) On the Security tab uncheck the box next to "Use SSL 2.0"
3) Click the "OK" button.

In Mozilla Thunderbird 1.5:
1) Click on the Advanced icon in the Options/Preferences dialog.
2) Click the "Config Editor..." button.
3) Type ssl2 in the Filter field
4) Double-click security.enable_ssl2 to change the value to false and close the window.

Mozilla Network Security Services (NSS):
Disable the SSLv2 protocol.

Products
Mozilla Organization
Watch-list
Firefox
Watch-list
 2.0.0.2
1.5.0.10
1.0
1.5
1.5 beta 1
1.5 beta 2
1.5.0.1
1.5.0.2
1.5.0.3
1.5.0.4
1.5.0.5
1.5.0.6
1.5.0.7
1.5.0.9
2.0
2.0 Beta 1
2.0 RC2
2.0 RC3
2.0.1
0.x
1.0.x
Thunderbird
Watch-list
 0.x
1.5
1.5.0.2
1.5.0.4
1.5.0.5
1.5.0.7
1.5.0.10
1.0.x
1.5 beta 2
1.5.9
1.5.0.1
SeaMonkey
Watch-list
 1.0.8
1.1.1
1.1 Alpha
1.1 Beta
1.0.x
Network Security Services (NSS)
Watch-list
 3.11.5
3.11.3
3.10
3.11.4
3.9.x
3.8.x
3.7.x
3.6.x
3.5.x
3.4.x
3.3.x
3.2.x

References

Tools & Filters
24701 24707 24708 24735 24748 24753 24774 24778 24867 24888 25000 25318 25779 27118 27119 27129 27439 27440 28021 28022 28025 29359
3922 3927 3931 3942

Credit

CVSSv2 Score

CVSSv2 Base Score = 6.8
Source: nvd.nist.gov | Generated: 2007-02-27 | Disagree?

Access_vector_2 Access_complexity_1 Authentication_2 Confidentiality_impact_1 Integrity_impact_1 Availability_impact_1

Blogs

This product uses the Daylife API but is not endorsed or certified by Daylife.

This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.

None found at this time

Comments

Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

© Copyright 2012 Open Source Vulnerability Database (OSVDB), All Rights Reserved.
Privacy Statement - Terms of Use