SSLV2 Client Hello Overflow
sslv2-client-hello-overflow (16314)
Description:
The SSL (Secure Sockets Layer) protocol is vulnerable to a buffer overflow. If a Web server has SSLv2 enabled, an attacker can supply a malformed SSLv2 Client Hello message to overflow a buffer and cause the service to crash, or execute arbitrary code on the system with the privileges of the Web server.
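The length checks a parser has to make before it copies any SSLv2 Client Hello field, as an added C example (not NSS code and not part of this advisory). The field layout follows the public SSL 2.0 specification; parse_v2_client_hello, v2_hello and the sample bytes are constructed for illustration, and only the 2-byte record header form is accepted.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define V2_HELLO_FIXED 9      /* msg type(1) + version(2) + three 16-bit lengths */
#define V2_MAX_CHALLENGE 32   /* upper bound from the SSL 2.0 specification */

typedef struct {
    uint16_t version;
    size_t cipher_len, sid_len, chal_len;
    const uint8_t *ciphers, *sid;          /* point into the caller's buffer */
    uint8_t challenge[V2_MAX_CHALLENGE];   /* fixed-size copy destination */
} v2_hello;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* buf holds exactly one received record of n bytes. Returns 0 or a negative reject code. */
int parse_v2_client_hello(const uint8_t *buf, size_t n, v2_hello *out)
{
    if (n < 2 + V2_HELLO_FIXED) return -1;        /* too short for both headers */
    if (!(buf[0] & 0x80)) return -2;              /* hello is unpadded: 2-byte header */
    size_t rec_len = ((size_t)(buf[0] & 0x7f) << 8) | buf[1];
    if (rec_len != n - 2) return -3;              /* declared length != bytes received */
    const uint8_t *m = buf + 2;
    if (m[0] != 1) return -4;                     /* message type 1 = CLIENT-HELLO */
    out->version    = be16(m + 1);
    out->cipher_len = be16(m + 3);
    out->sid_len    = be16(m + 5);
    out->chal_len   = be16(m + 7);
    if (out->cipher_len == 0 || out->cipher_len % 3) return -5;
    if (out->sid_len != 0 && out->sid_len != 16) return -6;
    if (out->chal_len < 16 || out->chal_len > V2_MAX_CHALLENGE) return -7;
    /* Each field is at most 65535, so the sum cannot wrap a size_t. */
    if (V2_HELLO_FIXED + out->cipher_len + out->sid_len + out->chal_len != rec_len)
        return -8;                                /* fields must exactly fill the record */
    out->ciphers = m + V2_HELLO_FIXED;
    out->sid     = out->ciphers + out->cipher_len;
    memcpy(out->challenge, out->sid + out->sid_len, out->chal_len); /* bounded by -7 check */
    return 0;
}

/* Constructed sample: one cipher spec, no session id, 16-byte all-zero challenge. */
static const uint8_t sample_hello[2 + 9 + 3 + 16] = {
    0x80, 0x1c, 0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x00, 0x00, 0x10,
    0x01, 0x00, 0x80
};
```

Every copy length is checked against both the bytes actually received and the size of the destination, so a record whose length fields disagree is rejected before any data is moved.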
Platforms Affected:
- HP, HP-UX B.11.00
- HP, HP-UX B.11.11
- HP, HP-UX B.11.23
- Netscape, Certificate Management System
- Netscape, Directory Server
- Netscape, Enterprise Server
- Netscape, Personalization Engine
- Netscape, Security Services
- Sun, iPlanet Web Server
- Sun, Java Enterprise System 2003Q4
- Sun, Java Enterprise System 2004Q2
- Sun, Java System Application Server 7.0 UR4
- Sun, Java System Application Server 7.1
- Sun, ONE Web Server 4.1
- Sun, ONE Web Server 4.1 SP12
- Sun, ONE Web Server 4.1 SP9
- Sun, ONE Web Server 4.1 SP8
- Sun, ONE Web Server 4.1 SP7
- Sun, ONE Web Server 4.1 SP6
- Sun, ONE Web Server 4.1 SP5
- Sun, ONE Web Server 4.1 SP4
- Sun, ONE Web Server 4.1 SP3
- Sun, ONE Web Server 4.1 SP2
- Sun, ONE Web Server 4.1 SP14
- Sun, ONE Web Server 4.1 SP13
- Sun, ONE Web Server 4.1 SP11
- Sun, ONE Web Server 4.1 SP10
- Sun, ONE Web Server 4.1 SP1
- Sun, ONE Web Server 6.0 SP6
- Sun, ONE Web Server 6.0 SP3
- Sun, ONE Web Server 6.0
- Sun, ONE Web Server 6.0 SP5
- Sun, ONE Web Server 6.0 SP2
- Sun, ONE Web Server 6.0 SP7
- Sun, ONE Web Server 6.0 SP8
- Sun, ONE Web Server 6.0 SP1
- Sun, ONE Web Server 6.0 SP4
- Sun, ONE Web Server 6.1
- Sun, ONE Web Server 6.1 SP2
- Sun, ONE Web Server 6.1 SP1
- Sun, Solaris 8
- Sun, Solaris 9
Remedy:
For manual protection, a vendor-supplied update for the NSS library is available for download from the Mozilla FTP site. See References.
For Sun Java Enterprise System:
Apply the appropriate patch for your system, as listed below. Refer to Sun Alert ID: 57643 for more information. See References.
SPARC Platform
Sun Java Enterprise System 2003Q4 and 2004Q2 for Solaris 8: 114045-12 or later and 115924-09 or later
Sun Java Enterprise System 2003Q4 and 2004Q2 for Solaris 9: 114049-12 or later and 115926-10 or later
x86 Platform
Sun Java Enterprise System 2003Q4 and 2004Q2 for Solaris 9: 114050-12 or later and 115927-10 or later
For Sun Java Web Server and Application Server:
Upgrade to the latest version, as listed below. Refer to Sun Alert ID: 57632 for more information. See References.
Sun Java System Web Server 6.0: SP9 or later
Sun Java System Web Server 6.1: SP3 or later
Sun Java System Application Server 7: 2004Q2 Update 1 or later
Sun Java System Application Server 7: Update 5 or later
As a workaround, mitigate risk associated with this vulnerability by disabling SSLv2 and all associated SSLv2 ciphers.
Consequences:
Gain Access
References:
- CIAC Information Bulletin 0-204, Netscape NSS Library Suite Remote Buffer Overflow at http://www.ciac.org/ciac/bulletins/o-204.shtml.
- Internet Security Systems Protection Advisory, Netscape NSS Library Remote Compromise at http://xforce.iss.net/xforce/alerts/id/180.
- Mozilla FTP site, ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_9_2_RTM at ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_9_2_RTM/.
- Sun Alert ID: 57632, Netscape NSS Library Vulnerability Affects Sun Java System Web Server and Sun Java System Application Server at http://sunsolve.sun.com/search/document.do?assetkey=1-26-57632-1&searchclause=%22category:security%22%20%22availability,%20security%22.
- Sun Alert ID: 57643, Netscape NSS Library Vulnerability Affects Sun Java Enterprise System at http://sunsolve.sun.com/search/document.do?assetkey=1-26-57643-1&searchclause=security.
- BID-11015: Mozilla Network Security Services Library Remote Heap Overflow Vulnerability
- CVE-2004-0826: Heap-based buffer overflow in Netscape Network Security Services (NSS) library allows remote attackers to execute arbitrary code via a modified record length field in an SSLv2 client hello message.
Reported:
Jun 03, 2004
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
