Mozilla Network Security Services (NSS) Master Secret buffer overflow

nss-mastersecret-bo (32666) The risk level is classified as HighHigh Risk

Description:

Multiple products using the Mozilla Network Security Services (NSS) library are vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the SSLv2 service. By sending a specially-crafted SSLv2 certificate with a small public key for the Master Secret, a remote attacker could overflow a buffer and execute arbitrary code on the system.

Platforms Affected:

  • Canonical, Ubuntu 5.10
  • Canonical, Ubuntu 6.06 LTS
  • Canonical, Ubuntu 6.10
  • Debian, Debian Linux 3.1
  • Gentoo, Linux
  • MandrakeSoft, Mandrake Linux 2007
  • MandrakeSoft, Mandrake Linux 2007 X86_64
  • MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
  • MandrakeSoft, Mandrake Linux Corporate Server 3.0
  • MandrakeSoft, Mandrake Linux Corporate Server 4.0 X86_64
  • MandrakeSoft, Mandrake Linux Corporate Server 4.0
  • Mozilla, Firefox 1.5
  • Mozilla, Firefox 1.5.0.1
  • Mozilla, Firefox 1.5.0.2
  • Mozilla, Firefox 1.5.0.3
  • Mozilla, Firefox 1.5.0.4
  • Mozilla, Firefox 1.5.0.5
  • Mozilla, Firefox 1.5.0.6
  • Mozilla, Firefox 1.5.0.7
  • Mozilla, Firefox 1.5.0.8
  • Mozilla, Firefox 1.5.0.9
  • Mozilla, Firefox 2.0
  • Mozilla, Firefox 2.0.0.1
  • Mozilla, Network Security Services 3.11.2
  • Mozilla, Network Security Services 3.11.3
  • Mozilla, Network Security Services 3.11.4
  • Mozilla, SeaMonkey 1.0 Dev
  • Mozilla, SeaMonkey 1.0 Alpha
  • Mozilla, SeaMonkey 1.0 Beta
  • Mozilla, SeaMonkey 1.0
  • Mozilla, SeaMonkey 1.0.1
  • Mozilla, SeaMonkey 1.0.2
  • Mozilla, SeaMonkey 1.0.3
  • Mozilla, SeaMonkey 1.0.4
  • Mozilla, SeaMonkey 1.0.5
  • Mozilla, SeaMonkey 1.0.6
  • Mozilla, SeaMonkey 1.0.7
  • Mozilla, Thunderbird 1.5
  • Mozilla, Thunderbird 1.5 Beta2
  • Mozilla, Thunderbird 1.5.0.1
  • Mozilla, Thunderbird 1.5.0.10
  • Mozilla, Thunderbird 1.5.0.2
  • Mozilla, Thunderbird 1.5.0.3
  • Mozilla, Thunderbird 1.5.0.4
  • Mozilla, Thunderbird 1.5.0.5
  • Mozilla, Thunderbird 1.5.0.6
  • Mozilla, Thunderbird 1.5.0.7
  • Mozilla, Thunderbird 1.5.0.8
  • Mozilla, Thunderbird 1.5.0.9
  • Novell, Linux Desktop 9
  • Novell, Linux POS 9
  • Novell, Open Enterprise Server
  • Novell, Open Enterprise Server
  • Novell, OpenSUSE 10.2
  • Novell, UnitedLinux 1.0
  • RedHat, Enterprise Linux 2.1 AS
  • RedHat, Enterprise Linux 2.1 ES
  • RedHat, Enterprise Linux 2.1 WS
  • RedHat, Enterprise Linux 3 WS
  • RedHat, Enterprise Linux 3 ES
  • RedHat, Enterprise Linux 3 AS
  • RedHat, Enterprise Linux 3 Desktop
  • RedHat, Enterprise Linux 4 AS
  • RedHat, Enterprise Linux 4 Desktop
  • RedHat, Enterprise Linux 4 WS
  • RedHat, Enterprise Linux 4 ES
  • RedHat, Enterprise Linux 5
  • RedHat, Enterprise Linux 5 Client Workstation
  • RedHat, Enterprise Linux 5 Client
  • RedHat, Enterprise Linux Desktop 5.0
  • RedHat, Enterprise Linux Optional Productivity Applications 5 Server
  • RedHat, Linux Advanced Workstation 2.1 Itanium
  • Sun, Java Enterprise System 2003Q4
  • Sun, Java Enterprise System 2004Q2
  • Sun, Java Enterprise System 2005Q1
  • Sun, Java Enterprise System 2005Q4
  • Sun, Java Enterprise System 5
  • Sun, Java System Application Server 8.1 2005Q1 Enterprise
  • Sun, Java System Application Server 8.1 2005Q1
  • Sun, Java System Web Proxy Server 4.0
  • Sun, Java System Web Proxy Server 4.0 SP1
  • Sun, Java System Web Server 6.1
  • Sun, Java System Web Server 7.0
  • Sun, Solaris 10
  • Sun, Solaris 9
  • SuSE, SuSE Linux 10.0
  • SuSE, SuSE Linux 10.1
  • SuSE, SuSE Linux 9.3
  • SuSE, SuSE Linux Enterprise Server 8.0
  • SuSE, SuSE Linux OpenExchange Server 4
  • SuSE, SuSE Linux Retail Solution 8
  • SuSE, SuSE Linux School Server
  • SuSE, SuSE Linux Standard Server 8
  • SuSE, SuSE SLED 10
  • SuSE, SuSE SLES 10
  • SuSE, SuSE SLES 9

Remedy:

Refer to MFSA 2007-06 for upgrade or suggested workaround information. See References.

For Red Hat Linux (Thunderbird):
Refer to RHSA-2007:0078-2 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (Firefox):
Refer to RHSA-2007:0079-2 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (Firefox RHEL server and client):
Refer to RHSA-2007:0097-5 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (SeaMonkey):
Refer to RHSA-2007:0077-4 for patch, upgrade, or suggested workaround information. See References.

For Ubuntu Linux:
Refer to USN-431-1 for patch, upgrade, or suggested workaround information. See References.

For Ubuntu Linux:
Refer to USN-428-2 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 200703-18 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux:
Refer to GLSA 200703-22 for patch, upgrade, or suggested workaround information. See References.

For Mandriva Linux (Thunderbird):
Refer to MDKSA-2007:052 for patch, upgrade, or suggested workaround information. See References.

For Mandriva Linux (Firefox):
Refer to MDKSA-2007:050 for patch, upgrade, or suggested workaround information. See References.

For Solaris (NSS):
Refer to Sun Alert ID: 102856 for patch, upgrade, or suggested workaround information. See References.

For Solaris (Sun Java System Application Server, Web Server, and Web Proxy Server):
Refer to Sun Alert ID: 102945 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux (Firefox):
Refer to SUSE-SA:2007:019 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux (Mozilla):
Refer to SUSE-SA:2007:022 for patch, upgrade, or suggested workaround information. See References.

For Debian Linux (mozilla-firefox):
Refer to DSA-1336-1 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

  • iDefense Labs PUBLIC ADVISORY: 02.23.07, Mozilla Network Security Services SSLv2 Client Integer Underflow Vulnerability at http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=482.
  • MFSA 2007-06, Mozilla Network Security Services (NSS) SSLv2 buffer overflows at http://www.mozilla.org/security/announce/2007/mfsa2007-06.html.
  • Sun Alert ID: 102856, Security Vulnerabilities in the Network Security Services (NSS) May Affect SSL Clients and SSL Servers at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102856-1.
  • Sun Alert ID: 102945, Security Vulnerabilities in the Network Security Services (NSS) Library May Affect Sun Java System Application Server, Web Server and Web Proxy Server at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102945-1.
  • ASA-2007-092: SeaMonkey security update (RHSA-2007-0077)
  • ASA-2007-095: thunderbird security update (RHSA-2007-0078)
  • ASA-2007-114: Firefox security update (RHSA-2007-0079)
  • ASA-2007-153: Security Vulnerabilities in the Network Security Services (NSS) May Affect SSL Clients and SSL Servers (Sun 102856)
  • ASA-2007-276: Security Vulnerabilities in the Network Security Services (NSS) Library May Affect Sun Java System Application Server Web Server and Web Proxy Server (Sun 102945)
  • BID-22694: Mozilla Thunderbird/SeaMonkey/Firefox Multiple Remote Vulnerabilities
  • CVE-2007-0008: Integer underflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, SeaMonkey before 1.0.8, Thunderbird before 1.5.0.10, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via a crafted SSLv2 server message containing a public key that is too short to encrypt the Master Secret, which results in a heap-based overflow.
  • DSA-1336: mozilla-firefox -- several vulnerabilities
  • GLSA-200703-18: Mozilla Thunderbird: Multiple vulnerabilities
  • GLSA-200703-22: Mozilla Network Security Service: Remote execution of arbitrary code
  • MDKSA-2007:050: Updated Firefox packages fix multiple vulnerabilities
  • MDKSA-2007:050-1: Updated Firefox packages fix multiple vulnerabilities
  • MDKSA-2007:052: Updated Thunderbird packages fix multiple vulnerabilities
  • OSVDB ID: 32105: Mozilla Multiple Product NSS SSLv2 Client Overflow
  • RHSA-2007-0077: Critical: seamonkey security update
  • RHSA-2007-0078: Critical: thunderbird security update
  • RHSA-2007-0079: Critical: Firefox security update
  • RHSA-2007-0097: Critical: firefox security update
  • RHSA-2007-0108: Critical: thunderbird security update
  • SA24205: Mozilla Firefox Multiple Vulnerabilities
  • SA24238: Mozilla SeaMonkey Multiple Vulnerabilities
  • SA24252: Mozilla Thunderbird Multiple Vulnerabilities
  • SA24253: Network Security Services SSLv2 Processing Buffer Overflows
  • SA24703: Sun Solaris and Java Enterprise System Network Security Services Vulnerabilities
  • SA25597: Sun Java System Products NSS SSLv2 Processing Buffer Overflows
  • SECTRACK ID: 1017696: Mozilla Firefox Integer Underflow in Processing SSLv2 Server Messages Lets Remote Users Execute Arbitrary Code
  • SUSE-SA:2007:019: MozillaFirefox security update 1.5.0.10/2.0.0.2
  • SUSE-SA:2007:022: Mozilla security problems
  • US-CERT VU#377812: Mozilla Network Security Services (NSS) fails to properly process malformed SSLv2 server messages
  • USN-428-1: Firefox vulnerabilities
  • USN-428-2: Firefox regression
  • USN-431-1: Thunderbird vulnerabilities
  • VUPEN/ADV-2007-0718: Mozilla Products Multiple Remote Code Execution and Security Bypass Vulnerabilities
  • VUPEN/ADV-2007-0719: Mozilla Thunderbird Multiple Command Execution and Denial of Service Vulnerabilities
  • VUPEN/ADV-2007-1165: Sun Solaris Security Update Fixes Multiple Network Security Service Vulnerabilities
  • VUPEN/ADV-2007-2141: Sun Java System Security Update Fixes Network Security Service Vulnerabilities

Reported:

Feb 23, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page