SecurityTracker.com
Category:   Application (Security)  >   Network Security Services (NSS)
Vendors:   Mozilla.org
Network Security Services (NSS) SSL DHE/ECDHE Use-After-Free Memory Error May Let Remote Users Execute Arbitrary Code on the Target System
SecurityTracker Alert ID:  1035258
SecurityTracker URL:  http://securitytracker.com/id/1035258
CVE Reference:   CVE-2016-1978
Date:  Mar 14 2016
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Network Security Services (NSS). A remote user may be able to execute arbitrary code on the target system.

A remote user can send specially crafted DHE and ECDHE handshake data to trigger a use-after-free memory error when the target system's available memory is low, and potentially execute arbitrary code on the target system.

Eric Rescorla reported this vulnerability.

Impact:   A remote user may be able to execute arbitrary code on the target system.
Solution:   The vendor has issued a fix (3.21).

The vendor's advisory is available at:

https://www.mozilla.org/en-US/security/advisories/mfsa2016-15/

Vendor URL:  www.mozilla.org/en-US/security/advisories/mfsa2016-15/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 14 2016 (Mozilla Issues Fix for Mozilla Firefox) Network Security Services (NSS) SSL DHE/ECDHE Use-After-Free Memory Error May Let Remote Users Execute Arbitrary Code on the Target System
Mozilla has issued a fix for Mozilla Firefox.
Apr 5 2016 (Red Hat Issues Fix) Network Security Services (NSS) SSL DHE/ECDHE Use-After-Free Memory Error May Let Remote Users Execute Arbitrary Code on the Target System
Red Hat has issued a fix for Red Hat Enterprise Linux 6.
Apr 5 2016 (CentOS Issues Fix for Netscape Portable Runtime API) Network Security Services (NSS) SSL DHE/ECDHE Use-After-Free Memory Error May Let Remote Users Execute Arbitrary Code on the Target System
CentOS has issued a fix for Netscape Portable Runtime API for CentOS 6.
Apr 5 2016 (CentOS Issues Fix) Network Security Services (NSS) SSL DHE/ECDHE Use-After-Free Memory Error May Let Remote Users Execute Arbitrary Code on the Target System
CentOS has issued a fix for CentOS 6.
Apr 6 2016 (Oracle Issues Fix for Oracle Linux) Network Security Services (NSS) SSL DHE/ECDHE Use-After-Free Memory Error May Let Remote Users Execute Arbitrary Code on the Target System
Oracle has issued a fix for Oracle Linux 6.
Apr 25 2016 (Red Hat Issues Fix) Network Security Services (NSS) SSL DHE/ECDHE Use-After-Free Memory Error May Let Remote Users Execute Arbitrary Code on the Target System
Red Hat has issued a fix for Red Hat Enterprise Linux 5.
Apr 25 2016 (Red Hat Issues Fix) Network Security Services (NSS) SSL DHE/ECDHE Use-After-Free Memory Error May Let Remote Users Execute Arbitrary Code on the Target System
Red Hat has issued a fix for Red Hat Enterprise Linux 7.
Apr 26 2016 (Oracle Issues Fix for Oracle Linux) Network Security Services (NSS) SSL DHE/ECDHE Use-After-Free Memory Error May Let Remote Users Execute Arbitrary Code on the Target System
Oracle has issued a fix for Oracle Linux 5 and 7.
Apr 26 2016 (CentOS Issues Fix) Network Security Services (NSS) SSL DHE/ECDHE Use-After-Free Memory Error May Let Remote Users Execute Arbitrary Code on the Target System
CentOS has issued a fix for CentOS 5.
Apr 26 2016 (CentOS Issues Fix for Netscape Portable Runtime API) Network Security Services (NSS) SSL DHE/ECDHE Use-After-Free Memory Error May Let Remote Users Execute Arbitrary Code on the Target System
CentOS has issued a fix for Netscape Portable Runtime API for CentOS 5 and 7.
Apr 26 2016 (CentOS Issues Fix) Network Security Services (NSS) SSL DHE/ECDHE Use-After-Free Memory Error May Let Remote Users Execute Arbitrary Code on the Target System
CentOS has issued a fix for CentOS 7.
May 19 2016 (Ubuntu Issues Fix for Mozilla Thunderbird) Network Security Services (NSS) SSL DHE/ECDHE Use-After-Free Memory Error May Let Remote Users Execute Arbitrary Code on the Target System
Ubuntu has issued a fix for Mozilla Thunderbird for Ubuntu Linux 12.04 LTS, 14.04 LTS, 15.10, and 16.04 LTS.
Jun 9 2016 (Blue Coat Systems Issues Advisory for Blue Coat PacketShaper) Network Security Services (NSS) SSL DHE/ECDHE Use-After-Free Memory Error May Let Remote Users Execute Arbitrary Code on the Target System
Blue Coat Systems has issued an advisory for Blue Coat PacketShaper.
Jun 9 2016 (Blue Coat Systems Issues Advisory for Blue Coat Director) Network Security Services (NSS) SSL DHE/ECDHE Use-After-Free Memory Error May Let Remote Users Execute Arbitrary Code on the Target System
Blue Coat Systems has issued an advisory for Blue Coat Director.
Jul 8 2016 (IBM Issues Fix for IBM Security Identity Manager Virtual Appliance) Network Security Services (NSS) SSL DHE/ECDHE Use-After-Free Memory Error May Let Remote Users Execute Arbitrary Code on the Target System
IBM has issued a fix for IBM Security Identity Manager Virtual Appliance.
Jul 21 2016 (IBM Issues Fix for IBM Security Access Manager) Network Security Services (NSS) SSL DHE/ECDHE Use-After-Free Memory Error May Let Remote Users Execute Arbitrary Code on the Target System
IBM has issued a fix for IBM Security Access Manager.
Jul 21 2016 (IBM Issues Fix for IBM Security Access Manager) Network Security Services (NSS) SSL DHE/ECDHE Use-After-Free Memory Error May Let Remote Users Execute Arbitrary Code on the Target System
IBM has issued a fix for IBM Security Access Manager.


