SecurityTracker.com
Category:   Application (Security)  >   Network Security Services (NSS)
Vendors:   Mozilla.org
Network Security Services SSLv2 ClientHello Processing May Let Remote Users Obtain Potentially Sensitive Information on the Target System
SecurityTracker Alert ID:  1041724
SecurityTracker URL:  http://securitytracker.com/id/1041724
CVE Reference:   CVE-2018-12384
Date:  Sep 25 2018
Impact:   Disclosure of system information, Disclosure of user information


Description:   A vulnerability was reported in Network Security Services (NSS). A remote user can obtain potentially sensitive information on the target system.

On systems where the NSS library is compiled into a server application, a remote user can send an SSLv2-compatible ClientHello message that causes the server to reply with a ServerHello message using all-zero random data, which permits a passive relay attack against stream ciphers.

The Mozilla project reported this vulnerability.
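
A detection-side check for the behaviour described above, as an added example (not code from this advisory or from NSS): it takes the first bytes each side sends on a connection and flags the case where an SSLv2-format ClientHello is answered by a TLS ServerHello whose 32-byte random field is all zero. The function names and the sample bytes are constructed for illustration.

```python
import struct

HANDSHAKE, SERVER_HELLO = 0x16, 0x02

def is_sslv2_compat_client_hello(data: bytes) -> bool:
    """SSLv2-format record (2-byte header, high bit set) carrying a
    ClientHello (msg type 1) that offers SSL 3.x/TLS (major version 3)."""
    return (len(data) >= 5 and bool(data[0] & 0x80)
            and data[2] == 0x01 and data[3] == 0x03)

def server_hello_random(record: bytes):
    """Return the 32-byte random of a TLS ServerHello record, else None."""
    if len(record) < 5:
        return None
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    # handshake header (4) + server_version (2) + random (32) = 38 bytes
    if ctype != HANDSHAKE or len(body) < 38 or body[0] != SERVER_HELLO:
        return None
    return body[6:38]

def zero_random_after_v2_hello(client_first: bytes, server_first: bytes) -> bool:
    """Flag the pattern from the advisory: v2-compatible hello in,
    ServerHello with all-zero random out."""
    rnd = server_hello_random(server_first)
    return (is_sslv2_compat_client_hello(client_first)
            and rnd is not None and not any(rnd))

# --- constructed sample bytes (not captured traffic) ---
def sample_v2_client_hello() -> bytes:
    body = (b"\x01" + b"\x03\x01"                # msg type, offered version
            + struct.pack("!HHH", 3, 0, 16)      # cipher-spec, session-id, challenge lengths
            + b"\x00\x00\x05" + bytes(range(16)))  # one cipher spec, 16-byte challenge
    return struct.pack("!H", 0x8000 | len(body)) + body

def sample_server_hello(random32: bytes) -> bytes:
    # version, random, empty session id, cipher suite, null compression
    hello = b"\x03\x01" + random32 + b"\x00" + b"\x00\x05" + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs

if __name__ == "__main__":
    ch = sample_v2_client_hello()
    print(zero_random_after_v2_hello(ch, sample_server_hello(bytes(32))))
    print(zero_random_after_v2_hello(ch, sample_server_hello(bytes(range(1, 33)))))
```
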

Impact:   A remote user can obtain potentially sensitive information on the target system.
Solution:   The vendor has issued a fix (3.36.5, 3.39).

The vendor advisories are available at:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.39_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.5_release_notes

Vendor URL:  developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.39_release_notes
Cause:   Randomization error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 25 2018 (Red Hat Issues Fix) Network Security Services SSLv2 ClientHello Processing May Let Remote Users Obtain Potentially Sensitive Information on the Target System
Red Hat has issued a fix for Red Hat Enterprise Linux 7.
Sep 26 2018 (Oracle Issues Fix for Oracle Linux) Network Security Services SSLv2 ClientHello Processing May Let Remote Users Obtain Potentially Sensitive Information on the Target System
Oracle has issued a fix for Oracle Linux 7.
Oct 9 2018 (Red Hat Issues Fix) Network Security Services SSLv2 ClientHello Processing May Let Remote Users Obtain Potentially Sensitive Information on the Target System
Red Hat has issued a fix for Red Hat Enterprise Linux 6.



Copyright 2019, SecurityGlobal.net LLC