Amazon Linux AMI update for nss, nss-softokn, nss-util, nspr



Risk High
Patch available YES
Number of vulnerabilities 4
CVE-ID CVE-2018-0495
CVE-2018-12404
CVE-2019-11729
CVE-2019-11745
CWE-ID CWE-200
CWE-300
CWE-20
CWE-787
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #2 is available.
Vulnerable software
 Amazon Linux AMI
Operating systems & Components / Operating system

Vendor Amazon Web Services

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Memory-cache side-channel attack

EUVDB-ID: #VU13370

Risk: Low

CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2018-0495

CWE-ID: CWE-200 - Information exposure

Exploit availability: Yes

Description

The vulnerability allows a local attacker to obtain potentially sensitive information.

The vulnerability exists due to a leakage of information through memory caches when the affected library uses a private key to create Elliptic Curve Digital Signature Algorithm (ECDSA) signatures.  A local attacker can conduct a memory-cache side-channel attack on ECDSA signatures and recover sensitive information, such as ECDSA private keys, which could be used to conduct further attacks. 

Note: The vulnerability is known as the "Return Of the Hidden Number Problem" or ROHNP.

Mitigation

Update the affected packages:

i686:
    nspr-debuginfo-4.21.0-1.43.amzn1.i686
    nspr-4.21.0-1.43.amzn1.i686
    nspr-devel-4.21.0-1.43.amzn1.i686
    nss-util-devel-3.44.0-4.56.amzn1.i686
    nss-util-3.44.0-4.56.amzn1.i686
    nss-util-debuginfo-3.44.0-4.56.amzn1.i686
    nss-softokn-freebl-devel-3.44.0-8.44.amzn1.i686
    nss-softokn-freebl-3.44.0-8.44.amzn1.i686
    nss-softokn-devel-3.44.0-8.44.amzn1.i686
    nss-softokn-debuginfo-3.44.0-8.44.amzn1.i686
    nss-softokn-3.44.0-8.44.amzn1.i686
    nss-debuginfo-3.44.0-7.84.amzn1.i686
    nss-pkcs11-devel-3.44.0-7.84.amzn1.i686
    nss-3.44.0-7.84.amzn1.i686
    nss-tools-3.44.0-7.84.amzn1.i686
    nss-sysinit-3.44.0-7.84.amzn1.i686
    nss-devel-3.44.0-7.84.amzn1.i686

src:
    nspr-4.21.0-1.43.amzn1.src
    nss-util-3.44.0-4.56.amzn1.src
    nss-softokn-3.44.0-8.44.amzn1.src
    nss-3.44.0-7.84.amzn1.src

x86_64:
    nspr-devel-4.21.0-1.43.amzn1.x86_64
    nspr-debuginfo-4.21.0-1.43.amzn1.x86_64
    nspr-4.21.0-1.43.amzn1.x86_64
    nss-util-devel-3.44.0-4.56.amzn1.x86_64
    nss-util-3.44.0-4.56.amzn1.x86_64
    nss-util-debuginfo-3.44.0-4.56.amzn1.x86_64
    nss-softokn-freebl-devel-3.44.0-8.44.amzn1.x86_64
    nss-softokn-3.44.0-8.44.amzn1.x86_64
    nss-softokn-debuginfo-3.44.0-8.44.amzn1.x86_64
    nss-softokn-devel-3.44.0-8.44.amzn1.x86_64
    nss-softokn-freebl-3.44.0-8.44.amzn1.x86_64
    nss-tools-3.44.0-7.84.amzn1.x86_64
    nss-3.44.0-7.84.amzn1.x86_64
    nss-pkcs11-devel-3.44.0-7.84.amzn1.x86_64
    nss-sysinit-3.44.0-7.84.amzn1.x86_64
    nss-devel-3.44.0-7.84.amzn1.x86_64
    nss-debuginfo-3.44.0-7.84.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3 External links

https://alas.aws.amazon.com/ALAS-2020-1355.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Cache Attacks

EUVDB-ID: #VU16219

Risk: Medium

CVSSv4.0: 7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2018-12404

CWE-ID: CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a downgrade attack on the server and decrypt private keys on the target system.

The vulnerability exists due to a core weakness in TLS that relates to the handshaking of the session key which is used within the tunnel during parallelisation of thousands of oracle queries that occurs using a cluster of TLS servers which share the same public key certificate. A remote attacker can mount a microarchitectural side channel attack against a vulnerable implementation, obtain a network man-in-the-middle position, obtain the relevant data to sign and trigger the victim server to decrypt ciphertexts chosen by the adversary to perform a downgrade attack.






Mitigation

Update the affected packages:

i686:
    nspr-debuginfo-4.21.0-1.43.amzn1.i686
    nspr-4.21.0-1.43.amzn1.i686
    nspr-devel-4.21.0-1.43.amzn1.i686
    nss-util-devel-3.44.0-4.56.amzn1.i686
    nss-util-3.44.0-4.56.amzn1.i686
    nss-util-debuginfo-3.44.0-4.56.amzn1.i686
    nss-softokn-freebl-devel-3.44.0-8.44.amzn1.i686
    nss-softokn-freebl-3.44.0-8.44.amzn1.i686
    nss-softokn-devel-3.44.0-8.44.amzn1.i686
    nss-softokn-debuginfo-3.44.0-8.44.amzn1.i686
    nss-softokn-3.44.0-8.44.amzn1.i686
    nss-debuginfo-3.44.0-7.84.amzn1.i686
    nss-pkcs11-devel-3.44.0-7.84.amzn1.i686
    nss-3.44.0-7.84.amzn1.i686
    nss-tools-3.44.0-7.84.amzn1.i686
    nss-sysinit-3.44.0-7.84.amzn1.i686
    nss-devel-3.44.0-7.84.amzn1.i686

src:
    nspr-4.21.0-1.43.amzn1.src
    nss-util-3.44.0-4.56.amzn1.src
    nss-softokn-3.44.0-8.44.amzn1.src
    nss-3.44.0-7.84.amzn1.src

x86_64:
    nspr-devel-4.21.0-1.43.amzn1.x86_64
    nspr-debuginfo-4.21.0-1.43.amzn1.x86_64
    nspr-4.21.0-1.43.amzn1.x86_64
    nss-util-devel-3.44.0-4.56.amzn1.x86_64
    nss-util-3.44.0-4.56.amzn1.x86_64
    nss-util-debuginfo-3.44.0-4.56.amzn1.x86_64
    nss-softokn-freebl-devel-3.44.0-8.44.amzn1.x86_64
    nss-softokn-3.44.0-8.44.amzn1.x86_64
    nss-softokn-debuginfo-3.44.0-8.44.amzn1.x86_64
    nss-softokn-devel-3.44.0-8.44.amzn1.x86_64
    nss-softokn-freebl-3.44.0-8.44.amzn1.x86_64
    nss-tools-3.44.0-7.84.amzn1.x86_64
    nss-3.44.0-7.84.amzn1.x86_64
    nss-pkcs11-devel-3.44.0-7.84.amzn1.x86_64
    nss-sysinit-3.44.0-7.84.amzn1.x86_64
    nss-devel-3.44.0-7.84.amzn1.x86_64
    nss-debuginfo-3.44.0-7.84.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3 External links

https://alas.aws.amazon.com/ALAS-2020-1355.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Input validation error

EUVDB-ID: #VU23562

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-11729

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when processing an empty or malformed p256-ECDH public keys. A remote attacker can trigger a segmentation fault and cause a denial of service condition on the target system.

Mitigation

Update the affected packages:

i686:
    nspr-debuginfo-4.21.0-1.43.amzn1.i686
    nspr-4.21.0-1.43.amzn1.i686
    nspr-devel-4.21.0-1.43.amzn1.i686
    nss-util-devel-3.44.0-4.56.amzn1.i686
    nss-util-3.44.0-4.56.amzn1.i686
    nss-util-debuginfo-3.44.0-4.56.amzn1.i686
    nss-softokn-freebl-devel-3.44.0-8.44.amzn1.i686
    nss-softokn-freebl-3.44.0-8.44.amzn1.i686
    nss-softokn-devel-3.44.0-8.44.amzn1.i686
    nss-softokn-debuginfo-3.44.0-8.44.amzn1.i686
    nss-softokn-3.44.0-8.44.amzn1.i686
    nss-debuginfo-3.44.0-7.84.amzn1.i686
    nss-pkcs11-devel-3.44.0-7.84.amzn1.i686
    nss-3.44.0-7.84.amzn1.i686
    nss-tools-3.44.0-7.84.amzn1.i686
    nss-sysinit-3.44.0-7.84.amzn1.i686
    nss-devel-3.44.0-7.84.amzn1.i686

src:
    nspr-4.21.0-1.43.amzn1.src
    nss-util-3.44.0-4.56.amzn1.src
    nss-softokn-3.44.0-8.44.amzn1.src
    nss-3.44.0-7.84.amzn1.src

x86_64:
    nspr-devel-4.21.0-1.43.amzn1.x86_64
    nspr-debuginfo-4.21.0-1.43.amzn1.x86_64
    nspr-4.21.0-1.43.amzn1.x86_64
    nss-util-devel-3.44.0-4.56.amzn1.x86_64
    nss-util-3.44.0-4.56.amzn1.x86_64
    nss-util-debuginfo-3.44.0-4.56.amzn1.x86_64
    nss-softokn-freebl-devel-3.44.0-8.44.amzn1.x86_64
    nss-softokn-3.44.0-8.44.amzn1.x86_64
    nss-softokn-debuginfo-3.44.0-8.44.amzn1.x86_64
    nss-softokn-devel-3.44.0-8.44.amzn1.x86_64
    nss-softokn-freebl-3.44.0-8.44.amzn1.x86_64
    nss-tools-3.44.0-7.84.amzn1.x86_64
    nss-3.44.0-7.84.amzn1.x86_64
    nss-pkcs11-devel-3.44.0-7.84.amzn1.x86_64
    nss-sysinit-3.44.0-7.84.amzn1.x86_64
    nss-devel-3.44.0-7.84.amzn1.x86_64
    nss-debuginfo-3.44.0-7.84.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3 External links

https://alas.aws.amazon.com/ALAS-2020-1355.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Out-of-bounds write

EUVDB-ID: #VU23050

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-11745

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input within the NSC_EncryptUpdate() function in /lib/softoken/pkcs11c.c, when performing padding operations in Mozilla NSS. A remote attacker can pass specially crafted data to the affected application, trigger out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Update the affected packages:

i686:
    nspr-debuginfo-4.21.0-1.43.amzn1.i686
    nspr-4.21.0-1.43.amzn1.i686
    nspr-devel-4.21.0-1.43.amzn1.i686
    nss-util-devel-3.44.0-4.56.amzn1.i686
    nss-util-3.44.0-4.56.amzn1.i686
    nss-util-debuginfo-3.44.0-4.56.amzn1.i686
    nss-softokn-freebl-devel-3.44.0-8.44.amzn1.i686
    nss-softokn-freebl-3.44.0-8.44.amzn1.i686
    nss-softokn-devel-3.44.0-8.44.amzn1.i686
    nss-softokn-debuginfo-3.44.0-8.44.amzn1.i686
    nss-softokn-3.44.0-8.44.amzn1.i686
    nss-debuginfo-3.44.0-7.84.amzn1.i686
    nss-pkcs11-devel-3.44.0-7.84.amzn1.i686
    nss-3.44.0-7.84.amzn1.i686
    nss-tools-3.44.0-7.84.amzn1.i686
    nss-sysinit-3.44.0-7.84.amzn1.i686
    nss-devel-3.44.0-7.84.amzn1.i686

src:
    nspr-4.21.0-1.43.amzn1.src
    nss-util-3.44.0-4.56.amzn1.src
    nss-softokn-3.44.0-8.44.amzn1.src
    nss-3.44.0-7.84.amzn1.src

x86_64:
    nspr-devel-4.21.0-1.43.amzn1.x86_64
    nspr-debuginfo-4.21.0-1.43.amzn1.x86_64
    nspr-4.21.0-1.43.amzn1.x86_64
    nss-util-devel-3.44.0-4.56.amzn1.x86_64
    nss-util-3.44.0-4.56.amzn1.x86_64
    nss-util-debuginfo-3.44.0-4.56.amzn1.x86_64
    nss-softokn-freebl-devel-3.44.0-8.44.amzn1.x86_64
    nss-softokn-3.44.0-8.44.amzn1.x86_64
    nss-softokn-debuginfo-3.44.0-8.44.amzn1.x86_64
    nss-softokn-devel-3.44.0-8.44.amzn1.x86_64
    nss-softokn-freebl-3.44.0-8.44.amzn1.x86_64
    nss-tools-3.44.0-7.84.amzn1.x86_64
    nss-3.44.0-7.84.amzn1.x86_64
    nss-pkcs11-devel-3.44.0-7.84.amzn1.x86_64
    nss-sysinit-3.44.0-7.84.amzn1.x86_64
    nss-devel-3.44.0-7.84.amzn1.x86_64
    nss-debuginfo-3.44.0-7.84.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3 External links

https://alas.aws.amazon.com/ALAS-2020-1355.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###