SB2020082004 - Multiple vulnerabilities in Mozilla Network Security Service (NSS)

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2020-12400)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists in Mozilla NSS library in the way P-384 and P-521 curves are used in the generation of EDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key.

2) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2020-12401)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to usage of ECDSA signatures. A local user can perform a side channel attack and gain access to sensitive information.

3) Out-of-bounds read (CVE-ID: CVE-2020-12403)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing data encrypted with CHACHA20-POLY1305 ciphersuite. A remote attacker can trick the victim to connect to a malicious server and gain access to sensitive information.

Remediation

Install update from vendor's website.

References

• https://security.gentoo.org/glsa/202008-08
• https://access.redhat.com/security/cve/cve-2020-12400
• https://access.redhat.com/security/cve/cve-2020-12401
• https://access.redhat.com/security/cve/cve-2020-12403