Main Vulnerability Database Vulnerabilities #VU28522

#VU28522 Race condition in Mozilla NSS - CVE-2020-12399

Published: June 2, 2020 / Updated: July 15, 2020

Vulnerability identifier: #VU28522

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

CVE-ID: CVE-2020-12399

CWE-ID: CWE-362

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Mozilla NSS

Software vendor:
Mozilla

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to time differences in Mozilla NSS library during the process of generating a DSA signature, the nonce value 'k' is not padded, exposing the bit length. Combined with other techniques, this can result in the recovery of the DSA private key.

Remediation

Install updates from vendor's website.

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/
https://bugzilla.mozilla.org/show_bug.cgi?id=1631576
https://bugzilla.redhat.com/show_bug.cgi?id=1826177