Vulnerability identifier: #VU33638
Vulnerability risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID: CWE-19
Exploitation vector: Network
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.
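The missing check, sketched as an added example (not NSS code and not part of the original advisory): it parses a TLS 1.2 ServerKeyExchange handshake message and reports the declared SignatureAndHashAlgorithm, so an MD5-signed message can be flagged. The function names and sample messages are constructed for illustration; the parser covers DHE as well as ECDHE and does not verify the signature itself.

```python
import struct

# HashAlgorithm / SignatureAlgorithm code points from RFC 5246, section 7.4.1.4.1
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

def ske_signature_algorithm(msg: bytes, kex: str = "ecdhe"):
    """Return (hash, signature) names declared in a TLS 1.2 ServerKeyExchange."""
    if len(msg) < 4 or msg[0] != 12:          # HandshakeType server_key_exchange
        raise ValueError("not a ServerKeyExchange handshake message")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length does not match body")
    if kex == "ecdhe":
        if len(body) < 4 or body[0] != 3:     # ECCurveType named_curve
            raise ValueError("expected named_curve ECParameters")
        pos = 3 + 1 + body[3]                 # params, then length-prefixed ECPoint
    elif kex == "dhe":
        pos = 0
        for _ in range(3):                    # dh_p, dh_g, dh_Ys: 2-byte length each
            pos += 2 + int.from_bytes(body[pos:pos + 2], "big")
    else:
        raise ValueError("unsupported key exchange")
    if pos + 4 > len(body):
        raise ValueError("truncated before signature header")
    hash_id, sig_id, sig_len = struct.unpack_from("!BBH", body, pos)
    if pos + 4 + sig_len != len(body):
        raise ValueError("signature length does not match body")
    return (HASH_NAMES.get(hash_id, f"unknown({hash_id})"),
            SIG_NAMES.get(sig_id, f"unknown({sig_id})"))

def must_reject(msg: bytes, kex: str = "ecdhe") -> bool:
    """True when the message declares an MD5 signature hash."""
    return ske_signature_algorithm(msg, kex)[0] == "md5"

def build_sample(hash_id: int, sig_id: int) -> bytes:
    """Constructed ECDHE ServerKeyExchange; key and signature bytes are placeholders."""
    body = (b"\x03\x00\x17" + bytes([65]) + b"\x04" + bytes(64)   # secp256r1 point
            + bytes([hash_id, sig_id]) + (8).to_bytes(2, "big") + bytes(8))
    return b"\x0c" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for h, s in ((1, 1), (4, 1)):
        m = build_sample(h, s)
        print(ske_signature_algorithm(m), "reject" if must_reject(m) else "ok")
```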
Mitigation
Install the update from the vendor's website.
External links
https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00038.html
https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00041.html
https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00042.html
https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00043.html
https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00044.html
https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00045.html
https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00047.html
https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00048.html
https://lists.opensuse.org/opensuse-updates/2015-12/msg00139.html
https://lists.opensuse.org/opensuse-updates/2016-01/msg00005.html
https://lists.opensuse.org/opensuse-updates/2016-01/msg00058.html
https://lists.opensuse.org/opensuse-updates/2016-01/msg00059.html
https://lists.opensuse.org/opensuse-updates/2016-02/msg00007.html
https://lists.opensuse.org/opensuse-updates/2016-02/msg00008.html
https://lists.opensuse.org/opensuse-updates/2016-02/msg00101.html
https://lists.opensuse.org/opensuse-updates/2016-02/msg00166.html
https://rhn.redhat.com/errata/RHSA-2016-0049.html
https://rhn.redhat.com/errata/RHSA-2016-0050.html
https://rhn.redhat.com/errata/RHSA-2016-0053.html
https://rhn.redhat.com/errata/RHSA-2016-0054.html
https://rhn.redhat.com/errata/RHSA-2016-0055.html
https://rhn.redhat.com/errata/RHSA-2016-0056.html
https://www.debian.org/security/2016/dsa-3436
https://www.debian.org/security/2016/dsa-3437
https://www.debian.org/security/2016/dsa-3457
https://www.debian.org/security/2016/dsa-3458
https://www.debian.org/security/2016/dsa-3465
https://www.debian.org/security/2016/dsa-3491
https://www.debian.org/security/2016/dsa-3688
https://www.mozilla.org/security/announce/2015/mfsa2015-150.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
https://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
https://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
https://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
https://www.securityfocus.com/bid/79684
https://www.securityfocus.com/bid/91787
https://www.securitytracker.com/id/1034541
https://www.securitytracker.com/id/1036467
https://www.ubuntu.com/usn/USN-2863-1
https://www.ubuntu.com/usn/USN-2864-1
https://www.ubuntu.com/usn/USN-2865-1
https://www.ubuntu.com/usn/USN-2866-1
https://www.ubuntu.com/usn/USN-2884-1
https://www.ubuntu.com/usn/USN-2904-1
https://access.redhat.com/errata/RHSA-2016:1430
https://bugzilla.mozilla.org/show_bug.cgi?id=1158489
https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.20.2_release_notes
https://security.gentoo.org/glsa/201701-46
https://security.gentoo.org/glsa/201706-18
https://security.gentoo.org/glsa/201801-15
https://security.netapp.com/advisory/ntap-20160225-0001/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.