#VU6841 NULL pointer dereference in Mozilla NSS - CVE-2017-7502


Vulnerability identifier: #VU6841

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2017-7502

CWE-ID: CWE-476

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla NSS
Universal components / Libraries / Libraries used by multiple products

Vendor: Mozilla

Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference error in NSS since 3.24.0 when processing empty SSLv2 messages, received from clients. A remote attacker can send specially crafted request to vulnerable service and perform denial of service attack.

Mitigation
Install update from vendor's repository.

Vulnerable software versions

Mozilla NSS: 3.24 - 3.30.2

External links
https://hg.mozilla.org/projects/nss/rev/55ea60effd0d

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


NULL pointer dereference in IBM FlashSystem models 840 and 900
Ubuntu update for NSS
Amazon Linux AMI update for nss
Ubuntu update for NSS
CentOS 6 & 7 update for nss
Debian update for nss
Denial of service in Mozilla NSS library
Red Hat Linux update for NSS library