Vulnerability identifier: #VU85267
Vulnerability risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID: CWE-385
Exploitation vector: Network
Exploit availability: No
Vulnerable software: Mozilla NSS
Universal components / Libraries / Libraries used by multiple products
Vendor: Mozilla
Description
The vulnerability allows a remote attacker to perform a MitM attack.
The vulnerability exists due to an insufficient fix for #VU84108 (CVE-2023-4421). A remote attacker can perform a Marvin attack and gain access to sensitive information.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
Mozilla NSS: 3.0.1 - 3.95
External links
http://people.redhat.com/~hkario/marvin/
http://bugzilla.redhat.com/show_bug.cgi?id=2243644
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.