#VU89648 Cryptographic issues in Mozilla NSS - CVE-2015-2730

Cybersecurity Help s.r.o.

Published: 2024-05-20

Vulnerability identifier: #VU89648

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2015-2730

CWE-ID: CWE-310

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla NSS
Universal components / Libraries / Libraries used by multiple products

Vendor: Mozilla

Description

The vulnerability allows a remote attacker to modify data on the system.

The vulnerability exists due to application does not properly perform Elliptical Curve Cryptography (ECC) multiplications. A remote attacker can exploit this vulnerability to forge signatures by persuading a victim to visit a specially-crafted website.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mozilla NSS: before 3.19.1

External links
https://bugzilla.mozilla.org/show_bug.cgi?id=1125025
https://www.mozilla.org/security/announce/2015/mfsa2015-64.html
https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.19.1_release_notes
https://www.debian.org/security/2015/dsa-3336
https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00034.html
https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00033.html
https://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
https://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
https://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
https://www.securityfocus.com/bid/83399
https://www.securityfocus.com/bid/75541
https://security.gentoo.org/glsa/201512-10
https://rhn.redhat.com/errata/RHSA-2015-1699.html
https://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html
https://rhn.redhat.com/errata/RHSA-2015-1664.html
https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html
https://www.ubuntu.com/usn/USN-2672-1
https://www.ubuntu.com/usn/USN-2656-2
https://www.ubuntu.com/usn/USN-2656-1
https://www.securitytracker.com/id/1032783
https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00025.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Cryptographic issues in IBM FlashSystem models 840 and 900

Cryptographic issues in IBM SAN Volume Controller and Storwize Family