CVE-2013-1740

Name of the Vulnerable Software and Affected Versions Mozilla Network Security Services (NSS) versions prior to 3.15.4

Description The issue allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic when the TLS False Start feature is enabled. This is due to a problem in the ssl Do1stHandshake function in sslsecur.c in libssl.

Recommendations For versions prior to 3.15.4, update to version 3.15.4 or later to resolve the issue. As a temporary workaround, consider disabling the TLS False Start feature until a patch is available.