PT-2015-5857 · Mozilla+4 · Thunderbird+7

Karthikeyan Bhargavan

·

Publicado

2015-06-25

·

Atualizado

2024-12-12

·

CVE-2015-2721

CVSS v2.0

4.3

Média

VetorAV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions Mozilla Network Security Services (NSS) versions prior to 3.19 Mozilla Firefox versions prior to 39.0 Firefox ESR versions 31.x prior to 31.8 Firefox ESR versions 38.x prior to 38.1 Thunderbird versions prior to 38.1
Description The issue is related to the TLS state machine, where state transitions are not properly determined, allowing man-in-the-middle attackers to defeat cryptographic protection mechanisms by blocking messages. This can be demonstrated by removing a forward-secrecy property by blocking a ServerKeyExchange message, also known as a "SMACK SKIP-TLS" issue.
Recommendations For Mozilla Network Security Services (NSS) versions prior to 3.19, update to version 3.19 or later. For Mozilla Firefox versions prior to 39.0, update to version 39.0 or later. For Firefox ESR versions 31.x prior to 31.8, update to version 31.8 or later. For Firefox ESR versions 38.x prior to 38.1, update to version 38.1 or later. For Thunderbird versions prior to 38.1, update to version 38.1 or later.

Exploit

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-310

Identificadores relacionados

CESA-2015_1185
CVE-2015-2721
DLA-315-1
DSA-3300-1
DSA-3324-1
DSA-3336-1
MGASA-2015-0268
OPENSUSE-SU-2015_1229-1
OPENSUSE-SU-2024:10071-1
OPENSUSE-SU-2024:10230-1
OPENSUSE-SU-2024:10451-1
OPENSUSE-SU-2024:14572-1
RHSA-2015:1185
RHSA-2015:1664
RHSA-2015_1185
RHSA-2015_1664
SUSE-SU-2015:1268-1
SUSE-SU-2015:1268-2
SUSE-SU-2015:1269-1
SUSE-SU-2015:1449-1
SUSE-SU-2015_1268-1
SUSE-SU-2015_1268-2
SUSE-SU-2015_1269-1
USN-2656-1
USN-2656-2
USN-2672-1
USN-2673-1

Produtos afetados

Centos
Firefox
Firefox Esr
Network Security Services
Red Hat
Suse
Thunderbird
Ubuntu