Karthikeyan Bhargavan

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 10.2 macOS versions prior to 10.12.2 watchOS versions prior to 3.1.3 **Description** The issue involves the Security component and makes it easier for attackers to bypass cryptographic protection mechanisms by leveraging the use of the 3DES cipher. This is due to the insufficient strength of the 3DES encryption scheme. The exploitation of this issue may allow a remote attacker to bypass cryptographic protection mechanisms. **Recommendations** For iOS versions prior to 10.2, update to version 10.2 or later. For macOS versions prior to 10.12.2, update to version 10.12.2 or later. For watchOS versions prior to 3.1.3, update to version 3.1.3 or later.

**Name of the Vulnerable Software and Affected Versions** OpenVPN versions prior to the fixed version **Description** The issue is related to the use of 64-bit block ciphers in OpenVPN, which can be exploited by remote attackers to obtain cleartext data via a birthday attack, specifically a "Sweet32" attack, against long-duration encrypted sessions. This can be demonstrated in an HTTP-over-OpenVPN session using Blowfish in CBC mode. **Recommendations** For OpenVPN versions prior to the fixed version, consider disabling the use of 64-bit block ciphers, such as Blowfish in CBC mode, until a patch is available. Restrict access to sensitive data transmitted over OpenVPN to minimize the risk of exploitation. As a temporary workaround, consider using alternative encryption methods that are not affected by the "Sweet32" attack.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 43.0.2 Mozilla Firefox ESR versions prior to 38.5.2 Mozilla Network Security Services (NSS) versions prior to 3.20.2 Oracle Java SE (affected versions not specified) **Description** The issue is related to errors in the code of a security component, which can be exploited by a remote attacker to gain read, modify, add, or delete access to data using network packets. Specifically, the problem lies in the TLS 1.2 Handshake Protocol traffic, where MD5 signatures in Server Key Exchange messages are not rejected. This makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision, potentially allowing them to impersonate a TLS server and obtain credentials. **Recommendations** For Mozilla Firefox versions prior to 43.0.2, update to version 43.0.2 or later to resolve the issue. For Mozilla Firefox ESR versions prior to 38.5.2, update to version 38.5.2 or later to resolve the issue. For Mozilla Network Security Services (NSS) versions prior to 3.20.2, update to version 3.20.2 or later to resolve the issue. For Oracle Java SE, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.11 **Description** The issue is related to the TLS Handshake Protocol implementation in Secure Transport, which accepts a Certificate Request message within a session where no Server Key Exchange message has been sent. This allows remote attackers to have an unspecified impact via crafted TLS data. The vulnerability is also described as being related to errors in the key exchange procedure, which can be exploited by a remote attacker to compromise information security. **Recommendations** For Apple OS X versions prior to 10.11, update to version 10.11 or later to resolve the issue. As a temporary workaround, consider restricting the use of TLS connections to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.11 **Description** The issue is related to the X.509 certificate-trust implementation, which does not properly handle revocation checking. This makes it easier for attackers to conduct man-in-the-middle attacks by using a revoked certificate. The vulnerability can be exploited by a remote attacker to spoof endpoints. **Recommendations** For Apple OS X versions prior to 10.11, update to version 10.11 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive resources to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mozilla Network Security Services (NSS) versions prior to 3.19 Mozilla Firefox versions prior to 39.0 Firefox ESR versions 31.x prior to 31.8 Firefox ESR versions 38.x prior to 38.1 Thunderbird versions prior to 38.1 **Description** The issue is related to the TLS state machine, where state transitions are not properly determined, allowing man-in-the-middle attackers to defeat cryptographic protection mechanisms by blocking messages. This can be demonstrated by removing a forward-secrecy property by blocking a `ServerKeyExchange` message, also known as a "SMACK SKIP-TLS" issue. **Recommendations** For Mozilla Network Security Services (NSS) versions prior to 3.19, update to version 3.19 or later. For Mozilla Firefox versions prior to 39.0, update to version 39.0 or later. For Firefox ESR versions 31.x prior to 31.8, update to version 31.8 or later. For Firefox ESR versions 38.x prior to 38.1, update to version 38.1 or later. For Thunderbird versions prior to 38.1, update to version 38.1 or later.

**Name of the Vulnerable Software and Affected Versions** IBM Java 8 versions before SR1 **Description** The issue allows remote attackers to cause a denial of service via unknown vectors related to SSL/TLS and the Secure Socket Extension provider. Additionally, a vulnerability in IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections, facilitating brute-force decryption of TLS/SSL traffic between vulnerable clients and servers using man-in-the-middle techniques. This is also known as the FREAK attack. **Recommendations** For IBM Java 8 versions before SR1, update to a version that includes the SR1 fix to resolve the issue. As a temporary workaround, consider restricting the use of RSA temporary keys in non-export RSA key exchange ciphersuites to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** IBM Tivoli Directory Server versions 6.0 through 6.0.0.73-ISS-ITDS-IF0073 IBM Tivoli Directory Server versions 6.1 through 6.1.0.66-ISS-ITDS-IF0066 IBM Tivoli Directory Server versions 6.2 through 6.2.0.42-ISS-ITDS-IF0042 IBM Tivoli Directory Server versions 6.3 through 6.3.0.35-ISS-ITDS-IF0035 IBM Security Directory Server versions 6.3.1 through 6.3.1.9-ISS-ISDS-IF0009 **Description** The issue makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT RSA ciphers via crafted TLS traffic, related to the "FREAK" issue. This could allow a remote attacker using man-in-the-middle techniques to facilitate bruteforce decryption of TLS/SSL traffic between vulnerable clients and servers. **Recommendations** For IBM Tivoli Directory Server versions 6.0 through 6.0.0.73-ISS-ITDS-IF0073, update to version 6.0.0.73-ISS-ITDS-IF0073 or later. For IBM Tivoli Directory Server versions 6.1 through 6.1.0.66-ISS-ITDS-IF0066, update to version 6.1.0.66-ISS-ITDS-IF0066 or later. For IBM Tivoli Directory Server versions 6.2 through 6.2.0.42-ISS-ITDS-IF0042, update to version 6.2.0.42-ISS-ITDS-IF0042 or later. For IBM Tivoli Directory Server versions 6.3 through 6.3.0.35-ISS-ITDS-IF0035, update to version 6.3.0.35-ISS-ITDS-IF0035 or later. For IBM Security Directory Server versions 6.3.1 through 6.3.1.9-ISS-ISDS-IF0009, update to version 6.3.1.9-ISS-ISDS-IF0009 or later.

🚨 CVE-2015-1637 Schannel (aka Secure Channel) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly restrict TLS state transitions, which makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability than CVE-2015-0204 and CVE-2015-1067. 🎖@cveNotify

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 8.1.3 Apple TV versions prior to 7.0.3 **Description** The issue concerns the mach port kobject interface in the kernel, which does not properly restrict certain information. This makes it easier for attackers to bypass a security protection mechanism. **Recommendations** For Apple iOS versions prior to 8.1.3, update to version 8.1.3 or later. For Apple TV versions prior to 7.0.3, update to version 7.0.3 or later.

**Name of the Vulnerable Software and Affected Versions** nginx versions 0.5.6 through 1.7.4 **Description** The issue allows remote attackers with certain privileges to conduct virtual host confusion attacks by reusing a cached SSL session for an unrelated context when the same shared ssl session cache or ssl session ticket key is used for multiple servers. **Recommendations** For versions 0.5.6 through 1.7.4, consider using unique ssl session cache or ssl session ticket key for each server to prevent the reuse of cached SSL sessions across different contexts.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 33.0.1750.117 **Description** The issue concerns the SSLClientSocketNSS::Core::OwnAuthCertHandler function in Google Chrome, which does not prevent changes to server X.509 certificates during renegotiations. This allows remote SSL servers to trigger the use of a new certificate chain by initiating a TLS renegotiation, potentially inconsistent with the user's expectations. **Recommendations** For versions prior to 33.0.1750.117, update to version 33.0.1750.117 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions prior to 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k openssl-1.0.1e openssl-devel-1.0.1e openssl-static-1.0.1e openssl-libs-1.0.1e openssl-debuginfo-1.0.1e **Description** The issue allows remote SSL servers to conduct RSA-to-EXPORT RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. This can lead to a denial of service condition or allow an attacker to gain access to sensitive data. The vulnerability can be exploited remotely. **Recommendations** For versions prior to 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k, update to a version that includes the fix for this issue. For openssl-1.0.1e, openssl-devel-1.0.1e, openssl-static-1.0.1e, openssl-libs-1.0.1e, and openssl-debuginfo-1.0.1e, update to a version that includes the fix for this issue. As a temporary workaround, consider disabling the `ssl3 get key exchange` function until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 1.0.0 through 1.0.0p OpenSSL versions 1.0.1 through 1.0.1k openssl-1.0.1e openssl-devel-1.0.1e openssl-static-1.0.1e openssl-libs-1.0.1e openssl-debuginfo-1.0.1e **Description** The issue allows remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support. This is due to the ssl3 get cert verify function in s3 srvr.c in OpenSSL accepting client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message. The vulnerability can lead to disruption of protected information and can be exploited remotely. **Recommendations** For OpenSSL versions 1.0.0 through 1.0.0p, update to version 1.0.0p or later. For OpenSSL versions 1.0.1 through 1.0.1k, update to version 1.0.1k or later. For openssl-1.0.1e, openssl-devel-1.0.1e, openssl-static-1.0.1e, openssl-libs-1.0.1e, and openssl-debuginfo-1.0.1e, update to a version that is not vulnerable. As a temporary workaround, consider disabling the `ssl3 get cert verify` function until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 28.0.1500.71 **Description** The HTTPS implementation does not ensure that headers are terminated by r r (carriage return, newline, carriage return, newline), which allows man-in-the-middle attackers to have an unspecified impact via vectors that trigger header truncation. **Recommendations** For versions prior to 28.0.1500.71, update to version 28.0.1500.71 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions 4.x through 13.0 Mozilla Firefox ESR versions 10.x before 10.0.6 Thunderbird versions 5.0 through 13.0 Thunderbird ESR versions 10.x before 10.0.6 SeaMonkey versions prior to 2.11 **Description** The Content Security Policy functionality does not properly restrict the strings placed into the blocked-uri parameter of a violation report. This allows remote web servers to capture sensitive information, such as OpenID credentials and OAuth 2.0 access tokens, by triggering a violation. **Recommendations** For Mozilla Firefox versions 4.x through 13.0, update to a version after 13.0. For Mozilla Firefox ESR versions 10.x before 10.0.6, update to version 10.0.6 or later. For Thunderbird versions 5.0 through 13.0, update to a version after 13.0. For Thunderbird ESR versions 10.x before 10.0.6, update to version 10.0.6 or later. For SeaMonkey versions prior to 2.11, update to version 2.11 or later.