PT-2014-2487 · Mozilla+4 · Network Security Services+4

Published

2014-01-18

Updated

2024-06-15

CVE-2013-1740

CVSS v2.0

5.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions Mozilla Network Security Services (NSS) versions prior to 3.15.4

Description The issue allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic when the TLS False Start feature is enabled. This is due to a problem in the ssl Do1stHandshake function in sslsecur.c in libssl.

Recommendations For versions prior to 3.15.4, update to version 3.15.4 or later to resolve the issue. As a temporary workaround, consider disabling the TLS False Start feature until a patch is available.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-310

Related Identifiers

ALT-PU-2014-1209

CESA-2014_0917

CVE-2013-1740

MGASA-2014-0024

OPENSUSE-SU-2014_0213-1

OPENSUSE-SU-2024:10451-1

RHSA-2014:0917

RHSA-2014:1246

RHSA-2014_0917

RHSA-2014_1246

Affected Products

Alt Linux

Centos

Network Security Services

Red Hat

Suse

PT-2014-2487 · Mozilla+4 · Network Security Services+4

CVE-2013-1740

Weakness Enumeration

Related Identifiers

Affected Products

References · 139