PT-2015-5857 · Mozilla+4 · Thunderbird+7

Karthikeyan Bhargavan

·

Published

2015-06-25

·

Updated

2024-12-12

·

CVE-2015-2721

CVSS v2.0

4.3

Medium

VectorAV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions Mozilla Network Security Services (NSS) versions prior to 3.19 Mozilla Firefox versions prior to 39.0 Firefox ESR versions 31.x prior to 31.8 Firefox ESR versions 38.x prior to 38.1 Thunderbird versions prior to 38.1
Description The issue is related to the TLS state machine, where state transitions are not properly determined, allowing man-in-the-middle attackers to defeat cryptographic protection mechanisms by blocking messages. This can be demonstrated by removing a forward-secrecy property by blocking a ServerKeyExchange message, also known as a "SMACK SKIP-TLS" issue.
Recommendations For Mozilla Network Security Services (NSS) versions prior to 3.19, update to version 3.19 or later. For Mozilla Firefox versions prior to 39.0, update to version 39.0 or later. For Firefox ESR versions 31.x prior to 31.8, update to version 31.8 or later. For Firefox ESR versions 38.x prior to 38.1, update to version 38.1 or later. For Thunderbird versions prior to 38.1, update to version 38.1 or later.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-310

Related Identifiers

CESA-2015_1185
CVE-2015-2721
DLA-315-1
DSA-3300-1
DSA-3324-1
DSA-3336-1
MGASA-2015-0268
OPENSUSE-SU-2015_1229-1
OPENSUSE-SU-2024:10071-1
OPENSUSE-SU-2024:10230-1
OPENSUSE-SU-2024:10451-1
OPENSUSE-SU-2024:14572-1
RHSA-2015:1185
RHSA-2015:1664
RHSA-2015_1185
RHSA-2015_1664
SUSE-SU-2015:1268-1
SUSE-SU-2015:1268-2
SUSE-SU-2015:1269-1
SUSE-SU-2015:1449-1
SUSE-SU-2015_1268-1
SUSE-SU-2015_1268-2
SUSE-SU-2015_1269-1
USN-2656-1
USN-2656-2
USN-2672-1
USN-2673-1

Affected Products

Centos
Firefox
Firefox Esr
Network Security Services
Red Hat
Suse
Thunderbird
Ubuntu