PT-2018-2488 · Mozilla+5 · Network Security Services+5

Eyal Ronen · Published 2018-08-23 · Updated 2024-06-15 · CVE-2018-12404

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Network Security Services (NSS) versions prior to 3.41

Description

A cache side-channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This issue is related to errors in cryptographic transformations and can be exploited to gain unauthorized access to protected information. The attack is a variant of the adaptive chosen-ciphertext attack, also known as the Bleichenbacher attack. It may also involve downgrading the TLS protocol version in use, allowing an attacker to access protected information using a side channel.

Recommendations

For NSS versions prior to 3.41, update to version 3.41 or later to resolve the issue. As a temporary workaround, consider restricting the use of RSA encryption for handshakes until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation.

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

ALT-PU-2019-1172
BDU:2019-00775
BDU:2019-01763
CESA-2019_2237
CVE-2018-12404
DLA-1704-1
DLA-2388-1
MGASA-2018-0482
OPENSUSE-SU-2018_4117-1
OPENSUSE-SU-2019:0183-1
OPENSUSE-SU-2019:1758-1
OPENSUSE-SU-2019_0183-1
OPENSUSE-SU-2019_1758-1
OPENSUSE-SU-2024:11058-1
RHSA-2019:2237
RHSA-2019_2237
SUSE-SU-2018:4235-1
SUSE-SU-2018:4236-1
SUSE-SU-2018:4236-2
SUSE-SU-2019:0273-1
USN-3850-1
USN-3850-2

Affected Products

Alt Linux
Centos
Network Security Services
Red Hat
Suse
Ubuntu