PT-2023-6229 · Mozilla+11 · Thunderbird+14

Hubert Kario

·

Published

2023-10-04

·

Updated

2026-03-30

·

CVE-2023-5388

CVSS v2.0

8.5

High

VectorAV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions Network Security Services (NSS) versions prior to the fixed version Firefox versions prior to 124 Firefox ESR versions prior to 115.9 Thunderbird versions prior to 115.9
Description The issue is related to the implementation of PKCS#1 v1.5, OAEP, and RSASVP standards in the NSS library, which lacks sufficient protection of service data due to a timing discrepancy. This allows a remote attacker to perform a Bleichenbacher or Marvin attack, potentially recovering private data. The vulnerability is also described as a timing side-channel attack when performing RSA decryption.
Recommendations For NSS, update to a version that includes the fix for this issue. For Firefox versions prior to 124, update to version 124 or later. For Firefox ESR versions prior to 115.9, update to version 115.9 or later. For Thunderbird versions prior to 115.9, update to version 115.9 or later. As a temporary workaround, consider restricting the use of RSA decryption in the affected software until a patch is available.

Fix

Side Channel Attack

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-208CWE-203

Related Identifiers

ALSA-2024:0105
ALSA-2024:0108
ALSA-2024:1484
ALSA-2024:1485
ALSA-2024:1493
ALSA-2024:1494
ALT-PU-2024-15839
ALT-PU-2024-4271
ALT-PU-2024-4963
ALT-PU-2024-4971
ALT-PU-2024-4973
ALT-PU-2024-5117
ALT-PU-2024-6027
ALT-PU-2024-6213
BDU:2023-06938
CESA-2024_0105
CESA-2024_1484
CESA-2024_1486
CESA-2024_1494
CESA-2024_1498
CVE-2023-5388
DLA-3757-1
DLA-3769-1
DLA-3775-1
DSA-5643-1
DSA-5644-1
ECHO-A217-D7D1-126E
MGASA-2024-0049
MGASA-2024-0092
MGASA-2024-0094
OESA-2025-1265
OESA-2025-1268
OPENSUSE-SU-2024:13789-1
OPENSUSE-SU-2024:13793-1
OPENSUSE-SU-2024:13795-1
OPENSUSE-SU-2024:14572-1
OPENSUSE-SU-2024_0597-1
RHSA-2024:0093
RHSA-2024:0105
RHSA-2024:0106
RHSA-2024:0107
RHSA-2024:0108
RHSA-2024:1483
RHSA-2024:1484
RHSA-2024:1485
RHSA-2024:1486
RHSA-2024:1487
RHSA-2024:1488
RHSA-2024:1489
RHSA-2024:1490
RHSA-2024:1491
RHSA-2024:1492
RHSA-2024:1493
RHSA-2024:1494
RHSA-2024:1495
RHSA-2024:1496
RHSA-2024:1497
RHSA-2024:1498
RHSA-2024:1499
RHSA-2024:1500
RHSA-2024_0105
RHSA-2024_0108
RHSA-2024_1484
RHSA-2024_1485
RHSA-2024_1486
RHSA-2024_1493
RHSA-2024_1494
RHSA-2024_1498
RLSA-2024:0105
RLSA-2024:1484
RLSA-2024:1494
SUSE-RU-2024:2564-1
SUSE-RU-2024:2684-1
SUSE-SU-2024:0578-1
SUSE-SU-2024:0579-1
SUSE-SU-2024:0597-1
SUSE-SU-2024:0971-1
SUSE-SU-2024:1002-1
SUSE-SU-2024:1147-1
SUSE-SU-2024:2600-1
SUSE-SU-2024_0578-1
SUSE-SU-2024_0579-1
SUSE-SU-2024_0597-1
SUSE-SU-2024_0971-1
SUSE-SU-2024_1002-1
SUSE-SU-2024_2600-1
SUSE-SU-2025:20030-1
USN-6703-1
USN-6717-1
USN-6727-1
USN-6727-2

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Firefox
Firefox Esr
Linuxmint
Network Security Services
Red Hat
Red Os
Rocky Linux
Suse
Thunderbird
Ubuntu