A vulnerability exists in the Netscape Network Security Services (NSS) library suite that may result in remote compromise of products making use of this library for Secure Sockets Layer (SSL) communication. Netscape Enterprise Server and Sun One are widely used commercial web server platforms that make use of the NSS library. There is a security flaw in the NSS library that can result in arbitrary code execution on vulnerable systems during SSLv2 connection negotiation.
Credit:
The information has been provided by Mark Dowd.
The original article can be found at: http://xforce.iss.net/xforce/alerts/id/180
Affected Products:
* Netscape Network Security Services (NSS) Library - All known versions
The NSS library is used by the following products to provide SSL functionality:
* Netscape - Enterprise Server (NES) - All known versions
* Netscape - Personalization Engine (NPE) - All known versions
* Netscape - Directory Server (NDS) - All known versions
* Netscape - Certificate Management Server (CMS) - All known versions
* Sun - Sun One/iPlanet - All known versions
* Any application or product that integrates the NSS library suite and which implements SSLv2 ciphers
Impact:
If the SSLv2 protocol is enabled on vulnerable servers, a remote unauthenticated attacker may trigger a buffer overflow condition and execute arbitrary code. This has the potential to result in complete compromise of the target server, and exposure of any information held therein. In addition, SSL is often used to secure sensitive or valuable communications, making this a high-value target for attackers.
Description:
The NSS library is predominantly used by Netscape Enterprise Server (NES) and Sun One / Sun Java System Web Server. These web platforms are widely used in high-traffic environments to serve web content. Secure Sockets Layer (SSL) is an industry-standard method for encrypting sensitive traffic and is widely used to secure web communications.
The NSS library is a shared component used by many different products, and is publicly available as an open-source component from the Mozilla Foundation. Although Netscape Enterprise Server and Sun One are the most likely targets for attack, due to the open-source nature of the component there may be additional affected products that are not listed above.
The NSS library contains a flaw in SSLv2 record parsing that may lead to remote compromise. When parsing the first record in an SSLv2 negotiation, the client hello message, the server fails to validate the length of a record field. As a result, an attacker can trigger a heap-based overflow of arbitrary length. The SSLv2 protocol is disabled by default in Netscape Enterprise Server and Sun One; however, it is believed to be common practice to enable this protocol, and a significant percentage of the install base is likely affected. Successful exploitation of this vulnerability grants an attacker the privilege level at which the web server is running. On Windows platforms this will likely be system-wide privileges, while on other platforms it may be restricted to a non-root account.
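The kind of length validation the advisory says was missing from SSLv2 client hello parsing, as an added example that is not NSS's own code: the parser below checks every attacker-supplied length field against the record before touching any data. It assumes the CLIENT-HELLO layout from the SSL 2.0 specification; the two sample records are constructed here for the self-check.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not NSS code: a bounds-checked parser for the SSLv2
 * CLIENT-HELLO record (field layout from the SSL 2.0 specification). */
#define SSL2_MT_CLIENT_HELLO 1
#define SSL2_HELLO_HDR_LEN   9   /* type(1) version(2) three lengths(2 each) */

typedef struct {
    uint16_t version, cipher_specs_len, session_id_len, challenge_len;
    const uint8_t *cipher_specs, *session_id, *challenge;
} ssl2_client_hello;

/* buf/len hold one complete SSLv2 record (2-byte header, high bit set).
 * Returns 0 for a well-formed hello, -1 for anything that must be rejected. */
int parse_ssl2_client_hello(const uint8_t *buf, size_t len, ssl2_client_hello *h)
{
    size_t rec_len, declared;
    if (len < 2 || !(buf[0] & 0x80)) return -1;
    rec_len = ((size_t)(buf[0] & 0x7f) << 8) | buf[1];
    if (rec_len != len - 2) return -1;              /* record must fit the buffer */
    buf += 2;
    if (rec_len < SSL2_HELLO_HDR_LEN || buf[0] != SSL2_MT_CLIENT_HELLO) return -1;
    h->version          = (uint16_t)(buf[1] << 8 | buf[2]);
    h->cipher_specs_len = (uint16_t)(buf[3] << 8 | buf[4]);
    h->session_id_len   = (uint16_t)(buf[5] << 8 | buf[6]);
    h->challenge_len    = (uint16_t)(buf[7] << 8 | buf[8]);
    /* The three declared lengths are attacker-controlled: they must account for
     * exactly the bytes left in the record before any copy is made. Each is at
     * most 0xffff, so the sum cannot wrap. */
    declared = (size_t)h->cipher_specs_len + h->session_id_len + h->challenge_len;
    if (declared != rec_len - SSL2_HELLO_HDR_LEN) return -1;
    if (h->cipher_specs_len == 0 || h->cipher_specs_len % 3) return -1; /* 3-byte specs */
    if (h->session_id_len && h->session_id_len != 16) return -1;       /* spec: 0 or 16 */
    if (h->challenge_len < 16 || h->challenge_len > 32) return -1;     /* spec: 16..32 */
    h->cipher_specs = buf + SSL2_HELLO_HDR_LEN;
    h->session_id   = h->cipher_specs + h->cipher_specs_len;
    h->challenge    = h->session_id + h->session_id_len;
    return 0;
}

/* Constructed sample: one cipher spec, no session id, 16-byte challenge. */
static const uint8_t good_hello[] = {
    0x80, 0x1c, 0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x00, 0x00, 0x10,
    0x01, 0x00, 0x80, 'c','h','a','l','l','e','n','g','e','0','1','2','3','4','5','6' };

int check_good_hello(void) { ssl2_client_hello h; return parse_ssl2_client_hello(good_hello, sizeof good_hello, &h); }

int check_length_lie(void) {  /* same record, cipher_specs_len forged to 0x2000: rejected */
    uint8_t bad[sizeof good_hello]; ssl2_client_hello h;
    memcpy(bad, good_hello, sizeof bad); bad[5] = 0x20; bad[6] = 0x00;
    return parse_ssl2_client_hello(bad, sizeof bad, &h);
}
```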
Additional Recommendations:
For manual protection, a vendor-supplied update for the NSS library is available for download from the Mozilla ftp site:
ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_9_2_RTM
In addition, it is possible to mitigate risk associated with this vulnerability by disabling SSLv2 and all associated SSLv2 ciphers:
For Netscape Enterprise, to disable SSL 2 via the admin server:
1. Log into admin
2. Select the instance you want (or stay in and configure the admin server)
3. Select the Preferences tab
4. For the listen socket that has SSL enabled, select Attributes
5. Under Ciphers select SSL2
6. Uncheck "SSL version 2". One may also disable all of the SSL 2 ciphers here.
7. Click Ok, then Quit to close the window
8. Click Apply in upper-right of browser
9. Click Apply Changes and restart the server
10. Enter your SSL password when prompted
Additional Information:
Workaround information for product suites other than Netscape Enterprise Server is available from the appropriate vendor advisory.