CVE-2013-1740

medium

Description

The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.

References

http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.html

http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00005.html

http://seclists.org/fulldisclosure/2014/Dec/23

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

http://www.securityfocus.com/archive/1/534161/100/0/threaded

http://www.securityfocus.com/bid/64944

http://www.ubuntu.com/usn/USN-2088-1

http://www.vmware.com/security/advisories/VMSA-2014-0012.html

https://bugs.gentoo.org/show_bug.cgi?id=498172

https://bugzilla.mozilla.org/show_bug.cgi?id=919877

https://bugzilla.redhat.com/show_bug.cgi?id=1053725

https://developer.mozilla.org/docs/NSS/NSS_3.15.4_release_notes

https://exchange.xforce.ibmcloud.com/vulnerabilities/90394

Details

Source: MITRE

Published: 2014-01-18

Updated: 2018-10-09

Type: CWE-310

Risk Information

CVSS v2

Base Score: 5.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:mozilla:network_security_services:3.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.2.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.3.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.3.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.4.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.4.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.6:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.6.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.7:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.7.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.7.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.7.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.7.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.7.7:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.8:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.9:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.11.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.11.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.11.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.11.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.3.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.3.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.6:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.7:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.8:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.9:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.10:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.12.11:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.14:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.14.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.14.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.14.3:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.14.4:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.14.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.15:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.15.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:3.15.2:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:* versions up to 3.15.3 (inclusive)

Tenable Plugins


| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 127200 | NewStart CGSL CORE 5.04 / MAIN 5.04 : nss Multiple Vulnerabilities (NS-SA-2019-0033) | Nessus | NewStart CGSL Local Security Checks | high |
| 91202 | F5 Networks BIG-IP : Multiple Mozilla NSS vulnerabilities (K16716) | Nessus | F5 Networks Local Security Checks | critical |
| 78774 | Oracle OpenSSO Agent Multiple Vulnerabilities (October 2014 CPU) | Nessus | CGI abuses | high |
| 78541 | Oracle WebLogic Server Multiple Vulnerabilities (October 2014 CPU) | Nessus | Misc. | high |
| 77993 | CentOS 5 : nss (CESA-2014:1246) | Nessus | CentOS Local Security Checks | critical |
| 77955 | Scientific Linux Security Update : nss and nspr on SL5.x i386/x86_64 (20140916) | Nessus | Scientific Linux Local Security Checks | critical |
| 77739 | Oracle Linux 5 : nspr / nss (ELSA-2014-1246) | Nessus | Oracle Linux Local Security Checks | critical |
| 77699 | RHEL 5 : nss and nspr (RHSA-2014:1246) | Nessus | Red Hat Local Security Checks | critical |
| 76938 | Oracle Traffic Director Multiple Vulnerabilities (July 2014 CPU) | Nessus | Misc. | high |
| 76702 | Scientific Linux Security Update : nss and nspr on SL6.x i386/x86_64 (20140722) | Nessus | Scientific Linux Local Security Checks | critical |
| 76698 | RHEL 6 : nss and nspr (RHSA-2014:0917) | Nessus | Red Hat Local Security Checks | critical |
| 76694 | Oracle Linux 6 : nspr / nss (ELSA-2014-0917) | Nessus | Oracle Linux Local Security Checks | critical |
| 76686 | CentOS 6 : nspr / nss / nss-util (CESA-2014:0917) | Nessus | CentOS Local Security Checks | critical |
| 76593 | Oracle iPlanet Web Server 7.0.x < 7.0.20 Multiple Vulnerabilities | Nessus | Web Servers | high |
| 76592 | Oracle iPlanet Web Proxy Server 4.0 < 4.0.24 Multiple Vulnerabilities | Nessus | Windows | high |
| 76591 | Oracle GlassFish Server Multiple Vulnerabilities (July 2014 CPU) | Nessus | Web Servers | high |
| 75253 | openSUSE Security Update : firefox / seamonkey / thunderbird (openSUSE-SU-2014:0212-1) | Nessus | SuSE Local Security Checks | critical |
| 72269 | Fedora 19 : nss-3.15.4-1.fc19 / nss-softokn-3.15.4-1.fc19 / nss-util-3.15.4-1.fc19 (2014-1100) | Nessus | Fedora Local Security Checks | medium |
| 72188 | Slackware 14.0 / 14.1 / current : mozilla-nss (SSA:2014-028-02) | Nessus | Slackware Local Security Checks | medium |
| 72116 | Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : nss vulnerability (USN-2088-1) | Nessus | Ubuntu Local Security Checks | medium |
| 72056 | Mandriva Linux Security Advisory : nss (MDVSA-2014:012) | Nessus | Mandriva Local Security Checks | medium |
| 72050 | Fedora 20 : nss-3.15.4-1.fc20 / nss-softokn-3.15.4-1.fc20 / nss-util-3.15.4-1.fc20 (2014-1120) | Nessus | Fedora Local Security Checks | medium |