CVE-2015-7575

MEDIUM

Description

Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.

References

http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00038.html

http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00041.html

http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00042.html

http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00043.html

http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00044.html

http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00045.html

http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00047.html

http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00048.html

http://lists.opensuse.org/opensuse-updates/2015-12/msg00139.html

http://lists.opensuse.org/opensuse-updates/2016-01/msg00005.html

http://lists.opensuse.org/opensuse-updates/2016-01/msg00058.html

http://lists.opensuse.org/opensuse-updates/2016-01/msg00059.html

http://lists.opensuse.org/opensuse-updates/2016-02/msg00007.html

http://lists.opensuse.org/opensuse-updates/2016-02/msg00008.html

http://lists.opensuse.org/opensuse-updates/2016-02/msg00101.html

http://lists.opensuse.org/opensuse-updates/2016-02/msg00166.html

http://rhn.redhat.com/errata/RHSA-2016-0049.html

http://rhn.redhat.com/errata/RHSA-2016-0050.html

http://rhn.redhat.com/errata/RHSA-2016-0053.html

http://rhn.redhat.com/errata/RHSA-2016-0054.html

http://rhn.redhat.com/errata/RHSA-2016-0055.html

http://rhn.redhat.com/errata/RHSA-2016-0056.html

http://www.debian.org/security/2016/dsa-3436

http://www.debian.org/security/2016/dsa-3437

http://www.debian.org/security/2016/dsa-3457

http://www.debian.org/security/2016/dsa-3458

http://www.debian.org/security/2016/dsa-3465

http://www.debian.org/security/2016/dsa-3491

http://www.debian.org/security/2016/dsa-3688

http://www.mozilla.org/security/announce/2015/mfsa2015-150.html

http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html

http://www.securityfocus.com/bid/79684

http://www.securityfocus.com/bid/91787

http://www.securitytracker.com/id/1034541

http://www.securitytracker.com/id/1036467

http://www.ubuntu.com/usn/USN-2863-1

http://www.ubuntu.com/usn/USN-2864-1

http://www.ubuntu.com/usn/USN-2865-1

http://www.ubuntu.com/usn/USN-2866-1

http://www.ubuntu.com/usn/USN-2884-1

http://www.ubuntu.com/usn/USN-2904-1

https://access.redhat.com/errata/RHSA-2016:1430

https://bugzilla.mozilla.org/show_bug.cgi?id=1158489

https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.20.2_release_notes

https://security.gentoo.org/glsa/201701-46

https://security.gentoo.org/glsa/201706-18

https://security.gentoo.org/glsa/201801-15

https://security.netapp.com/advisory/ntap-20160225-0001/

Details

Source: MITRE

Published: 2016-01-09

Updated: 2018-10-30

Type: CWE-19

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3.0

Base Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 2.2

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:* versions up to 3.20.1 (inclusive)

Configuration 2

OR

cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:mozilla:firefox_esr:38.0:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox_esr:38.0.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox_esr:38.0.5:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox_esr:38.1.0:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox_esr:38.1.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox_esr:38.2.0:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox_esr:38.2.1:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox_esr:38.3.0:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox_esr:38.4.0:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox_esr:38.5.0:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox_esr:38.5.1:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* versions up to 43.0.1 (inclusive)

Tenable Plugins

View all (116 total)

IDNameProductFamilySeverity
124891EulerOS Virtualization for ARM 64 3.0.1.0 : gnutls (EulerOS-SA-2019-1388)NessusHuawei Local Security Checks
medium
700654Oracle Java SE 6 < Update 111 / 7 < Update 95 / 8 < Update 71 Multiple Vulnerabilities (January 2016 CPU) (SLOTH)Nessus Network MonitorWeb Clients
critical
119974SUSE SLES12 Security Update : java-1_6_0-ibm (SUSE-SU-2016:0428-1) (SLOTH)NessusSuSE Local Security Checks
critical
106039GLSA-201801-15 : PolarSSL: Multiple vulnerabilities (SLOTH)NessusGentoo Local Security Checks
high
104123AIX bind Advisory : nettcp_advisory2.asc (IV86116) (IV86117) (IV86118) (IV86119) (IV86120) (IV86132)NessusAIX Local Security Checks
medium
100944GLSA-201706-18 : mbed TLS: Multiple vulnerabilities (SLOTH)NessusGentoo Local Security Checks
medium
96643GLSA-201701-46 : Mozilla Network Security Service (NSS): Multiple vulnerabilities (Logjam) (SLOTH)NessusGentoo Local Security Checks
medium
94181AIX 5.3 TL 12 : nettcp (IV88960) (SLOTH)NessusAIX Local Security Checks
medium
94180AIX 5.3 TL 12 : nettcp (IV88959) (SLOTH)NessusAIX Local Security Checks
medium
94179AIX 5.3 TL 12 : nettcp (IV88957) (SLOTH) (deprecated)NessusAIX Local Security Checks
medium
94178AIX 7.1 TL 3 : nettcp (IV82412) (SLOTH)NessusAIX Local Security Checks
medium
94177AIX 7.1 TL 3 : nettcp (IV82331) (SLOTH) (deprecated)NessusAIX Local Security Checks
medium
94176AIX 7.1 TL 3 : nettcp (IV82330) (SLOTH)NessusAIX Local Security Checks
medium
94175AIX 7.1 TL 3 : nettcp (IV82328) (SLOTH)NessusAIX Local Security Checks
medium
94174AIX 7.1 TL 3 : nettcp (IV82327) (SLOTH)NessusAIX Local Security Checks
medium
94173AIX 6.1 TL 9 : nettcp (IV79072) (SLOTH)NessusAIX Local Security Checks
medium
94172AIX 6.1 TL 9 : nettcp (IV79071) (SLOTH) (deprecated)NessusAIX Local Security Checks
medium
94171AIX 6.1 TL 9 : nettcp (IV79070) (SLOTH)NessusAIX Local Security Checks
medium
94170AIX 6.1 TL 9 : nettcp (IV78625) (SLOTH)NessusAIX Local Security Checks
medium
94169AIX 6.1 TL 9 : nettcp (IV78624) (SLOTH)NessusAIX Local Security Checks
medium
93871Debian DSA-3688-1 : nss - security update (Logjam) (SLOTH)NessusDebian Local Security Checks
high
92565AIX 7.2 TL 0 : nettcp (IV86132) (SLOTH)NessusAIX Local Security Checks
medium
92564AIX 5.3 TL 12 : nettcp (IV86120) (SLOTH)NessusAIX Local Security Checks
medium
92563AIX 7.2 TL 0 : nettcp (IV86119) (SLOTH)NessusAIX Local Security Checks
medium
92562AIX 7.1 TL 4 : nettcp (IV86118) (SLOTH)NessusAIX Local Security Checks
medium
92561AIX 7.1 TL 3 : nettcp (IV86117) (SLOTH)NessusAIX Local Security Checks
medium
92560AIX 6.1 TL 9 : nettcp (IV86116) (SLOTH)NessusAIX Local Security Checks
medium
92400RHEL 5 / 6 : java-1.7.0-ibm and java-1.7.1-ibm (RHSA-2016:1430) (SLOTH)NessusRed Hat Local Security Checks
critical
91379GLSA-201605-06 : Mozilla Products: Multiple vulnerabilities (Logjam) (SLOTH)NessusGentoo Local Security Checks
critical
91154OracleVM 3.3 / 3.4 : openssl (OVMSA-2016-0049) (SLOTH)NessusOracleVM Local Security Checks
critical
89989SUSE SLES10 Security Update : java-1_6_0-ibm (SUSE-SU-2016:0776-1) (SLOTH)NessusSuSE Local Security Checks
critical
89961SUSE SLES11 Security Update : java-1_6_0-ibm (SUSE-SU-2016:0770-1) (SLOTH)NessusSuSE Local Security Checks
critical
89842Amazon Linux AMI : openssl (ALAS-2016-661) (DROWN) (SLOTH)NessusAmazon Linux Local Security Checks
critical
89776Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : thunderbird vulnerabilities (USN-2904-1) (SLOTH)NessusUbuntu Local Security Checks
critical
89657SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2016:0636-1) (SLOTH)NessusSuSE Local Security Checks
critical
89053AIX Java Advisory : java_jan2016_advisory.asc (January 2016 CPU) (SLOTH)NessusAIX Local Security Checks
critical
89021SUSE SLES11 Security Update : MozillaFirefox, MozillaFirefox-branding-SLED, MozillaFirefox-branding-SLES-for-VMware, mozilla-nss (SUSE-SU-2016:0584-1) (SLOTH)NessusSuSE Local Security Checks
critical
89018openSUSE Security Update : bouncycastle (openSUSE-2016-282) (SLOTH)NessusSuSE Local Security Checks
medium
88943Debian DSA-3491-1 : icedove - security update (SLOTH)NessusDebian Local Security Checks
critical
9076Mozilla Firefox < 43.0.2 RSA-MD5 Collision-based Forgery Weakness (SLOTH)Nessus Network MonitorWeb Clients
medium
88830openSUSE Security Update : Thunderbird (openSUSE-2016-225) (SLOTH)NessusSuSE Local Security Checks
critical
88710SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2016:0433-1) (SLOTH)NessusSuSE Local Security Checks
critical
88709SUSE SLES11 Security Update : java-1_6_0-ibm (SUSE-SU-2016:0431-1) (SLOTH)NessusSuSE Local Security Checks
critical
88703F5 Networks BIG-IP : SLOTH: TLS 1.2 handshake vulnerability (K02201365) (SLOTH)NessusF5 Networks Local Security Checks
medium
88692SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2016:0390-1) (SLOTH)NessusSuSE Local Security Checks
critical
88663Amazon Linux AMI : gnutls (ALAS-2016-651) (SLOTH)NessusAmazon Linux Local Security Checks
medium
88659Amazon Linux AMI : java-1.8.0-openjdk (ALAS-2016-647) (SLOTH)NessusAmazon Linux Local Security Checks
critical
88657Amazon Linux AMI : nss (ALAS-2016-645) (SLOTH)NessusAmazon Linux Local Security Checks
medium
88655Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2016-643) (SLOTH)NessusAmazon Linux Local Security Checks
critical
88591AIX OpenSSL Advisory : openssl_advisory16.asc (SLOTH)NessusAIX Local Security Checks
medium
88580Debian DLA-410-1 : openjdk-6 security update (SLOTH)NessusDebian Local Security Checks
critical
88568Debian DSA-3465-1 : openjdk-6 - security update (SLOTH)NessusDebian Local Security Checks
critical
88557RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2016:0101) (SLOTH)NessusRed Hat Local Security Checks
critical
88556RHEL 5 : java-1.7.0-ibm (RHSA-2016:0100) (SLOTH)NessusRed Hat Local Security Checks
critical
88555RHEL 6 / 7 : java-1.7.1-ibm (RHSA-2016:0099) (SLOTH)NessusRed Hat Local Security Checks
critical
88554RHEL 7 : java-1.8.0-ibm (RHSA-2016:0098) (SLOTH)NessusRed Hat Local Security Checks
critical
88550openSUSE Security Update : SeaMonkey (openSUSE-2016-129) (SLOTH)NessusSuSE Local Security Checks
critical
88547openSUSE Security Update : seamonkey (openSUSE-2016-126) (SLOTH)NessusSuSE Local Security Checks
critical
88541openSUSE Security Update : java-1_7_0-openjdk (openSUSE-2016-115) (SLOTH)NessusSuSE Local Security Checks
critical
88540openSUSE Security Update : Java7 (openSUSE-2016-110) (SLOTH)NessusSuSE Local Security Checks
critical
88538openSUSE Security Update : java-1_7_0-openjdk (openSUSE-2016-107) (SLOTH)NessusSuSE Local Security Checks
critical
88537openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2016-106) (SLOTH)NessusSuSE Local Security Checks
critical
88536openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2016-105) (SLOTH)NessusSuSE Local Security Checks
critical
88516Ubuntu 14.04 LTS / 15.04 / 15.10 : openjdk-7 vulnerabilities (USN-2884-1) (SLOTH)NessusUbuntu Local Security Checks
critical
88486SUSE SLED11 Security Update : java-1_7_0-openjdk (SUSE-SU-2016:0269-1) (SLOTH)NessusSuSE Local Security Checks
critical
88485SUSE SLED12 / SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2016:0265-1) (SLOTH)NessusSuSE Local Security Checks
critical
88453SUSE SLED12 / SLES12 Security Update : java-1_8_0-openjdk (SUSE-SU-2016:0256-1) (SLOTH)NessusSuSE Local Security Checks
critical
88427Debian DSA-3458-1 : openjdk-7 - security update (SLOTH)NessusDebian Local Security Checks
critical
88426Debian DSA-3457-1 : iceweasel - security update (SLOTH)NessusDebian Local Security Checks
critical
88132openSUSE Security Update : polarssl (openSUSE-2016-60) (SLOTH)NessusSuSE Local Security Checks
medium
88131openSUSE Security Update : mbedtls (openSUSE-2016-59) (SLOTH)NessusSuSE Local Security Checks
medium
88082SUSE SLED11 / SLES11 Security Update : mozilla-nss (SUSE-SU-2016:0189-1) (SLOTH)NessusSuSE Local Security Checks
medium
88080Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x i386/x86_64 (20160121) (SLOTH)NessusScientific Linux Local Security Checks
critical
88079Scientific Linux Security Update : java-1.7.0-openjdk on SL5.x, SL7.x i386/x86_64 (20160121) (SLOTH)NessusScientific Linux Local Security Checks
critical
88078Scientific Linux Security Update : java-1.8.0-openjdk on SL7.x x86_64 (20160120) (SLOTH)NessusScientific Linux Local Security Checks
critical
88075RHEL 5 / 6 / 7 : java-1.7.0-oracle (RHSA-2016:0056) (SLOTH)NessusRed Hat Local Security Checks
critical
88074RHEL 6 / 7 : java-1.8.0-oracle (RHSA-2016:0055) (SLOTH)NessusRed Hat Local Security Checks
critical
88073RHEL 5 / 7 : java-1.7.0-openjdk (RHSA-2016:0054) (SLOTH)NessusRed Hat Local Security Checks
critical
88072RHEL 6 : java-1.7.0-openjdk (RHSA-2016:0053) (SLOTH)NessusRed Hat Local Security Checks
critical
88071Oracle Linux 5 / 7 : java-1.7.0-openjdk (ELSA-2016-0054) (SLOTH)NessusOracle Linux Local Security Checks
critical
88070Oracle Linux 6 : java-1.7.0-openjdk (ELSA-2016-0053) (SLOTH)NessusOracle Linux Local Security Checks
critical
88069Oracle Linux 6 : java-1.8.0-openjdk (ELSA-2016-0050) (SLOTH)NessusOracle Linux Local Security Checks
critical
88063CentOS 5 / 7 : java-1.7.0-openjdk (CESA-2016:0054) (SLOTH)NessusCentOS Local Security Checks
critical
88062CentOS 6 : java-1.7.0-openjdk (CESA-2016:0053) (SLOTH)NessusCentOS Local Security Checks
critical
88061CentOS 6 : java-1.8.0-openjdk (CESA-2016:0050) (SLOTH)NessusCentOS Local Security Checks
critical
88060CentOS 7 : java-1.8.0-openjdk (CESA-2016:0049) (SLOTH)NessusCentOS Local Security Checks
critical
88046Oracle Java SE Multiple Vulnerabilities (January 2016 CPU) (SLOTH) (Unix)NessusMisc.
critical
88045Oracle Java SE Multiple Vulnerabilities (January 2016 CPU) (SLOTH)NessusWindows
critical
88041Oracle JRockit R28 < R28.3.9 Multiple Vulnerabilities (January 2016 CPU) (SLOTH)NessusWindows
critical
88037Scientific Linux Security Update : java-1.8.0-openjdk on SL6.x i386/x86_64 (20160120) (SLOTH)NessusScientific Linux Local Security Checks
critical
88036RHEL 6 : java-1.8.0-openjdk (RHSA-2016:0050) (SLOTH)NessusRed Hat Local Security Checks
critical
88035RHEL 7 : java-1.8.0-openjdk (RHSA-2016:0049) (SLOTH)NessusRed Hat Local Security Checks
critical
88031Oracle Linux 7 : java-1.8.0-openjdk (ELSA-2016-0049) (SLOTH)NessusOracle Linux Local Security Checks
critical
87988SUSE SLED12 / SLES12 Security Update : mozilla-nss (SUSE-SU-2016:0149-1) (SLOTH)NessusSuSE Local Security Checks
medium
87846Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : firefox vulnerability (USN-2866-1) (SLOTH)NessusUbuntu Local Security Checks
medium
87845Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : gnutls26, gnutls28 vulnerability (USN-2865-1) (SLOTH)NessusUbuntu Local Security Checks
medium
87841Scientific Linux Security Update : openssl on SL6.x, SL7.x i386/x86_64 (20160107) (SLOTH)NessusScientific Linux Local Security Checks
medium
87840Scientific Linux Security Update : nss on SL6.x, SL7.x i386/x86_64 (20160107) (SLOTH)NessusScientific Linux Local Security Checks
medium
87838Scientific Linux Security Update : gnutls on SL6.x, SL7.x i386/x86_64 (20160107) (SLOTH)NessusScientific Linux Local Security Checks
medium
87828Debian DSA-3437-1 : gnutls26 - security update (SLOTH)NessusDebian Local Security Checks
medium
87827Debian DSA-3436-1 : openssl - security update (SLOTH)NessusDebian Local Security Checks
medium
87816Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : nss vulnerability (USN-2864-1) (SLOTH)NessusUbuntu Local Security Checks
medium
87815Ubuntu 12.04 LTS : openssl vulnerability (USN-2863-1) (SLOTH)NessusUbuntu Local Security Checks
medium
87812RHEL 6 / 7 : gnutls (RHSA-2016:0012) (SLOTH)NessusRed Hat Local Security Checks
medium
87808RHEL 6 / 7 : openssl (RHSA-2016:0008) (SLOTH)NessusRed Hat Local Security Checks
medium
87807RHEL 6 / 7 : nss (RHSA-2016:0007) (SLOTH)NessusRed Hat Local Security Checks
medium
87800OracleVM 3.3 : openssl (OVMSA-2016-0001) (SLOTH)NessusOracleVM Local Security Checks
medium
87799Oracle Linux 6 / 7 : gnutls (ELSA-2016-0012) (SLOTH)NessusOracle Linux Local Security Checks
medium
87795Oracle Linux 6 / 7 : openssl (ELSA-2016-0008) (SLOTH)NessusOracle Linux Local Security Checks
medium
87794Oracle Linux 6 / 7 : nss (ELSA-2016-0007) (SLOTH)NessusOracle Linux Local Security Checks
medium
87785CentOS 6 / 7 : gnutls (CESA-2016:0012) (SLOTH)NessusCentOS Local Security Checks
medium
87781CentOS 6 / 7 : openssl (CESA-2016:0008) (SLOTH)NessusCentOS Local Security Checks
medium
87780CentOS 6 / 7 : nss (CESA-2016:0007) (SLOTH)NessusCentOS Local Security Checks
medium
87719openSUSE Security Update : MozillaFirefox (openSUSE-2016-6) (SLOTH)NessusSuSE Local Security Checks
medium
87717openSUSE Security Update : mozilla-nss (openSUSE-2015-978) (SLOTH)NessusSuSE Local Security Checks
medium
87609FreeBSD : NSS -- MD5 downgrade in TLS 1.2 signatures (10f7bc76-0335-4a88-b391-0b05b3a8ce1c) (SLOTH)NessusFreeBSD Local Security Checks
medium