CVE-2020-12402

medium
Description

During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes. *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78.

References

https://www.mozilla.org/security/advisories/mfsa2020-24/

https://bugzilla.mozilla.org/show_bug.cgi?id=1631597

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00016.html

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00018.html

https://usn.ubuntu.com/4417-1/

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00027.html

https://www.debian.org/security/2020/dsa-4726

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UWVDJRARXNWWWTCGMM63EXLQHH2LNOXO/

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00049.html

https://security.gentoo.org/glsa/202007-10

https://usn.ubuntu.com/4417-2/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RFL6UNFK4MG2WDXLMLFAEIUSM5EUK7CG/

https://lists.debian.org/debian-lts-announce/2020/09/msg00029.html

Details

Source: MITRE

Published: 2020-07-09

Updated: 2021-07-21

Type: CWE-327

Risk Information

CVSS v2

Base Score: 1.2

Vector: AV:L/AC:H/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 1.9

Severity: LOW

CVSS v3

Base Score: 4.4

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 0.8

Severity: MEDIUM

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 151520 | Amazon Linux AMI : nspr, nss-softokn, nss-util (ALAS-2021-1522) | Nessus | Amazon Linux Local Security Checks | critical |
| 150683 | SUSE SLES11 Security Update : MozillaFirefox (SUSE-SU-2020:14421-1) | Nessus | SuSE Local Security Checks | high |
| 150659 | SUSE SLES11 Security Update : mozilla-nspr, mozilla-nss (SUSE-SU-2020:14418-1) | Nessus | SuSE Local Security Checks | critical |
| 150225 | EulerOS 2.0 SP9 : nss (EulerOS-SA-2021-1931) | Nessus | Huawei Local Security Checks | medium |
| 150202 | EulerOS 2.0 SP9 : nss (EulerOS-SA-2021-1952) | Nessus | Huawei Local Security Checks | medium |
| 148628 | EulerOS Virtualization 2.9.1 : nss (EulerOS-SA-2021-1717) | Nessus | Huawei Local Security Checks | medium |
| 148627 | EulerOS Virtualization 2.9.0 : nss (EulerOS-SA-2021-1744) | Nessus | Huawei Local Security Checks | medium |
| 147361 | NewStart CGSL CORE 5.04 / MAIN 5.04 : nss Multiple Vulnerabilities (NS-SA-2021-0019) | Nessus | NewStart CGSL Local Security Checks | critical |
| 147281 | NewStart CGSL MAIN 6.02 : nss Multiple Vulnerabilities (NS-SA-2021-0053) | Nessus | NewStart CGSL Local Security Checks | critical |
| 147038 | EulerOS Virtualization for ARM 64 3.0.6.0 : nss-softokn (EulerOS-SA-2021-1536) | Nessus | Huawei Local Security Checks | critical |
| 145878 | CentOS 8 : nss and nspr (CESA-2020:3280) | Nessus | CentOS Local Security Checks | critical |
| 145774 | EulerOS 2.0 SP8 : nss-softokn (EulerOS-SA-2021-1155) | Nessus | Huawei Local Security Checks | critical |
| 142720 | Amazon Linux 2 : nspr (ALAS-2020-1559) | Nessus | Amazon Linux Local Security Checks | critical |
| 142600 | CentOS 7 : nss and nspr (CESA-2020:4076) | Nessus | CentOS Local Security Checks | critical |
| 141689 | Scientific Linux Security Update : nss and nspr on SL7.x x86_64 (20201001) | Nessus | Scientific Linux Local Security Checks | critical |
| 141312 | Oracle Linux 7 : nss / and / nspr (ELSA-2020-4076) | Nessus | Oracle Linux Local Security Checks | critical |
| 141062 | Debian DLA-2388-1 : nss security update | Nessus | Debian Local Security Checks | critical |
| 141059 | RHEL 7 : nss and nspr (RHSA-2020:4076) | Nessus | Red Hat Local Security Checks | critical |
| 139397 | Oracle Linux 8 : nspr / nss (ELSA-2020-3280) | Nessus | Oracle Linux Local Security Checks | high |
| 139293 | RHEL 8 : nss and nspr (RHSA-2020:3280) | Nessus | Red Hat Local Security Checks | critical |
| 139256 | Fedora 31 : nspr / nss (2020-16741ac7ff) | Nessus | Fedora Local Security Checks | medium |
| 138933 | GLSA-202007-10 : Mozilla Firefox: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high |
| 138786 | openSUSE Security Update : MozillaFirefox (openSUSE-2020-1017) | Nessus | SuSE Local Security Checks | high |
| 138747 | openSUSE Security Update : MozillaFirefox (openSUSE-2020-983) | Nessus | SuSE Local Security Checks | high |
| 138736 | openSUSE Security Update : mozilla-nss (openSUSE-2020-955) | Nessus | SuSE Local Security Checks | medium |
| 138734 | openSUSE Security Update : mozilla-nss (openSUSE-2020-953) | Nessus | SuSE Local Security Checks | medium |
| 138653 | Fedora 32 : nspr / nss (2020-3ef1937475) | Nessus | Fedora Local Security Checks | medium |
| 138646 | Debian DSA-4726-1 : nss - security update | Nessus | Debian Local Security Checks | critical |
| 138589 | Mozilla Thunderbird < 78.0 | Nessus | Windows | high |
| 138588 | Mozilla Thunderbird < 78.0 | Nessus | MacOS X Local Security Checks | high |
| 138494 | SUSE SLES12 Security Update : MozillaFirefox (SUSE-SU-2020:1899-1) | Nessus | SuSE Local Security Checks | high |
| 138493 | SUSE SLED15 / SLES15 Security Update : MozillaFirefox (SUSE-SU-2020:1898-1) | Nessus | SuSE Local Security Checks | high |
| 138317 | SUSE SLED15 / SLES15 Security Update : mozilla-nss (SUSE-SU-2020:1850-1) | Nessus | SuSE Local Security Checks | medium |
| 138314 | SUSE SLES12 Security Update : mozilla-nspr, mozilla-nss (SUSE-SU-2020:1839-1) | Nessus | SuSE Local Security Checks | critical |
| 138167 | Ubuntu 16.04 LTS / 18.04 LTS / 19.10 / 20.04 : NSS vulnerability (USN-4417-1) | Nessus | Ubuntu Local Security Checks | medium |
| 138085 | Mozilla Firefox < 78.0 | Nessus | Windows | high |
| 138084 | Mozilla Firefox < 78.0 | Nessus | MacOS X Local Security Checks | high |
| 137909 | Debian DLA-2266-1 : nss security update | Nessus | Debian Local Security Checks | medium |