lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <R8hUelh01uEjRhmJYA2V9WCtwHLh3EscgGPKn63fV5E1CEFyOAsd_jnWO2eUVKuLkIqjB79K7wJqlVd-0kXbNmPS8aqrW4WojyJryyqAvkc=@protonmail.ch>
Date: Wed, 09 Aug 2017 15:56:22 -0400
From: geeknik via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Multiple unpatched flaws exist in NSS (CVE-2017-11695,
	CVE-2017-11696, CVE-2017-11697, CVE-2017-11698)

Good afternoon. Multiple flaws in NSS were reported to Mozilla on or around 28 April 2017 and as of this notification have not been resolved and as such, I am disclosing them to the public so that anyone making use of NSS is aware that these exist. Please note that as I send this, the bugs remain hidden on the Mozilla Bugzilla tracker.

What is NSS? Network Security Services (NSS) comprises a set of libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME.

All of the following flaws were triggered with changeset 13315:769f9ae07b10 in Mozilla's Mercurial repository (https://hg.mozilla.org/projects/nss) and can all be triggered using the NSS tool `certutil` and malformed `cert8.db` files which I have uploaded to https://github.com/geeknik/cve-fuzzing-poc.

CVE-2017-11695: heap-buffer-overflow (write of size 8) in alloc_segs (lib/dbm/src/hash.c:1105)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360782

CVE-2017-11696: heap-buffer-overflow (write of size 65544) in __hash_open (lib/dbm/src/hash.c:241)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360778

CVE-2017-11697: Floating Point Exception in __hash_open (hash.c:229)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360900

CVE-2017-11698: heap-buffer-overflow (write of size 2) in __get_page (lib/dbm/src/h_page.c:704)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360779

These flaws were discovered by Brian Carpenter of Geeknik Labs (http://www.geeknik.net) using the American Fuzzy Lop tool.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ