Vulnerability detected in Mozilla NSS.


Vulnerability detected in Mozilla NSS.

Rao, Pankaj
Hi All,

We are using Mozilla NSS within our product. While scanning our product with OWASP, we found vulnerabilities in Mozilla NSS.


  *   CVE-2017-10989 - CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.


  *   CVE-2015-3717 - CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple buffer overflows in the printf functionality in SQLite, as used in Apple iOS before 8.4 and OS X before 10.10.4, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.

Both of these vulnerabilities are in the sqlite DLL, which gets compiled with the Mozilla NSS source code.

We had downloaded the most recent version of NSS source code that gets built successfully on Visual Studio 2010 (3.27) and found the vulnerability is still present.

Please let us know when these vulnerabilities will get addressed.

Thanks and Regards,
Pankaj Rao
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security

Re: Vulnerability detected in Mozilla NSS.

Franziskus Kiefer
Hi Pankaj,

thanks for pointing out the vulnerabilities in the version of sqlite in the
NSS source tree.
We'll look into updating the sqlite copy in NSS.
But note that the sqlite code in the NSS source tree is meant for
development not production. Release builds of NSS should be built with
--system-sqlite (when building with gyp) or NSS_USE_SYSTEM_SQLITE=1 (when
building with make) to use the system sqlite library, which hopefully gets
updated regularly.

Cheers,
Franziskus

On Tue, Dec 12, 2017 at 6:20 AM, Rao, Pankaj <[hidden email]> wrote:

> Hi All,
>
> We are using Mozilla NSS within our product. While scanning our product
> with OWASP, we found vulnerabilities in Mozilla NSS.
>
>
>   *   CVE-2017-10989 - CWE: CWE-119 Improper Restriction of Operations
> within the Bounds of a Memory Buffer
> The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as
> used in GDAL and other products, mishandles undersized RTree blobs in a
> crafted database, leading to a heap-based buffer over-read or possibly
> unspecified other impact.
>
>
>   *   CVE-2015-3717 - CWE: CWE-119 Improper Restriction of Operations
> within the Bounds of a Memory Buffer
> Multiple buffer overflows in the printf functionality in SQLite, as used
> in Apple iOS before 8.4 and OS X before 10.10.4, allow remote attackers to
> execute arbitrary code or cause a denial of service (application crash) via
> unspecified vectors.
>
> Both of these vulnerabilities are in the sqlite DLL, which gets compiled with
> the Mozilla NSS source code.
>
> We had downloaded the most recent version of NSS source code that gets
> built successfully on Visual Studio 2010 (3.27) and found the vulnerability
> is still present.
>
> Please let us know when these vulnerabilities will get addressed.
>
> Thanks and Regards,
> Pankaj Rao

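An added example (not NSS project code) of a release check built on the reply above: it reads `SQLITE_VERSION` from any bundled `sqlite3.h`, compares it with the "through 3.19.3" range quoted for CVE-2017-10989, and passes only if one of the two system-sqlite switches is on the build command line or the bundled copy is newer. The tree layout, the sample version and the build commands are constructed; the thread gives no SQLite version range for CVE-2015-3717, so that one is not checked.

```python
import re
import shlex
import tempfile
from pathlib import Path

# "SQLite through 3.19.3" is the affected range quoted for CVE-2017-10989.
LAST_AFFECTED = (3, 19, 3)
# The two switches named in the reply; assumed to appear on the build command line.
SYSTEM_SQLITE_SWITCHES = {"--system-sqlite", "NSS_USE_SYSTEM_SQLITE=1"}
VERSION_RE = re.compile(r'^\s*#\s*define\s+SQLITE_VERSION\s+"(\d+(?:\.\d+)+)"', re.M)


def bundled_versions(root):
    """Yield (relative path, version tuple or None) for each sqlite3.h under root."""
    for header in sorted(Path(root).rglob("sqlite3.h")):
        m = VERSION_RE.search(header.read_text(errors="replace"))
        version = tuple(int(p) for p in m.group(1).split(".")) if m else None
        yield header.relative_to(root).as_posix(), version


def release_gate(root, build_cmd):
    """Return a list of problems; an empty list means the bundled copy is no blocker."""
    if SYSTEM_SQLITE_SWITCHES & set(shlex.split(build_cmd)):
        return []  # build links the system library; its patch level is the OS's job
    problems = []
    for path, version in bundled_versions(root):
        if version is None:
            problems.append(f"{path}: SQLITE_VERSION not found, cannot assess")
        elif version[:3] <= LAST_AFFECTED:  # 3.8.10.2 compares as 3.8.10
            shown = ".".join(map(str, version))
            problems.append(f"{path}: bundled SQLite {shown} is in the affected range")
    return problems


def make_sample_tree(version):
    """Build a constructed source tree with one bundled sqlite3.h (sample data)."""
    root = Path(tempfile.mkdtemp())
    header = root / "vendor" / "sqlite" / "sqlite3.h"  # hypothetical layout
    header.parent.mkdir(parents=True)
    header.write_text(f'#define SQLITE_VERSION        "{version}"\n')
    return root


if __name__ == "__main__":
    tree = make_sample_tree("3.10.2")  # constructed version number
    for cmd in ("make nss_build_all", "make nss_build_all NSS_USE_SYSTEM_SQLITE=1"):
        print(cmd, "->", release_gate(tree, cmd) or "ok")
```

A version string is only a first-pass signal: a distribution may backport a fix without changing `SQLITE_VERSION`, so a system library still needs its own advisory check.
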
RE: Vulnerability detected in Mozilla NSS.

Rao, Pankaj
Thanks Franziskus for the quick response.
Also please note that we are unable to build the latest versions of NSS on Visual Studio 2010.
Is it the case that the latest version's makefiles are compatible with Visual Studio 2015?

Thanks,
Pankaj Rao



Re: Vulnerability detected in Mozilla NSS.

Franziskus Kiefer
I think Visual Studio 2015 is the oldest version supported to build NSS. I
would recommend using VS 2015 or VS 2017 to build NSS.

Cheers

On Tue, Dec 12, 2017 at 11:08 PM, Rao, Pankaj <[hidden email]> wrote:

> Thanks Franziskus for the quick response.
>
> Also please note that we are unable to build the latest versions of NSS on
> Visual Studio 2010.
>
> Is it the case that the latest version's makefiles are compatible with
> Visual Studio 2015?
>
> Thanks,
> Pankaj Rao

RE: Vulnerability detected in Mozilla NSS.

Rao, Pankaj
In that case, can we backport the vulnerability fix to a previous version of the NSS source code (3.27/3.28) so that it gets compiled with VS 2010?

Thanks and Regards,
Pankaj Rao


RE: Vulnerability detected in Mozilla NSS.

Rao, Pankaj
In reply to this post by Franziskus Kiefer
Hi Franziskus,
Could you please let us know whether the below mentioned vulnerabilities are addressed in NSS code?
Thanks,
Pankaj



On Tue, Dec 12, 2017 at 6:20 AM, Rao, Pankaj <[hidden email]> wrote:
Hi All,

We are using Mozilla NSS within our product. While scanning our product with OWASP, we found vulnerabilities in Mozilla NSS.


  *   CVE-2017-10989 - CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.


  *   CVE-2015-3717 - CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple buffer overflows in the printf functionality in SQLite, as used in Apple iOS before 8.4 and OS X before 10.10.4, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.

Both of these vulnerabilities are in the sqlite DLL, which gets compiled with the Mozilla NSS source code.

We had downloaded the most recent version of NSS source code that gets built successfully on Visual Studio 2010 (3.27) and found the vulnerability is still present.

Please let us know when these vulnerabilities will get addressed.

Thanks and Regards,
Pankaj Rao

RE: Vulnerability detected in Mozilla NSS.

Khandelwal, Kushal
Hello Mozilla Team

We are using Mozilla NSS in our product for TLS 1.2 implementation. Recently our clients have enquired about vulnerability VU#144389 with the following description:

Summary: TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding

Link to vulnerability details:
https://www.kb.cert.org/vuls/id/144389


Is Mozilla code affected by this vulnerability?

Thanks
Kushal


Re: Vulnerability detected in Mozilla NSS.

Frederik Braun
I can't speak for the NSS team, but your link points to the ROBOT
attack (https://robotattack.org/).
Looking at their website and documents, it doesn't seem like they found
any issues with NSS.

On 09.01.2018 12:56, Khandelwal, Kushal wrote:

> Hello Mozilla Team
>
> We are using Mozilla NSS in our product for TLS 1.2 implementation. Recently our clients have enquired about vulnerability VU#144389 with following description:
>
> Summary: TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding
>
> Link to vulnerability details:
> https://www.kb.cert.org/vuls/id/144389
>
>
> Is Mozilla code affected with this vulnerability?
>
> Thanks
> Kushal