Bug 1060953 (CVE-2014-1490)

Summary: CVE-2014-1490 nss: TOCTOU, potential use-after-free in libssl's session ticket processing (MFSA 2014-12)
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: emaldona, jkurik, jrusnack, pfrields, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nss 3.15.4 Doc Type: Bug Fix
Doc Text:
A race condition was found in the way NSS implemented session ticket handling as specified by RFC 5077. An attacker could use this flaw to crash an application using NSS or, in rare cases, execute arbitrary code with the privileges of the user running that application.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-18 03:04:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1101846, 1113849, 1113853    
Bug Blocks: 1054104, 1063682    

Description Huzaifa S. Sidhpurwala 2014-02-04 02:19:43 UTC 
As per: http://tools.ietf.org/html/rfc5077#section-3.3:

"The client MUST NOT treat the ticket as valid until it has verified the server's Finished message."

This bug affects the case illustrated in figure 2 of RFC 5077, "Message Flow for Abbreviated Handshake Using New Session Ticket," where a NewSessionTicket message is sent during a session resumption, replacing the session ticket for a session already stored in the cache. That session may already be in use by other connections.

It appear there are race conditions (TOCTOU, potentially use-after-free) to lack of locking around reads and updates of the sessionTicket field of sslSessionIDStr. For example, these races can happen when thread A is trying to resume a session concurrently with thread B that has already started resuming session that same session, and where thread B has received a NewSessionTicket extension that will cause it to update the sessionTicket field of the sid that thread A is trying to read. This may cause a use-after-free when ssl3_SetSIDSessionTicket calls SECITEM_FreeItem to free the session ticket data when ssl3_SendSessionTicketXtn is trying to read it. There are probably other similar problems.


Acknowledgements:

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Brian Smith as the original reporter of this issue.
Comment 1 Vincent Danen 2014-02-04 18:13:56 UTC 
External References:

http://www.mozilla.org/security/announce/2014/mfsa2014-12.html
Comment 4 Tomas Hoger 2014-02-05 09:14:25 UTC 
Upstream advisory MFSA 2014-12 (see comment 1) links the following upstream bug as related to this CVE:

https://bugzilla.mozilla.org/show_bug.cgi?id=930874

Upstream bug is currently private, however, the following nss upstream commit references the above upstream bug:

http://hg.mozilla.org/projects/nss/rev/f6047eb1d0b8
Comment 5 Huzaifa S. Sidhpurwala 2014-03-10 09:18:33 UTC 
The upstream bug mentioned in comment #4 is public now.

This issue has been resolved in nss-3.15.4.

Fedora 19 and Fedora 20 currently ship nss-3.15.5 and therefore is not vulnerable to this issue.
Comment 6 Huzaifa S. Sidhpurwala 2014-03-10 09:23:49 UTC 
Statement:

(none)
Comment 11 errata-xmlrpc 2014-07-22 18:00:26 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0917 https://rhn.redhat.com/errata/RHSA-2014-0917.html
Comment 12 Martin Prpič 2014-07-28 11:37:04 UTC 
IssueDescription:

A race condition was found in the way NSS implemented session ticket handling as specified by RFC 5077. An attacker could use this flaw to crash an application using NSS or, in rare cases, execute arbitrary code with the privileges of the user running that application.
Comment 14 errata-xmlrpc 2014-09-16 05:39:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1246 https://rhn.redhat.com/errata/RHSA-2014-1246.html