Bug 1622089 – CVE-2018-12384 nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1622089 - (CVE-2018-12384) CVE-2018-12384 nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello

Summary:	CVE-2018-12384 nss: ServerHello.random is all zeros when handling a v2-compat...

Status:	NEW

Aliases:	CVE-2018-12384

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20180903,repor...
Keywords:	Security

Depends On:	1622094 1624703 1622093 1623245 1624704
Blocks:	1616615
	Show dependency tree / graph

Reported:	2018-08-24 08:33 EDT by Huzaifa S. Sidhpurwala
Modified:	2018-10-09 11:50 EDT (History)
CC List:	12 users (show)

See Also:
Fixed In Version:	nss 3.36.5, nss 3.39
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the way NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. A man-in-the-middle attacker could use this flaw in a passive replay attack.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2018:2768	None	None	None	2018-09-25 15:07 EDT
Red Hat Product Errata	RHSA-2018:2898	None	None	None	2018-10-09 11:50 EDT

Groups: None (edit)

Description Huzaifa S. Sidhpurwala 2018-08-24 08:33:29 EDT

A flaw was found with NSS library when compiled with a server application. A man-in-the-middle attacker could use this flaw in a passive replay attack.

The most severe issue for confidentiality is for stream ciphers (and AES-GCM), as the server may encrypt different data with the exact same key stream and idempotency, the server may perform same action multiple times without proper authentication

Comment 10 Huzaifa S. Sidhpurwala 2018-09-03 02:25:13 EDT

External References:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.39_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.5_release_notes

Comment 11 Huzaifa S. Sidhpurwala 2018-09-03 02:26:07 EDT

Created nss tracking bugs for this issue:

Affects: fedora-all [bug 1624704]

Comment 13 Huzaifa S. Sidhpurwala 2018-09-03 02:31:15 EDT

Acknowledgments:

Name: the Mozilla project

Comment 14 Tomas Hoger 2018-09-21 15:18:50 EDT

Upstream bug (currently non-public):

https://bugzilla.mozilla.org/show_bug.cgi?id=1483128

Upstream fix in 3.36 branch (including test):

https://hg.mozilla.org/projects/nss/rev/46f9a1f40c3d
https://hg.mozilla.org/projects/nss/rev/f182a11fbe53

It seems a different fix was used in 3.39 that disables processing of SSLv2 compatible Client Hellos:

https://hg.mozilla.org/projects/nss/rev/2ed9f6afd84e

Comment 15 Hubert Kario 2018-09-24 11:21:37 EDT

> It seems a different fix was used in 3.39 that disables processing of SSLv2 compatible Client Hellos


yes, but NSS packages distributed in Red Hat Enterprise Linux fix the issue, not disable support for SSLv2 compatible Client Hellos

Comment 16 Tomas Hoger 2018-09-25 05:16:18 EDT

Right.  The nss packages currently in Red Hat Enterprise Linux are based on upstream 3.36.  I assume we will eventually update to 3.39 or newer, so I assume we have to consider how we're going to deal with this at that time.

Comment 17 Hubert Kario 2018-09-25 06:50:57 EDT

Support for SSLv2 Client Hello protocol is technically part of API/ABI compatibility so it needs to remain in Red Hat Enterprise Linux 6 and 7.

Comment 19 Daiki Ueno 2018-09-25 06:58:14 EDT

(In reply to Tomas Hoger from comment #14)

> It seems a different fix was used in 3.39 that disables processing of SSLv2
> compatible Client Hellos:

To be clear, the fixes are actually identical in 3.36 and 3.39.  The only difference is that the latter fix was obfuscated as part of a large change:
https://hg.mozilla.org/projects/nss/rev/ee357b00f2e6#l8.272

Comment 20 Tomas Hoger 2018-09-25 08:52:01 EDT

Thank you for the correction Daiki, I had previously failed to find the matching change in 3.39.

Comment 21 errata-xmlrpc 2018-09-25 15:07:32 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2768 https://access.redhat.com/errata/RHSA-2018:2768

Comment 22 errata-xmlrpc 2018-10-09 11:50:11 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2898 https://access.redhat.com/errata/RHSA-2018:2898

Note You need to log in before you can comment on or make changes to this bug.