Bug 1060953 (CVE-2014-1490) - CVE-2014-1490 nss: TOCTOU, potential use-after-free in libssl's session ticket processing (MFSA 2014-12)
Summary: CVE-2014-1490 nss: TOCTOU, potential use-after-free in libssl's session ticke...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-1490
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1101846 1113849 1113853
Blocks: 1054104 1063682
TreeView+ depends on / blocked
 
Reported: 2014-02-04 02:19 UTC by Huzaifa S. Sidhpurwala
Modified: 2019-09-29 13:13 UTC (History)
5 users (show)

Fixed In Version: nss 3.15.4
Doc Type: Bug Fix
Doc Text:
A race condition was found in the way NSS implemented session ticket handling as specified by RFC 5077. An attacker could use this flaw to crash an application using NSS or, in rare cases, execute arbitrary code with the privileges of the user running that application.
Clone Of:
Environment:
Last Closed: 2014-09-18 03:04:47 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0917 normal SHIPPED_LIVE Critical: nss and nspr security, bug fix, and enhancement update 2014-07-22 21:59:48 UTC
Red Hat Product Errata RHSA-2014:1246 normal SHIPPED_LIVE Moderate: nss and nspr security, bug fix, and enhancement update 2014-09-16 09:39:01 UTC

Description Huzaifa S. Sidhpurwala 2014-02-04 02:19:43 UTC
As per: http://tools.ietf.org/html/rfc5077#section-3.3:

"The client MUST NOT treat the ticket as valid until it has verified the server's Finished message."

This bug affects the case illustrated in figure 2 of RFC 5077, "Message Flow for Abbreviated Handshake Using New Session Ticket," where a NewSessionTicket message is sent during a session resumption, replacing the session ticket for a session already stored in the cache. That session may already be in use by other connections.

It appear there are race conditions (TOCTOU, potentially use-after-free) to lack of locking around reads and updates of the sessionTicket field of sslSessionIDStr. For example, these races can happen when thread A is trying to resume a session concurrently with thread B that has already started resuming session that same session, and where thread B has received a NewSessionTicket extension that will cause it to update the sessionTicket field of the sid that thread A is trying to read. This may cause a use-after-free when ssl3_SetSIDSessionTicket calls SECITEM_FreeItem to free the session ticket data when ssl3_SendSessionTicketXtn is trying to read it. There are probably other similar problems.


Acknowledgements:

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Brian Smith as the original reporter of this issue.

Comment 1 Vincent Danen 2014-02-04 18:13:56 UTC
External References:

http://www.mozilla.org/security/announce/2014/mfsa2014-12.html

Comment 4 Tomas Hoger 2014-02-05 09:14:25 UTC
Upstream advisory MFSA 2014-12 (see comment 1) links the following upstream bug as related to this CVE:

https://bugzilla.mozilla.org/show_bug.cgi?id=930874

Upstream bug is currently private, however, the following nss upstream commit references the above upstream bug:

http://hg.mozilla.org/projects/nss/rev/f6047eb1d0b8

Comment 5 Huzaifa S. Sidhpurwala 2014-03-10 09:18:33 UTC
The upstream bug mentioned in comment #4 is public now.

This issue has been resolved in nss-3.15.4.

Fedora 19 and Fedora 20 currently ship nss-3.15.5 and therefore is not vulnerable to this issue.

Comment 6 Huzaifa S. Sidhpurwala 2014-03-10 09:23:49 UTC
Statement:

(none)

Comment 11 errata-xmlrpc 2014-07-22 18:00:26 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0917 https://rhn.redhat.com/errata/RHSA-2014-0917.html

Comment 12 Martin Prpič 2014-07-28 11:37:04 UTC
IssueDescription:

A race condition was found in the way NSS implemented session ticket handling as specified by RFC 5077. An attacker could use this flaw to crash an application using NSS or, in rare cases, execute arbitrary code with the privileges of the user running that application.

Comment 14 errata-xmlrpc 2014-09-16 05:39:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1246 https://rhn.redhat.com/errata/RHSA-2014-1246.html


Note You need to log in before you can comment on or make changes to this bug.