Bug 1236967 (CVE-2015-2721) - CVE-2015-2721 NSS: incorrectly permited skipping of ServerKeyExchange (MFSA 2015-71)
Summary: CVE-2015-2721 NSS: incorrectly permited skipping of ServerKeyExchange (MFSA 2...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-2721
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Elio Maldonado Batiz
QA Contact:
URL:
Whiteboard:
Depends On: 1247487
Blocks: 1236968
TreeView+ depends on / blocked
 
Reported: 2015-06-30 05:24 UTC by Huzaifa S. Sidhpurwala
Modified: 2019-09-29 13:34 UTC (History)
8 users (show)

Fixed In Version: nss-3.19.1-1.el5_11
Doc Type: Bug Fix
Doc Text:
It was found that NSS permitted skipping of the ServerKeyExchange packet during a handshake involving ECDHE (Elliptic Curve Diffie-Hellman key Exchange). A remote attacker could use this flaw to bypass the forward-secrecy of a TLS/SSL connection.
Clone Of:
Environment:
Last Closed: 2015-09-01 07:54:02 UTC


Attachments (Terms of Use)
all changes required for rebasing to nss-3.19.1 (23.87 KB, patch)
2015-07-29 21:46 UTC, Elio Maldonado Batiz
no flags Details | Diff
spec file changes - in patch format (1.99 KB, patch)
2015-07-29 21:55 UTC, Elio Maldonado Batiz
emaldona: review-
Details | Diff
all changes for rebase (31.88 KB, patch)
2015-07-30 17:47 UTC, Elio Maldonado Batiz
rrelyea: review-
Details | Diff
nss.spec changes - in patch format (2.74 KB, patch)
2015-07-30 17:50 UTC, Elio Maldonado Batiz
rrelyea: review+
Details | Diff
Reverts upstream changes that bumped the minimum key sizes (2.47 KB, patch)
2015-07-31 18:35 UTC, Elio Maldonado Batiz
rrelyea: review+
Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1664 normal SHIPPED_LIVE Moderate: nss security, bug fix, and enhancement update 2015-08-24 19:38:26 UTC

Description Huzaifa S. Sidhpurwala 2015-06-30 05:24:59 UTC
Security researcher Karthikeyan Bhargavan reported an issue in Network Security Services (NSS) where the client allows for a ECDHE_ECDSA exchange where the server does not send its ServerKeyExchange message instead of aborting the handshake. Instead, the NSS client will take the EC key from the ECDSA certificate. This violates the TLS protocol and also has some security implications for forward secrecy. In this situation, the browser thinks it is engaged in an ECDHE exchange, but has been silently downgraded to a non-forward secret mixed-ECDH exchange instead. As a result, if False Start is enabled, the browser will start sending data encrypted under these non-forward-secret connection keys. This issue was fixed in NSS version 3.19.1.


External Reference:

http://www.mozilla.org/security/announce/2015/mfsa2015-71.html


Acknowledgements:

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Karthikeyan Bhargavan as the original reporter.

Comment 1 Huzaifa S. Sidhpurwala 2015-07-06 08:21:41 UTC
Upstream commits:

https://hg.mozilla.org/projects/nss/rev/6b4770c76bc8
Test case at: https://hg.mozilla.org/projects/nss/rev/1865635f5df5

This issue was fixed in NSS version 3.19.1.

Comment 2 Huzaifa S. Sidhpurwala 2015-07-14 05:29:26 UTC
This issue was fixed in Red Hat Enterprise Linux 6 and 7 via the following advisory:

https://rhn.redhat.com/errata/RHSA-2015-1185.html

Comment 3 Huzaifa S. Sidhpurwala 2015-07-14 05:45:44 UTC
Statement:

(none)

Comment 11 Elio Maldonado Batiz 2015-07-29 21:46:15 UTC
Created attachment 1057422 [details]
all changes required for rebasing to nss-3.19.1

For informational purpose ostly. To apply, in a convenient location do:
rhpkhg clone nss; cd nss; rhpkg switch-branch
patch -p1 < a-to/allchanges4rebase.patch
It's not easy on the eyes so I'll attach the nss.spec portion next.

Comment 12 Elio Maldonado Batiz 2015-07-29 21:55:12 UTC
Created attachment 1057423 [details]
spec file changes - in patch format

deleted: expired-cert.patch, nss-3.18.1-ca-2.3-to-2.4.patch, and     syntaxfix.patch which were rendered obsolete with the rebase.
modified: nss-revert-tls-version-defaults.patch on account of the rebase, same patch but was generated with gendiff, same as previously done on rhel 6 and.

Comment 13 Elio Maldonado Batiz 2015-07-30 13:30:05 UTC
Comment on attachment 1057423 [details]
spec file changes - in patch format

This patch is not yet complete as it missed picking up a post release fix to a 3.19.1 caused regression which is a main driver for this. Upstream bug is: https://bugzilla.mozilla.org/show_bug.cgi?id=1173413. Thanks to Bob for that and other reminders. Doing other checks for upstream changes to default behavior that need to be reversed.

Comment 14 Elio Maldonado Batiz 2015-07-30 17:47:12 UTC
Created attachment 1057769 [details]
all changes for rebase

Comment 15 Elio Maldonado Batiz 2015-07-30 17:50:04 UTC
Created attachment 1057770 [details]
nss.spec changes - in patch format

Extracted from the other patch, easier to read and review.

Comment 16 Bob Relyea 2015-07-31 18:02:23 UTC
Comment on attachment 1057769 [details]
all changes for rebase

r-

Please explain why the keep tls default patch changed from a -R (revert) to no -R as in the comment. Do you have a different keep tls defaults patch?

Also, include the min_key_sizes patch for review.

Comment 17 Elio Maldonado Batiz 2015-07-31 18:27:20 UTC
(In reply to Bob Relyea from comment #16)
> Comment on attachment 1057769 [details]
> all changes for rebase
> 
> r-
> 
> Please explain why the keep tls default patch changed from a -R (revert) to
> no -R as in the comment. Do you have a different keep tls defaults patch?
The reason is that originally it was excactly the same patch as the one upstream this we needed the -R (revert) to tell the tool the intention is to revert. The patch no longer applies due to code changes since then. This patch was manually generated using gendiff and -R. can't be used. This the same as change I had to for RHEl-6, actually I copied it from there. I should have added add a brief version of this explanation to the nss.spc.
> 
> Also, include the min_key_sizes patch for review.
Yes, coming next.

Comment 18 Elio Maldonado Batiz 2015-07-31 18:35:46 UTC
Created attachment 1058106 [details]
Reverts upstream changes that bumped the minimum key sizes

This patch reverts the upstream change but there I have meaning to ask you, should we instead change them but choose our minimum values values?

Comment 19 Bob Relyea 2015-07-31 20:35:01 UTC
Comment on attachment 1058106 [details]
Reverts upstream changes that bumped the minimum key sizes

r+

Comment 22 errata-xmlrpc 2015-08-24 15:39:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2015:1664 https://rhn.redhat.com/errata/RHSA-2015-1664.html


Note You need to log in before you can comment on or make changes to this bug.