CVE-2013-1740
nss: false start PR_Recv information disclosure security issue
Severity Score
Exploit Likelihood
Affected Versions
47Public Exploits
1Exploited in Wild
-Decision
Descriptions
The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.
La función ssl_Do1stHandshake en sslsecur.c en libssl de Mozilla Network Security Services (NSS) anteriores a 3.15.4, cuando la funcionalidad TLS False Start está habilitada, permite a atacantes man-in-the-middle falsear servidores SSL utilizando un certificado X.509 arbitrario durante cierto tráfico de handshake.
A flaw was found in the way TLS False Start was implemented in NSS. An attacker could use this flaw to potentially return unencrypted information from the server.
Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime provides platform independence for non-GUI operating system facilities. A race condition was found in the way NSS verified certain certificates. A remote attacker could use this flaw to crash an application using NSS or, possibly, execute arbitrary code with the privileges of the user running that application. A flaw was found in the way TLS False Start was implemented in NSS. An attacker could use this flaw to potentially return unencrypted information from the server.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2013-02-13 CVE Reserved
- 2014-01-18 CVE Published
- 2024-08-06 CVE Updated
- 2024-08-06 First Exploit
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-310: Cryptographic Issues
CAPEC
References (18)
| URL | Tag | Source |
|---|---|---|
| http://seclists.org/fulldisclosure/2014/Dec/23 | Mailing List |
|
| http://www.oracle.com/technetwork/topics/security/cpujan2015-197... | X_refsource_confirm |
|
| http://www.oracle.com/technetwork/topics/security/cpujan2016-236... | X_refsource_confirm |
|
| http://www.oracle.com/technetwork/topics/security/cpujul2014-197... | X_refsource_confirm |
|
| http://www.oracle.com/technetwork/topics/security/cpuoct2014-197... | X_refsource_confirm |
|
| http://www.oracle.com/technetwork/topics/security/ovmbulletinjul... | X_refsource_confirm |
|
| http://www.securityfocus.com/archive/1/534161/100/0/threaded | Mailing List | |
| http://www.securityfocus.com/bid/64944 | Vdb Entry | |
| http://www.vmware.com/security/advisories/VMSA-2014-0012.html | X_refsource_confirm | |
| https://bugs.gentoo.org/show_bug.cgi?id=498172 | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2014-... | 2018-10-09 | |
| http://lists.opensuse.org/opensuse-security-announce/2014-... | 2018-10-09 | |
| http://www.ubuntu.com/usn/USN-2088-1 | 2018-10-09 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1053725 | 2014-09-16 | |
| https://access.redhat.com/security/cve/CVE-2013-1740 | 2014-09-16 |