CVE-2015-2721

NSS: incorrectly permited skipping of ServerKeyExchange (MFSA 2015-71)

Severity Score

5.9

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Mozilla Network Security Services (NSS) before 3.19, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, Thunderbird before 38.1, and other products, does not properly determine state transitions for the TLS state machine, which allows man-in-the-middle attackers to defeat cryptographic protection mechanisms by blocking messages, as demonstrated by removing a forward-secrecy property by blocking a ServerKeyExchange message, aka a "SMACK SKIP-TLS" issue.

Mozilla Network Security Services (NSS) anterior a 3.19, utilizado en Mozilla Firefox anterior a 39.0, Firefox ESR 31.x anterior a 31.8 y 38.x anterior a 38.1, Thunderbird anterior a 38.1, y otros productos, no determina correctamente las transiciones de estado para la máquina de estados TLS, lo que permite a atacantes man-in-the-middle derrotar los mecanismos de protección criptográfica mediante el bloqueo de mensajes, tal y como fue demostrado mediante la eliminación de una propiedad de confidencialidad adelantada mediante el bloqueo de un mensaje ServerKeyExchange, también conocido como un problema de 'SMACK SKIP-TLS' .

It was found that NSS permitted skipping of the ServerKeyExchange packet during a handshake involving ECDHE (Elliptic Curve Diffie-Hellman key Exchange). A remote attacker could use this flaw to bypass the forward-secrecy of a TLS/SSL connection.

USN-2656-1 fixed vulnerabilities in Firefox for Ubuntu 14.04 LTS and later releases. This update provides the corresponding update for Ubuntu 12.04 LTS. Karthikeyan Bhargavan discovered that NSS incorrectly handled state transitions for the TLS state machine. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to skip the ServerKeyExchange message and remove the forward-secrecy property. Looben Yan discovered 2 use-after-free issues when using XMLHttpRequest in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2015-03-25 CVE Reserved
2015-07-06 CVE Published
2024-08-06 CVE Updated
2024-08-06 First Exploit
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-310: Cryptographic Issues
CWE-358: Improperly Implemented Security Check for Standard

CAPEC

References (31)

URL	Tag	Source
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html	Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html	Third Party Advisory
http://www.securityfocus.com/bid/75541	Vdb Entry
http://www.securityfocus.com/bid/83398	Vdb Entry
http://www.securityfocus.com/bid/91787	Third Party Advisory
http://www.securitytracker.com/id/1032783	Vdb Entry
http://www.securitytracker.com/id/1032784	Vdb Entry
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19_release_notes	Release Notes
https://smacktls.com	Technical Description

URL	Date	SRC
https://bugzilla.mozilla.org/show_bug.cgi?id=1086145	2024-08-06

URL	Date	SRC

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00025.html	2023-09-12
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html	2023-09-12
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00033.html	2023-09-12
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00034.html	2023-09-12
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html	2023-09-12
http://rhn.redhat.com/errata/RHSA-2015-1185.html	2023-09-12
http://rhn.redhat.com/errata/RHSA-2015-1664.html	2023-09-12
http://www.debian.org/security/2015/dsa-3324	2023-09-12
http://www.debian.org/security/2015/dsa-3336	2023-09-12
http://www.mozilla.org/security/announce/2015/mfsa2015-71.html	2023-09-12
http://www.ubuntu.com/usn/USN-2656-1	2023-09-12
http://www.ubuntu.com/usn/USN-2656-2	2023-09-12
http://www.ubuntu.com/usn/USN-2672-1	2023-09-12
http://www.ubuntu.com/usn/USN-2673-1	2023-09-12
https://security.gentoo.org/glsa/201512-10	2023-09-12
https://security.gentoo.org/glsa/201701-46	2023-09-12
https://access.redhat.com/security/cve/CVE-2015-2721	2015-08-24
https://bugzilla.redhat.com/show_bug.cgi?id=1236967	2015-08-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mozilla Search vendor "Mozilla"	Network Security Services Search vendor "Mozilla" for product "Network Security Services"	3.19 Search vendor "Mozilla" for product "Network Security Services" and version "3.19"	-	Affected	in	Mozilla Search vendor "Mozilla"	Firefox Search vendor "Mozilla" for product "Firefox"	<= 38.1.0 Search vendor "Mozilla" for product "Firefox" and version " <= 38.1.0"	-	Safe
Mozilla Search vendor "Mozilla"	Network Security Services Search vendor "Mozilla" for product "Network Security Services"	3.19 Search vendor "Mozilla" for product "Network Security Services" and version "3.19"	-	Affected	in	Mozilla Search vendor "Mozilla"	Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"	31.0 Search vendor "Mozilla" for product "Firefox Esr" and version "31.0"	-	Safe
Mozilla Search vendor "Mozilla"	Network Security Services Search vendor "Mozilla" for product "Network Security Services"	3.19 Search vendor "Mozilla" for product "Network Security Services" and version "3.19"	-	Affected	in	Mozilla Search vendor "Mozilla"	Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"	31.1 Search vendor "Mozilla" for product "Firefox Esr" and version "31.1"	-	Safe
Mozilla Search vendor "Mozilla"	Network Security Services Search vendor "Mozilla" for product "Network Security Services"	3.19 Search vendor "Mozilla" for product "Network Security Services" and version "3.19"	-	Affected	in	Mozilla Search vendor "Mozilla"	Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"	31.1.0 Search vendor "Mozilla" for product "Firefox Esr" and version "31.1.0"	-	Safe
Mozilla Search vendor "Mozilla"	Network Security Services Search vendor "Mozilla" for product "Network Security Services"	3.19 Search vendor "Mozilla" for product "Network Security Services" and version "3.19"	-	Affected	in	Mozilla Search vendor "Mozilla"	Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"	31.1.1 Search vendor "Mozilla" for product "Firefox Esr" and version "31.1.1"	-	Safe
Mozilla Search vendor "Mozilla"	Network Security Services Search vendor "Mozilla" for product "Network Security Services"	3.19 Search vendor "Mozilla" for product "Network Security Services" and version "3.19"	-	Affected	in	Mozilla Search vendor "Mozilla"	Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"	31.2 Search vendor "Mozilla" for product "Firefox Esr" and version "31.2"	-	Safe
Mozilla Search vendor "Mozilla"	Network Security Services Search vendor "Mozilla" for product "Network Security Services"	3.19 Search vendor "Mozilla" for product "Network Security Services" and version "3.19"	-	Affected	in	Mozilla Search vendor "Mozilla"	Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"	31.3 Search vendor "Mozilla" for product "Firefox Esr" and version "31.3"	-	Safe
Mozilla Search vendor "Mozilla"	Network Security Services Search vendor "Mozilla" for product "Network Security Services"	3.19 Search vendor "Mozilla" for product "Network Security Services" and version "3.19"	-	Affected	in	Mozilla Search vendor "Mozilla"	Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"	31.3.0 Search vendor "Mozilla" for product "Firefox Esr" and version "31.3.0"	-	Safe
Mozilla Search vendor "Mozilla"	Network Security Services Search vendor "Mozilla" for product "Network Security Services"	3.19 Search vendor "Mozilla" for product "Network Security Services" and version "3.19"	-	Affected	in	Mozilla Search vendor "Mozilla"	Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"	31.4 Search vendor "Mozilla" for product "Firefox Esr" and version "31.4"	-	Safe
Mozilla Search vendor "Mozilla"	Network Security Services Search vendor "Mozilla" for product "Network Security Services"	3.19 Search vendor "Mozilla" for product "Network Security Services" and version "3.19"	-	Affected	in	Mozilla Search vendor "Mozilla"	Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"	31.5 Search vendor "Mozilla" for product "Firefox Esr" and version "31.5"	-	Safe
Mozilla Search vendor "Mozilla"	Network Security Services Search vendor "Mozilla" for product "Network Security Services"	3.19 Search vendor "Mozilla" for product "Network Security Services" and version "3.19"	-	Affected	in	Mozilla Search vendor "Mozilla"	Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"	31.5.1 Search vendor "Mozilla" for product "Firefox Esr" and version "31.5.1"	-	Safe
Mozilla Search vendor "Mozilla"	Network Security Services Search vendor "Mozilla" for product "Network Security Services"	3.19 Search vendor "Mozilla" for product "Network Security Services" and version "3.19"	-	Affected	in	Mozilla Search vendor "Mozilla"	Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"	31.5.2 Search vendor "Mozilla" for product "Firefox Esr" and version "31.5.2"	-	Safe
Mozilla Search vendor "Mozilla"	Network Security Services Search vendor "Mozilla" for product "Network Security Services"	3.19 Search vendor "Mozilla" for product "Network Security Services" and version "3.19"	-	Affected	in	Mozilla Search vendor "Mozilla"	Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"	31.5.3 Search vendor "Mozilla" for product "Firefox Esr" and version "31.5.3"	-	Safe
Mozilla Search vendor "Mozilla"	Network Security Services Search vendor "Mozilla" for product "Network Security Services"	3.19 Search vendor "Mozilla" for product "Network Security Services" and version "3.19"	-	Affected	in	Mozilla Search vendor "Mozilla"	Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"	31.6.0 Search vendor "Mozilla" for product "Firefox Esr" and version "31.6.0"	-	Safe
Mozilla Search vendor "Mozilla"	Network Security Services Search vendor "Mozilla" for product "Network Security Services"	3.19 Search vendor "Mozilla" for product "Network Security Services" and version "3.19"	-	Affected	in	Mozilla Search vendor "Mozilla"	Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"	31.7.0 Search vendor "Mozilla" for product "Firefox Esr" and version "31.7.0"	-	Safe
Mozilla Search vendor "Mozilla"	Network Security Services Search vendor "Mozilla" for product "Network Security Services"	3.19 Search vendor "Mozilla" for product "Network Security Services" and version "3.19"	-	Affected	in	Mozilla Search vendor "Mozilla"	Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"	38.0 Search vendor "Mozilla" for product "Firefox Esr" and version "38.0"	-	Safe
Mozilla Search vendor "Mozilla"	Network Security Services Search vendor "Mozilla" for product "Network Security Services"	3.19 Search vendor "Mozilla" for product "Network Security Services" and version "3.19"	-	Affected	in	Mozilla Search vendor "Mozilla"	Thunderbird Search vendor "Mozilla" for product "Thunderbird"	<= 38.0.1 Search vendor "Mozilla" for product "Thunderbird" and version " <= 38.0.1"	-	Safe
Novell Search vendor "Novell"		Suse Linux Enterprise Software Development Kit Search vendor "Novell" for product "Suse Linux Enterprise Software Development Kit"				12.0 Search vendor "Novell" for product "Suse Linux Enterprise Software Development Kit" and version "12.0"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.10"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				15.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "15.04"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Novell Search vendor "Novell"		Suse Linux Enterprise Desktop Search vendor "Novell" for product "Suse Linux Enterprise Desktop"				12.0 Search vendor "Novell" for product "Suse Linux Enterprise Desktop" and version "12.0"		-		Affected
Novell Search vendor "Novell"		Suse Linux Enterprise Server Search vendor "Novell" for product "Suse Linux Enterprise Server"				11 Search vendor "Novell" for product "Suse Linux Enterprise Server" and version "11"		sp4		Affected
Novell Search vendor "Novell"		Suse Linux Enterprise Server Search vendor "Novell" for product "Suse Linux Enterprise Server"				12.0 Search vendor "Novell" for product "Suse Linux Enterprise Server" and version "12.0"		-		Affected
Oracle Search vendor "Oracle"		Solaris Search vendor "Oracle" for product "Solaris"				11.3 Search vendor "Oracle" for product "Solaris" and version "11.3"		-		Affected
Oracle Search vendor "Oracle"		Vm Server Search vendor "Oracle" for product "Vm Server"				3.2 Search vendor "Oracle" for product "Vm Server" and version "3.2"		-		Affected