CVE-2017-7502
nss: Null pointer dereference when handling empty SSLv2 messages
Severity Score
7.5
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Null pointer dereference vulnerability in NSS since 3.24.0 was found when server receives empty SSLv2 messages resulting into denial of service by remote attacker.
Se ha encontrado una vulnerabilidad de desreferencia de puntero NULL en NSS desde la versión 3.24.0 en la que el servidor recibe mensajes SSLv2 vacíos, lo que da lugar a una denegación de servicio (DoS) por parte de atacantes remotos.
A null pointer dereference flaw was found in the way NSS handled empty SSLv2 messages. An attacker could use this flaw to crash a server application compiled against the NSS library.
It was discovered that NSS incorrectly handled certain empty SSLv2 messages. A remote attacker could possibly use this issue to cause NSS to crash, resulting in a denial of service. Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES ciphers were vulnerable to birthday attacks. A remote attacker could possibly use this flaw to obtain clear text data from long encrypted sessions. This update causes NSS to limit use of the same symmetric key. Various other issues were also addressed.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2017-04-05 CVE Reserved
- 2017-05-30 CVE Published
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-476: NULL Pointer Dereference
CAPEC
References (11)
| URL | Tag | Source |
|---|---|---|
| http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html | X_refsource_confirm |
|
| http://www.securityfocus.com/bid/98744 | Third Party Advisory | |
| http://www.securitytracker.com/id/1038579 | Vdb Entry |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://hg.mozilla.org/projects/nss/rev/55ea60effd0d | 2023-02-12 |
| URL | Date | SRC |
|---|---|---|
| http://www.debian.org/security/2017/dsa-3872 | 2023-02-12 | |
| https://access.redhat.com/errata/RHSA-2017:1364 | 2023-02-12 | |
| https://access.redhat.com/errata/RHSA-2017:1365 | 2023-02-12 | |
| https://access.redhat.com/errata/RHSA-2017:1567 | 2023-02-12 | |
| https://access.redhat.com/errata/RHSA-2017:1712 | 2023-02-12 | |
| https://access.redhat.com/security/cve/CVE-2017-7502 | 2017-06-21 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1446631 | 2017-06-21 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Mozilla Search vendor "Mozilla" | Network Security Services Search vendor "Mozilla" for product "Network Security Services" | 3.24.0 Search vendor "Mozilla" for product "Network Security Services" and version "3.24.0" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Network Security Services Search vendor "Mozilla" for product "Network Security Services" | 3.25.0 Search vendor "Mozilla" for product "Network Security Services" and version "3.25.0" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Network Security Services Search vendor "Mozilla" for product "Network Security Services" | 3.25.1 Search vendor "Mozilla" for product "Network Security Services" and version "3.25.1" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Network Security Services Search vendor "Mozilla" for product "Network Security Services" | 3.26.0 Search vendor "Mozilla" for product "Network Security Services" and version "3.26.0" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Network Security Services Search vendor "Mozilla" for product "Network Security Services" | 3.26.2 Search vendor "Mozilla" for product "Network Security Services" and version "3.26.2" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Network Security Services Search vendor "Mozilla" for product "Network Security Services" | 3.27.0 Search vendor "Mozilla" for product "Network Security Services" and version "3.27.0" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Network Security Services Search vendor "Mozilla" for product "Network Security Services" | 3.27.1 Search vendor "Mozilla" for product "Network Security Services" and version "3.27.1" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Network Security Services Search vendor "Mozilla" for product "Network Security Services" | 3.27.2 Search vendor "Mozilla" for product "Network Security Services" and version "3.27.2" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Network Security Services Search vendor "Mozilla" for product "Network Security Services" | 3.28.0 Search vendor "Mozilla" for product "Network Security Services" and version "3.28.0" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Network Security Services Search vendor "Mozilla" for product "Network Security Services" | 3.28.1 Search vendor "Mozilla" for product "Network Security Services" and version "3.28.1" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Network Security Services Search vendor "Mozilla" for product "Network Security Services" | 3.28.2 Search vendor "Mozilla" for product "Network Security Services" and version "3.28.2" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Network Security Services Search vendor "Mozilla" for product "Network Security Services" | 3.28.3 Search vendor "Mozilla" for product "Network Security Services" and version "3.28.3" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Network Security Services Search vendor "Mozilla" for product "Network Security Services" | 3.29.0 Search vendor "Mozilla" for product "Network Security Services" and version "3.29.0" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Network Security Services Search vendor "Mozilla" for product "Network Security Services" | 3.29.1 Search vendor "Mozilla" for product "Network Security Services" and version "3.29.1" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Network Security Services Search vendor "Mozilla" for product "Network Security Services" | 3.29.2 Search vendor "Mozilla" for product "Network Security Services" and version "3.29.2" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Network Security Services Search vendor "Mozilla" for product "Network Security Services" | 3.29.3 Search vendor "Mozilla" for product "Network Security Services" and version "3.29.3" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Network Security Services Search vendor "Mozilla" for product "Network Security Services" | 3.30.0 Search vendor "Mozilla" for product "Network Security Services" and version "3.30.0" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Network Security Services Search vendor "Mozilla" for product "Network Security Services" | 3.30.1 Search vendor "Mozilla" for product "Network Security Services" and version "3.30.1" | - |
Affected
| ||||||