CVE-2017-7805

nss: Potential use-after-free in TLS 1.2 server when verifying client authentication

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

During TLS 1.2 exchanges, handshake hashes are generated which point to a message buffer. This saved data is used for later messages but in some cases, the handshake transcript can exceed the space available in the current buffer, causing the allocation of a new buffer. This leaves a pointer pointing to the old, freed buffer, resulting in a use-after-free when handshake hashes are then calculated afterwards. This can result in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.

Durante los intercambios TLS 1.2, los hashes de los handshakes se generan apuntando a un búfer de mensaje. Estos datos guardados se utilizan para futuros mensajes pero, en determinados casos, la transcripción del handshake puede exceder el espacio disponible en el búfer actual, provocando la asignación de un nuevo búfer. Esto deja al puntero apuntando al búfer antiguo liberado, resultando en una condición de uso de memoria previamente liberada cuando los hashes del handshake se calculan posteriormente. Esto puede resultar en un cierre inesperado explotable. Esta vulnerabilidad afecta a las versiones anteriores a la 56 de Firefox, las versiones anteriores a la 52.4 de Firefox ESR y las versiones anteriores a la 52.4 de Thunderbird.

A use-after-free flaw was found in the TLS 1.2 implementation in the NSS library when client authentication was used. A malicious client could use this flaw to cause an application compiled against NSS to crash or, potentially, execute arbitrary code with the permission of the user running the application.

USN-3435-1 fixed vulnerabilities in Firefox. The update caused the Flash plugin to crash in some circumstances. This update fixes the problem. Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to read uninitialized memory, obtain sensitive information, bypass phishing and malware protection, spoof the origin in modal dialogs, conduct cross-site scripting attacks, cause a denial of service via application crash, or execute arbitrary code. Martin Thomson discovered that NSS incorrectly generated handshake hashes. A remote attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. Multiple security issues were discovered in WebExtensions. If a user were tricked in to installing a specially crafted extension, an attacker could potentially exploit these to download and open non-executable files without interaction, or obtain elevated privileges. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-04-12 CVE Reserved
2017-09-29 CVE Published
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (15)

URL	Tag	Source
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html	X_refsource_confirm
http://www.securityfocus.com/bid/101059	Third Party Advisory
http://www.securitytracker.com/id/1039465	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2017/11/msg00000.html	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2017:2832	2018-10-17
https://bugzilla.mozilla.org/show_bug.cgi?id=1377618	2018-10-17
https://security.gentoo.org/glsa/201803-14	2018-10-17
https://www.debian.org/security/2017/dsa-3987	2018-10-17
https://www.debian.org/security/2017/dsa-3998	2018-10-17
https://www.debian.org/security/2017/dsa-4014	2018-10-17
https://www.mozilla.org/security/advisories/mfsa2017-21	2018-10-17
https://www.mozilla.org/security/advisories/mfsa2017-22	2018-10-17
https://www.mozilla.org/security/advisories/mfsa2017-23	2018-10-17
https://access.redhat.com/security/cve/CVE-2017-7805	2017-09-28
https://bugzilla.redhat.com/show_bug.cgi?id=1471171	2017-09-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mozilla Search vendor "Mozilla"		Firefox Search vendor "Mozilla" for product "Firefox"				56.0 Search vendor "Mozilla" for product "Firefox" and version "56.0"		-		Affected
Mozilla Search vendor "Mozilla"		Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"				52.4.0 Search vendor "Mozilla" for product "Firefox Esr" and version "52.4.0"		-		Affected
Mozilla Search vendor "Mozilla"		Thunderbird Search vendor "Mozilla" for product "Thunderbird"				52.4.0 Search vendor "Mozilla" for product "Thunderbird" and version "52.4.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected