Key Management Errors

Affecting nss package, versions <2:3.25-1

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See Remediation section below for Debian:10 relevant versions.

It was found that Diffie Hellman Client key exchange handling in NSS 3.21.x was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group.

Remediation

Upgrade Debian:10 nss to version 2:3.25-1 or higher.

References

CVSS Score

5.9
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE
CVE-2016-8635
CWE
CWE-320 CWE-358
Snyk ID
SNYK-DEBIAN10-NSS-421269
Disclosed
01 Aug, 2018
Published
27 Jun, 2018