PRNG Seed Error

Affecting nss package, versions <2:3.39-1

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.

References

CVSS Score

5.9
low severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE
CVE-2018-12384
CWE
CWE-335
Snyk ID
SNYK-DEBIAN10-NSS-421426
Disclosed
29 Apr, 2019
Published
25 Sep, 2018