Main Vulnerability Database SB2020060214

SB2020060214 - Timing attack in Mozilla NSS library

Published: June 2, 2020

Security Bulletin ID SB2020060214

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Race condition (CVE-ID: CVE-2020-12399)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to time differences in Mozilla NSS library during the process of generating a DSA signature, the nonce value 'k' is not padded, exposing the bit length. Combined with other techniques, this can result in the recovery of the DSA private key.

Remediation

Install update from vendor's website.

References

https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/
https://bugzilla.mozilla.org/show_bug.cgi?id=1631576
https://bugzilla.redhat.com/show_bug.cgi?id=1826177