Improper input validation in Mozilla NSS - CVE-2016-9574
Published: July 23, 2018 / Updated: July 25, 2018
Vulnerability identifier: #VU13994
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-9574
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Mozilla
Affected software:
Mozilla NSS
Mozilla NSS
Detailed vulnerability description
The vulnerability allows a remote attacker to cause DoS condition on the target system..
The vulnerability exists in the Mozilla Network Security Services (NSS) library due to improper handling of session handshake packets when the affected software uses a SessionTicket extension and Elliptic Curve Diffie-Hellman Exchange-Elliptic Curve Digital Signature Algorithm (ECDHE-ECDSA) certificates. A remote attacker can send specially crafted packets that submit malicious input to an application on a targeted system that has been compiled with the vulnerable library and cause the server application to crash.
How to mitigate CVE-2016-9574
Update to version 3.30 or later.