Main Vulnerability Database Vulnerabilities #VU28522

Race condition in Mozilla NSS - CVE-2020-12399

Published: June 2, 2020 / Updated: July 15, 2020

Vulnerability identifier: #VU28522

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

CVE-ID: CVE-2020-12399

CWE-ID: CWE-362

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Mozilla

Affected software:
Mozilla NSS

Detailed vulnerability description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to time differences in Mozilla NSS library during the process of generating a DSA signature, the nonce value 'k' is not padded, exposing the bit length. Combined with other techniques, this can result in the recovery of the DSA private key.

How to mitigate CVE-2020-12399

Install updates from vendor's website.

Sources

https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/
https://bugzilla.mozilla.org/show_bug.cgi?id=1631576
https://bugzilla.redhat.com/show_bug.cgi?id=1826177

Race condition in Mozilla NSS - CVE-2020-12399

Detailed vulnerability description

How to mitigate CVE-2020-12399

Sources

Please verify you're human