Algorithm Downgrade in Mozilla Firefox

#VU24061 Algorithm Downgrade in Mozilla Firefox

Published: 2020-01-07 | Updated: 2020-01-08

Vulnerability identifier: #VU24061

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-17023

CWE-ID: CWE-757

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla Firefox
Client/Desktop applications / Web browsers

Vendor: Mozilla

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to insecure negotiation After a HelloRetryRequest in Mozilla NSS that can lead to selection of a less secure protocol (e.g. TLS 1.2 or below) after the HelloRetryRequest TLS 1.3 is sent.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 65.0 - 71.0

External links
http://www.mozilla.org/en-US/security/advisories/mfsa2020-01/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell EMC Data Computing Appliance (DCA)

Amazon Linux AMI update for nspr, nss-softokn, nss-util

CentOS 7 update for nss

Multiple vulnerabilities in Red Hat Ansible Automation Platform 1.2

Red Hat Enterprise Linux 7 update for nss and nspr

Red Hat Enterprise Linux 8 update for nss and nspr

Debian update for nss

Ubuntu update for Firefox

Algorithm Downgrade in firefox (Alpine package)

Arch Linux update for firefox