
Internet Security Systems Protection Advisory
August 23, 2004

Netscape NSS Library Remote Compromise

Summary:

A vulnerability exists in the Netscape Network Security Services (NSS)
library suite which may result in remote compromise of products making
use of this library for Secure Sockets Layer (SSL) communication.
Netscape Enterprise Server and Sun One are widely used commercial web
server platforms which make use of the NSS library. There is a security
flaw in the NSS library that can result in arbitrary code execution on
vulnerable systems during SSLv2 connection negotiation. 

ISS Protection Strategy:

ISS has provided preemptive protection for these vulnerabilities. We
recommend that all customers apply applicable ISS product updates. 

Network Sensor 7.0, Proventia A and G:
 XPU 22.25 / June 22, 2004
 SSL_Challenge_Length_Overflow

Proventia M:
 XPU 1.23 / June 22, 2004
 SSL_Challenge_Length_Overflow

Internet Scanner 7.0:
 XPU 7.35 / August 25, 2004
 SSLv2-Client-Hello-Overflow

These updates are available from the ISS Download Center at:

http://www.iss.net/download.


Business Impact:

If the SSLv2 protocol is enabled on vulnerable servers, a remote
unauthenticated attacker may trigger a buffer overflow condition and
execute arbitrary code. This has the potential to result in complete
compromise of the target server, and exposure of any information held
therein. In addition, SSL is often used to secure sensitive or
valuable communications, making this a high-value target for attackers.

Affected Products:

Netscape Network Security Services (NSS) Library - All known versions

The NSS library is used by the following products to provide SSL
functionality:

Netscape - Enterprise Server (NES) - All known versions
Netscape - Personalization Engine (NPE) - All known versions
Netscape - Directory Server (NDS) - All known versions
Netscape - Certificate Management Server (CMS) - All known versions
Sun - Sun One/iPlanet - All known versions
Any application or product that integrates the NSS library suite and
which implements SSLv2 ciphers

Description:

The NSS library is predominantly used by Netscape Enterprise Server
(NES) and Sun One / Sun Java System Web Server. These web platforms
are widely used in high-traffic environments to serve web content.
Secure Sockets Layer is an industry-standard method for encrypting
sensitive traffic, and is used widely to secure sensitive web
communications.

The NSS library is a shared component used by many different
products, and is publicly available as an open-source component
from the Mozilla Foundation. Although Netscape Enterprise Server
and Sun One are the most likely targets for attack, because the
component is open source there may be additional affected products
that are not listed above.

The NSS library contains a flaw in SSLv2 record parsing that may
lead to remote compromise. When parsing the first record in an SSLv2
negotiation, the client hello message, the server fails to validate
the length of a record field. As a result, it is possible for an
attacker to trigger a heap-based overflow of arbitrary length. The
SSLv2 protocol is disabled by default in Netscape Enterprise Server
and Sun One; however, it is believed to be common practice to enable
this protocol, and a significant percentage of the install base is
likely affected. Successful exploitation of this vulnerability will
grant an attacker the privilege level at which the web server was
executing. On Windows platforms, this will likely be full system
privileges, while on other platforms this may be restricted to a
non-root account.
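The kind of length-consistency check that the sensor signatures listed above look for, shown here as an added illustration (this is example code, not ISS or NSS code): a small Python validator that frames one SSLv2 record, reads the CLIENT-HELLO length fields, and reports when the declared challenge length does not fit inside the record or falls outside the 16..32 byte range the SSL 2.0 specification allows. That range is an assumption taken from the SSL 2.0 specification, not something this advisory states; the sample records are constructed rather than captured traffic, and every function and class name is the example's own.

```python
"""Validator for SSLv2 CLIENT-HELLO records: checks that the declared
field lengths are self-consistent before any field is trusted."""
import struct
from dataclasses import dataclass

SSL2_MT_CLIENT_HELLO = 0x01
# Assumed bound from the SSL 2.0 specification (not stated in the advisory):
# CHALLENGE-DATA is between 16 and 32 bytes long.
CHALLENGE_MIN, CHALLENGE_MAX = 16, 32
# msg-type(1) version(2) cipher-specs-len(2) session-id-len(2) challenge-len(2)
HELLO_FIXED_LEN = 9


class MalformedRecord(ValueError):
    """Raised when a record cannot even be framed."""


@dataclass
class ClientHello:
    version: int
    cipher_specs_len: int
    session_id_len: int
    challenge_len: int
    record_len: int


def parse_record_header(data: bytes):
    """Return (header_len, body_len). SSLv2 uses a 2-byte header when the top
    bit of the first byte is set, otherwise a 3-byte header with a padding byte."""
    if len(data) < 2:
        raise MalformedRecord("short record header")
    if data[0] & 0x80:
        return 2, ((data[0] & 0x7F) << 8) | data[1]
    if len(data) < 3:
        raise MalformedRecord("short 3-byte record header")
    return 3, ((data[0] & 0x3F) << 8) | data[1]


def inspect_client_hello(data: bytes):
    """Parse one CLIENT-HELLO record and return (hello, findings).
    An empty findings list means the declared lengths are consistent and in spec."""
    hdr_len, body_len = parse_record_header(data)
    body = data[hdr_len:hdr_len + body_len]
    if len(body) != body_len:
        raise MalformedRecord("record truncated")
    if body_len < HELLO_FIXED_LEN:
        raise MalformedRecord("body too short for CLIENT-HELLO")
    if body[0] != SSL2_MT_CLIENT_HELLO:
        raise MalformedRecord(f"unexpected message type {body[0]:#x}")
    version, cs_len, sid_len, ch_len = struct.unpack(">HHHH", body[1:HELLO_FIXED_LEN])
    hello = ClientHello(version, cs_len, sid_len, ch_len, body_len)
    findings = []
    # The three variable-length fields must exactly fill the rest of the record.
    declared = HELLO_FIXED_LEN + cs_len + sid_len + ch_len
    if declared != body_len:
        findings.append(f"declared field lengths sum to {declared}, record body is {body_len}")
    if cs_len % 3:
        findings.append(f"cipher-specs length {cs_len} is not a multiple of 3")
    if not CHALLENGE_MIN <= ch_len <= CHALLENGE_MAX:
        findings.append(f"challenge length {ch_len} outside {CHALLENGE_MIN}..{CHALLENGE_MAX}")
    return hello, findings


def is_suspicious(data: bytes) -> bool:
    """Sensor-style verdict: True if the record should be alerted on."""
    try:
        _, findings = inspect_client_hello(data)
    except MalformedRecord:
        return True
    return bool(findings)


def encode_client_hello(cipher_specs, session_id: bytes, challenge: bytes) -> bytes:
    """Encode a well-formed CLIENT-HELLO; used here only to build sample input."""
    body = bytes([SSL2_MT_CLIENT_HELLO]) + struct.pack(
        ">HHHH", 0x0002, 3 * len(cipher_specs), len(session_id), len(challenge))
    body += b"".join(cs.to_bytes(3, "big") for cs in cipher_specs)  # 3-byte cipher specs
    body += session_id + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body


# Constructed sample records (not captured traffic).
GOOD_HELLO = encode_client_hello([0x010080, 0x030080, 0x060040], b"", bytes(range(16)))
# Same record with the challenge-length field (record offset 9..10) rewritten to 256:
# it no longer matches the record length and exceeds the spec bound.
BAD_HELLO = GOOD_HELLO[:9] + (256).to_bytes(2, "big") + GOOD_HELLO[11:]

if __name__ == "__main__":
    for name, rec in (("good", GOOD_HELLO), ("bad", BAD_HELLO)):
        hello, findings = inspect_client_hello(rec)
        print(name, hello, findings or "ok")
```

The two checks are independent on purpose: a record whose lengths add up correctly can still carry an out-of-spec challenge length, and a server that copies the challenge into a fixed-size buffer has to enforce the spec bound itself rather than trust the sum.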

Additional Recommendations:

For manual protection, a vendor-supplied update for the NSS library
is available for download from the Mozilla ftp site:

ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_9_2_RTM

In addition, it is possible to mitigate risk associated with this
vulnerability by disabling SSLv2 and all associated SSLv2 ciphers:

For Netscape Enterprise, to disable SSL 2 via the admin server: 

1. Log into admin 
2. Select the instance you want (or stay in and configure the admin
   server) 
3. Select the Preferences tab 
4. For the listen socket that has SSL enabled, select Attributes 
5. Under Ciphers select SSL2 
6. Uncheck "SSL version 2". One may also disable all of the SSL 2
   ciphers here. 
7. Click Ok, then Quit to get rid of the window 
8. Click Apply in upper-right of browser 
9. Click Apply Changes and restart the server 
10. Enter your SSL password when prompted

Additional Information:

Workaround information for product suites other than Netscape
Enterprise Server is available from the appropriate vendor advisory.

Credit:
The vulnerability associated with this Protection Advisory was
discovered by Mark Dowd of ISS X-Force.

______

Internet Security Systems, Inc. (ISS) is the trusted expert to global
enterprises and world governments, providing products and services
that protect against Internet threats. An established world leader
in security since 1994, ISS delivers proven cost efficiencies and
reduces regulatory and business risk across the enterprise for
more than 11,000 customers worldwide. ISS products and services
are based on the proactive security intelligence conducted by the ISS(R)
X-Force(R) research and development team, the unequivocal world
authority in vulnerability and threat research. Headquartered
in Atlanta, Internet Security Systems has additional operations
throughout the Americas, Asia, Australia, Europe and the Middle East.

Copyright (c) 2004 Internet Security Systems, Inc. All rights reserved
worldwide.

This document is not to be edited or altered in any way without the
express written consent of Internet Security Systems, Inc. If you wish
to reprint the whole or any part of this document, please email

xforce@iss.net for permission. You may provide links to this document
from your web site, and you may make copies of this document in
accordance with the fair use doctrine of the U.S. copyright laws. 

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard
to this information or its use. Any use of this information is at
the user's risk. In no event shall the author/distributor (Internet
Security Systems X-Force) be held liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php
Please send suggestions, updates, and comments to: 

xforce@iss.net of Internet Security Systems, Inc.