You are currently viewing a snapshot of www.mozilla.org taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to www.mozilla.org, please file a bug.



Network Security Services (NSS) SSL v2 Buffer Overflow

Overview

In August 2004 Internet Security Systems, Inc. (ISS) reported buffer overflow vulnerabilities in all known releases of the Network Security Services (NSS) library suite. The impact of these vulnerabilities could potentially allow an attacker to execute malicious code or a denial of service attack against server products or services that use vulnerable versions of the NSS library suite.

Affected Products and Applications

  • Network Security Services (NSS) Library - All known versions
  • Netscape - Enterprise Server (NES) - All known versions
  • Netscape - Directory Server (NDS) - All known versions
  • Netscape - Certificate Management System (CMS) - All known versions
  • Sun - Sun ONE/iPlanet - All known versions
  • Any application or product that integrates the NSS library suite and uses SSL v2 cipher suites as an SSL server

Solutions

This issue can be addressed by upgrading to the version 3.9.2 of the Network Security Services library suite. Please note that products or applications that statically link to a vulnerable version of NSS may need to be recompiled to resolve the vulnerability. NSS version 3.9.2 can be downloaded from ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_9_2_RTM.

If upgrading the NSS library is not possible, disabling the SSL v2 protocol and all SSL v2 cipher suites effectively mitigates these vulnerabilities. Please note that simply disabling SSL v2 may not fully protect against attack in some server products. Disabling SSL v2 and all SSL v2 cipher suites performs this mitigation. Links to instructions for disabling SSL v2 and all the SSL v2 cipher suites for some affected products are provided below.

Acknowledgments: Thanks to Mark Dowd and Internet Security Systems, Inc. for their assistance in addressing this issue.