Network Security Services (NSS) SSL v2 Buffer Overflow
Overview
In August 2004, Internet Security Systems, Inc. (ISS) reported buffer overflow vulnerabilities in all known releases of the Network Security Services (NSS) library suite. These vulnerabilities could potentially allow an attacker to execute malicious code or cause a denial of service against server products or services that use vulnerable versions of the NSS library suite.
Affected Products and Applications
- Network Security Services (NSS) Library - All known versions
- Netscape - Enterprise Server (NES) - All known versions
- Netscape - Directory Server (NDS) - All known versions
- Netscape - Certificate Management System (CMS) - All known versions
- Sun - Sun ONE/iPlanet - All known versions
- Any application or product that integrates the NSS library suite and uses SSL v2 cipher suites as an SSL server
Solutions
This issue can be addressed by upgrading to version 3.9.2 of the Network Security Services library suite. Please note that products or applications that statically link to a vulnerable version of NSS may need to be recompiled to resolve the vulnerability. NSS version 3.9.2 can be downloaded from ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_9_2_RTM.
If upgrading the NSS library is not possible, disabling the SSL v2 protocol and all SSL v2 cipher suites effectively mitigates these vulnerabilities. Please note that simply disabling SSL v2 may not fully protect against attack in some server products; the mitigation requires disabling both SSL v2 and all SSL v2 cipher suites. Links to instructions for disabling SSL v2 and all the SSL v2 cipher suites for some affected products are provided below.
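When planning or checking this mitigation, it helps to know which clients still open connections with SSL v2. The following is an added example, not part of the original advisory or of NSS: it parses the first bytes a client sends and reports whether they form an SSL v2-format CLIENT-HELLO and which SSL v2 cipher kinds it offers. The function names and sample bytes are constructed for illustration; the record layout and cipher-kind codes follow the SSL 2.0 specification.

```python
import struct

# SSL v2 cipher kinds (3-byte codes from the SSL 2.0 specification).
SSLV2_CIPHER_KINDS = {
    0x010080: "SSL_CK_RC4_128_WITH_MD5",
    0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL_CK_RC2_128_CBC_WITH_MD5",
    0x040080: "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL_CK_IDEA_128_CBC_WITH_MD5",
    0x060040: "SSL_CK_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def parse_v2_client_hello(data):
    """Return a dict describing an SSL v2-format CLIENT-HELLO, or None."""
    if len(data) < 2:
        return None
    if data[0] & 0x80:                      # 2-byte record header, no padding
        rec_len, off = ((data[0] & 0x7F) << 8) | data[1], 2
    else:                                   # 3-byte record header
        rec_len, off = ((data[0] & 0x3F) << 8) | data[1], 3
    body = data[off:off + rec_len]
    if len(body) < 9 or len(body) != rec_len or body[0] != 1:  # 1 = CLIENT-HELLO
        return None
    version, spec_len, sid_len, chal_len = struct.unpack(">HHHH", body[1:9])
    # The declared field lengths must account for the whole record.
    if spec_len % 3 or 9 + spec_len + sid_len + chal_len != rec_len:
        return {"malformed": True, "version": version}
    specs = [int.from_bytes(body[9 + i:12 + i], "big") for i in range(0, spec_len, 3)]
    # A non-zero first byte marks an SSL v2 cipher kind; 0x00XXYY is an SSL v3/TLS suite.
    v2 = [SSLV2_CIPHER_KINDS.get(s, hex(s)) for s in specs if s >> 16]
    return {"malformed": False, "version": version,
            "pure_sslv2": version == 0x0002, "v2_ciphers": v2}

def build_sample(version, specs):
    """Build a constructed sample hello (not captured traffic)."""
    body = (b"\x01" + struct.pack(">HHHH", version, 3 * len(specs), 0, 16)
            + b"".join(s.to_bytes(3, "big") for s in specs) + bytes(16))
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body

SAMPLE_PURE_V2 = build_sample(0x0002, [0x010080, 0x0700C0])  # SSL v2 only client
SAMPLE_COMPAT = build_sample(0x0301, [0x00002F, 0x010080])   # v2-format hello, TLS 1.0

if __name__ == "__main__":
    for name, raw in (("pure v2", SAMPLE_PURE_V2), ("v2-compatible", SAMPLE_COMPAT)):
        print(name, parse_v2_client_hello(raw))
```

A result with `pure_sslv2` set identifies a client that will stop connecting once SSL v2 is disabled; a v2-format hello with a higher version and `v2_ciphers` present is a client that can negotiate SSL v3 or TLS but still offers SSL v2 cipher suites.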
Acknowledgments: Thanks to Mark Dowd and Internet Security Systems, Inc. for their assistance in addressing this issue.