Guest

Preview Tool

Cisco Bug: CSCuq15944 - NSS security Updates

Last Modified

Jun 09, 2016

Products (1)

  • Cisco Identity Services Engine (ISE) 3300 Series Appliances

Known Affected Releases

1.1(3.100) 1.1(4.100) 1.2(1.199) 1.3(0.718)

Description (partial)

Symptoms:
Cisco Identity Services Engine (ISE) 3300 Series Appliances includes a version of Nestcape Secure Service
(NSS) that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures
(CVE) IDs:

CVE-2013-1740: The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services
(NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof
SSL servers by using an arbitrary X.509 certificate during certain handshake traffic. This has been classified
by the vendor as having a CVSSv2 score of 5.8 (AV:N/AC:M/AU:N/C:P/I:P/A:N)

CVE-2014-1490: Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in
Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and
other products, allows remote attackers to cause a denial of service (use-after-free) or possibly have
unspecified other impact via vectors involving a resumption handshake that triggers incorrect replacement of a
session ticket. This has been classified by the vendor as having a CVSSv2 score of 5.0
(AV:N/AC:L/AU:N/C:N/I:N/A:P)

CVE-2014-1491: Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0,
Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not
properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to
bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value. This has
been classified by the vendor as having a CVSSv2 score of 5.0 (AV:N/AC:L/AU:N/C:N/I:P/A:N)

CVE-2014-1492: The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking
implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is
embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof
SSL servers via a crafted certificate. This has been classified by the vendor as having a CVSSv2 score of 4.3
(AV:N/AC:M/AU:N/C:N/I:P/A:N)

CVE-2014-1544: Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla
Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and
Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger certain
improper removal of an NSSCertificate structure from a trust domain. This has been classified by the vendor as
having a CVSSv2 score of 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.