CVE-2017-7805
Published 2018-06-11
Priority: P337 high · CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 3.15% (86.4th percentile)
During TLS 1.2 exchanges, handshake hashes are generated which point to a message buffer. This saved data is used for later messages but in some cases, the handshake transcript can exceed the space available in the current buffer, causing the allocation of a new buffer. This leaves a pointer pointing to the old, freed buffer, resulting in a use-after-free when handshake hashes are then calculated afterwards. This can result in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.
Affected
27 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | firefox | < firefox 56.0-1 (sid) | firefox 56.0-1 (sid) |
| debian | firefox-esr | < firefox 56.0-1 (sid) | firefox 56.0-1 (sid) |
| debian | nss | < firefox 56.0-1 (sid) | firefox 56.0-1 (sid) |
| debian | thunderbird | < firefox 56.0-1 (sid) | firefox 56.0-1 (sid) |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 56.0+build6-0ubuntu0.14.04.1 | 56.0+build6-0ubuntu0.14.04.1 |
| mozilla | firefox | >= 0 < 56.0+build6-0ubuntu0.14.04.2 | 56.0+build6-0ubuntu0.14.04.2 |
| mozilla | firefox | >= 0 < 56.0+build6-0ubuntu0.16.04.1 | 56.0+build6-0ubuntu0.16.04.1 |
| mozilla | firefox | >= 0 < 56.0+build6-0ubuntu0.16.04.2 | 56.0+build6-0ubuntu0.16.04.2 |
| mozilla | firefox | >= unspecified < 56 | 56 |
| mozilla | firefox_esr | >= unspecified < 52.4 | 52.4 |
| mozilla | nss | >= 0 < 2:3.33-1 | 2:3.33-1 |
| mozilla | nss | >= 0 < 2:3.33-1 | 2:3.33-1 |
| mozilla | nss | >= 0 < 2:3.33-1 | 2:3.33-1 |
| mozilla | nss | >= 0 < 2:3.33-1 | 2:3.33-1 |
| mozilla | thunderbird | — | — |
| mozilla | thunderbird | >= 0 < 1:52.4.0-1 | 1:52.4.0-1 |
| mozilla | thunderbird | >= 0 < 1:52.4.0-1 | 1:52.4.0-1 |
| mozilla | thunderbird | >= 0 < 1:52.4.0-1 | 1:52.4.0-1 |
| mozilla | thunderbird | >= 0 < 1:52.4.0-1 | 1:52.4.0-1 |
| mozilla | thunderbird | >= 0 < 1:52.4.0+build1-0ubuntu0.14.04.2 | 1:52.4.0+build1-0ubuntu0.14.04.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
GHSA-595h-pjc7-9xf6 · ghsa_unreviewed · 2022-05-14 · CVE-2017-7805 [HIGH] CWE-416
OSV
CVE-2017-7805 · osv · 2018-06-11 · CVSS 7.5 [HIGH]
OSV
thunderbird vulnerabilities · osv · 2017-10-11 · CVSS 9.8 · CVE-2017-7793 [CRITICAL]
Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing-like context, an attacker could potentially exploit these to read uninitialized memory, bypass phishing and malware protection, conduct cross-site scripting (XSS) attacks, cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-7793, CVE-2017-7810, CVE-2017-7814, CVE-2017-7818, CVE-2017-7819, CVE-2017-7823, CVE-2017-7824)
Martin Thomson discovered that NSS incorrectly generated handshake hashes. A remote attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-7805)
OSV
firefox regression · osv · 2017-10-04 · CVSS 9.8 · [CRITICAL]
USN-3435-1 fixed vulnerabilities in Firefox. The update caused the Flash plugin to crash in some circumstances. This update fixes the problem. We apologize for the inconvenience.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to read uninitialized memory, obtain sensitive information, bypass phishing and malware protection, spoof the origin in modal dialogs, conduct cross-site scripting (XSS) attacks, cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-7793, CVE-2017-7810, CVE-2017-7811, CVE-2017-7812, CVE-2017-7813, CVE-2017-7814, CVE-2017-7815, CVE-2017-7818, CVE-2017-7819, CVE-2017-7820, CV
OSV
firefox vulnerabilities · osv · 2017-10-02 · CVSS 9.8 · CVE-2017-7793 [CRITICAL]
Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to read uninitialized memory, obtain sensitive information, bypass phishing and malware protection, spoof the origin in modal dialogs, conduct cross-site scripting (XSS) attacks, cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-7793, CVE-2017-7810, CVE-2017-7811, CVE-2017-7812, CVE-2017-7813, CVE-2017-7814, CVE-2017-7815, CVE-2017-7818, CVE-2017-7819, CVE-2017-7820, CVE-2017-7822, CVE-2017-7823, CVE-2017-7824)
Martin Thomson discovered that NSS incorrectly generated handshake hashes. A remote attacker could potentially exploit this to cause a denial of service via app
Ubuntu
Thunderbird vulnerabilities · vendor_ubuntu · 2017-10-11 · CVSS 9.8 · CVE-2017-7793 [CRITICAL]
Summary: Several security issues were fixed in Thunderbird.
Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing-like context, an attacker could potentially exploit these to read uninitialized memory, bypass phishing and malware protection, conduct cross-site scripting (XSS) attacks, cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-7793, CVE-2017-7810, CVE-2017-7814, CVE-2017-7818, CVE-2017-7819, CVE-2017-7823, CVE-2017-7824)
Martin Thomson discovered that NSS incorrectly generated handshake hashes. A remote attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2017
Ubuntu
Firefox regression · vendor_ubuntu · 2017-10-04 · CVSS 9.8 · [CRITICAL]
Summary: USN-3435-1 caused a regression in Firefox.
USN-3435-1 fixed vulnerabilities in Firefox. The update caused the Flash plugin to crash in some circumstances. This update fixes the problem. We apologize for the inconvenience.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to read uninitialized memory, obtain sensitive information, bypass phishing and malware protection, spoof the origin in modal dialogs, conduct cross-site scripting (XSS) attacks, cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-7793, CVE-2017-7810, CVE-2017-7811, CVE-2017-7812, CVE-2017-7813, CVE-2017-7814, CV
Ubuntu
NSS vulnerability · vendor_ubuntu · 2017-10-02 · CVE-2017-7805
Summary: NSS could be made to crash or run programs if it received specially crafted network traffic.
Martin Thomson discovered that NSS incorrectly generated handshake hashes. A remote attacker could use this issue to cause NSS to crash, resulting in a denial of service, or possibly execute arbitrary code.
Instructions: After a standard system update you need to restart any applications that use NSS, such as Evolution and Chromium, to make all the necessary changes.
Ubuntu
Firefox vulnerabilities · vendor_ubuntu · 2017-10-02 · CVSS 9.8 · CVE-2017-7793 [CRITICAL]
Summary: Firefox could be made to crash or run programs as your login if it opened a malicious website.
Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to read uninitialized memory, obtain sensitive information, bypass phishing and malware protection, spoof the origin in modal dialogs, conduct cross-site scripting (XSS) attacks, cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-7793, CVE-2017-7810, CVE-2017-7811, CVE-2017-7812, CVE-2017-7813, CVE-2017-7814, CVE-2017-7815, CVE-2017-7818, CVE-2017-7819, CVE-2017-7820, CVE-2017-7822, CVE-2017-7823, CVE-2017-7824)
Martin Thomson discovered that NSS incorrectly g
Red Hat
nss: Potential use-after-free in TLS 1.2 server when verifying client authentication · vendor_redhat · 2017-09-28 · CVSS 7.5 · CVE-2017-7805 [HIGH] CWE-416
A use-after-free flaw was found in the TLS 1.2 implementation in the NSS library when client authentication was used. A malicious client could use this flaw to caus
Debian
CVE-2017-7805: firefox · vendor_debian · 2017 · CVSS 7.5 [HIGH]
Scope: local
sid: resolved (fixed in 56.0-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-7805 nss: Potential use-after-free in TLS 1.2 server when verifying client authentication [fedora-all] · bugzilla · 2017-09-28 · CVSS 7.5 [HIGH]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue a
Bugzilla
CVE-2017-7805 nss: Potential use-after-free in TLS 1.2 server when verifying client authentication · bugzilla · 2017-07-14 · CVSS 7.5 [HIGH]
Potential use-after-free vulnerability in nss in TLS 1.2 server when verifying client authentication was found.
Upstream bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1377618
Discussion:
Acknowledgments:
Name: the Mozilla project
Upstream: Martin Thomson
---
Upstream commit:
https://hg.mozilla.org/projects/nss/rev/839200ce0943166a079284bdf45dcc37bb672925
---
Public now via upstream advisories:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/
---
Created nss tracking bugs for this issue:
Affects: fedora-all [bug 1496926]
---
This issue has been addressed in the following products:
Red Hat Enterpr
Bugzilla
Potential UAF in TLS 1.2 server when verifying client authentication · bugzilla · 2017-07-01 · [MEDIUM]
Created attachment 8882762
use length only, not a pointer
This is a regression caused by Bug 1179338, but I only noticed it when I made some changes to the sslBuffer functions.
In TLS 1.2, handshake hashes are calculated at the time they are needed. The handshake hashes are tweaked to include a pointer to the message buffer in the field pointer_to_hash_input:
https://searchfox.org/nss/rev/b5e2bb64574eefa20a9143d908bd4e09a125070e/lib/ssl/ssl3con.c#11668
This is necessary because the hashes need to cover the previous handshake message, but not the current message. Later in the same function, the saved transcript is updated with the current message. ssl3_UpdateHandshakeHashes() is called to add the current handshake mes
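The attachment title above, "use length only, not a pointer", names the fix. As an added illustration (not NSS code), the C below models the pattern with a hypothetical growable transcript buffer: a raw pointer saved before a reallocating append would dangle, so the hash input is recorded as a length and the pointer is derived only at hash time; the struct, the FNV-1a stand-in hash and the sample messages are all constructed here.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable transcript buffer, a stand-in for the idea of
 * NSS's sslBuffer (not its real definition). grows counts reallocations. */
typedef struct {
    uint8_t *buf;
    size_t len, space, grows;
} transcript_t;

/* Append a handshake message, growing the block when it runs out of room.
 * realloc may move the block, so a raw pointer taken into buf before this
 * call is dangling afterwards: that is the bug CVE-2017-7805 describes. */
static int transcript_append(transcript_t *t, const uint8_t *msg, size_t n) {
    if (t->len + n > t->space) {
        size_t want = t->space ? t->space * 2 : 16;
        while (want < t->len + n) want *= 2;
        uint8_t *nb = realloc(t->buf, want);
        if (!nb) return -1;
        t->buf = nb;
        t->space = want;
        t->grows++;
    }
    memcpy(t->buf + t->len, msg, n);
    t->len += n;
    return 0;
}

/* Toy stand-in for a handshake hash (FNV-1a), not a real TLS hash. */
static uint32_t toy_hash(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Fixed pattern: when the hash must cover the previous messages but not
 * the current one, remember only the transcript LENGTH at that point,
 * append the current message (which may reallocate), and derive
 * buf + length when the hash is actually taken. Saving buf as a pointer
 * at the same point instead would be the use-after-free. */
static uint32_t hash_prev_then_append(transcript_t *t, const uint8_t *prev,
                                      size_t np, const uint8_t *cur, size_t nc) {
    if (transcript_append(t, prev, np) != 0) return 0;
    size_t hash_input_len = t->len;            /* length only, not a pointer */
    if (transcript_append(t, cur, nc) != 0) return 0;
    return toy_hash(t->buf, hash_input_len);   /* pointer recomputed after growth */
}
```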
References
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/101059
http://www.securitytracker.com/id/1039465
https://access.redhat.com/errata/RHSA-2017:2832
https://bugzilla.mozilla.org/show_bug.cgi?id=1377618
https://lists.debian.org/debian-lts-announce/2017/11/msg00000.html
https://security.gentoo.org/glsa/201803-14
https://www.debian.org/security/2017/dsa-3987
https://www.debian.org/security/2017/dsa-3998
https://www.debian.org/security/2017/dsa-4014
https://www.mozilla.org/security/advisories/mfsa2017-21/
https://www.mozilla.org/security/advisories/mfsa2017-22/
https://www.mozilla.org/security/advisories/mfsa2017-23/