CVE-2018-12384

CWE-335 · 12 documents · 8 sources
Severity: 5.9 MEDIUM
EPSS: 0.6% (top 29.91%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 29; Latest update May 24

Description

When handling an SSLv2-compatible ClientHello request, the server does not generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.
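The observable symptom of this bug is a ServerHello whose 32-byte random field is entirely zero. The following check, added here as an illustration and not taken from NSS or any of the advisories above, parses a TLS handshake record, extracts ServerHello.random and flags the all-zero case; the sample records are constructed inline, not captured traffic.

```python
import struct

HANDSHAKE = 22          # TLS record content type
SERVER_HELLO = 2        # HandshakeType server_hello


def parse_server_hello_random(record: bytes) -> bytes:
    """Return the 32-byte random field from a TLS record carrying a ServerHello."""
    if len(record) < 5:
        raise ValueError("record too short for a TLS record header")
    content_type = record[0]
    (rec_len,) = struct.unpack("!H", record[3:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    # ServerHello: legacy_version(2) | random(32) | session_id | ...
    if len(hs) < 2 + 32:
        raise ValueError("truncated ServerHello")
    return hs[2:34]


def server_hello_random_is_zero(record: bytes) -> bool:
    """True when the server echoed the all-zero random described in CVE-2018-12384."""
    return parse_server_hello_random(record) == bytes(32)


def build_server_hello(random: bytes) -> bytes:
    """Constructed minimal TLS 1.2 ServerHello record (hypothetical, for testing only)."""
    assert len(random) == 32
    # legacy_version 0x0303, random, empty session_id, one cipher suite, null compression
    hs_body = b"\x03\x03" + random + b"\x00" + b"\xc0\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(hs_body).to_bytes(3, "big") + hs_body
    return bytes([HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: one vulnerable-looking reply, one with a fresh random.
ZERO_RANDOM_HELLO = build_server_hello(bytes(32))
FRESH_RANDOM_HELLO = build_server_hello(bytes(range(32)))

if __name__ == "__main__":
    print("zero random:", server_hello_random_is_zero(ZERO_RANDOM_HELLO))    # True
    print("fresh random:", server_hello_random_is_zero(FRESH_RANDOM_HELLO))  # False
```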

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (Exploitability: 2.2 | Impact: 3.6)

Affected Packages (4 packages)

Debian: nss < 2:3.39-1+3
Ubuntu: nss < 2:3.28.4-0ubuntu0.14.04.4+2
CVEListV5: nss / network_security_services_(nss): All versions prior to NSS 3.39

🔴 Vulnerability Details (5)

GHSA: GHSA-rg3c-6wcj-37gm: When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead (2022-05-24)
OSV: jackson-databind vulnerabilities (2021-03-15)
OSV: CVE-2018-12384: When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead (2019-04-29)
CVEList: CVE-2018-12384: When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead (2019-04-29)
OSV: nss vulnerabilities (2019-01-09)

📋 Vendor Advisories (4)

Ubuntu: NSS vulnerabilities (2019-02-18)
Ubuntu: NSS vulnerabilities (2019-01-09)
Red Hat: nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello (2018-09-03)
Debian: CVE-2018-12384: nss - When handling a SSLv2-compatible ClientHello request, the server doesn't generat... (2018)

💬 Community (2)

Bugzilla: CVE-2018-12384 nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello [fedora-all] (2018-09-03)
Bugzilla: CVE-2018-12384 nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello (2018-08-24)