CVE-2019-17023
Published 2020-01-08
CVE-2019-17023: After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State…
Priority: P427 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS: 1.34% (67.9th percentile)
After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.
Affected (18 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | firefox | < firefox 72.0-1 (sid) | firefox 72.0-1 (sid) |
| debian | nss | < firefox 72.0-1 (sid) | firefox 72.0-1 (sid) |
| mozilla | firefox | < 72.0 | 72.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | nss | >= 0 < 2:3.49-1 | 2:3.49-1 |
| mozilla | nss | >= 0 < 2:3.49-1 | 2:3.49-1 |
| mozilla | nss | >= 0 < 2:3.49-1 | 2:3.49-1 |
| mozilla | nss | >= 0 < 2:3.49-1 | 2:3.49-1 |
| mozilla | nss | >= 0 < 2:3.28.4-0ubuntu0.16.04.11 | 2:3.28.4-0ubuntu0.16.04.11 |
| mozilla | nss | >= 0 < 2:3.35-2ubuntu2.8 | 2:3.35-2ubuntu2.8 |
| mozilla | nss | >= 0 < 2:3.49.1-1ubuntu1.1 | 2:3.49.1-1ubuntu1.1 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |
| vendor_ubuntu | — | 6.5 | MEDIUM | — |
Ubuntu
NSS vulnerabilities
vendor_ubuntu·2020-06-16·CVSS 6.5
CVE-2019-17023 [MEDIUM] NSS vulnerabilities
Title: NSS vulnerabilities
Summary: Several security issues were fixed in NSS.
It was discovered that NSS incorrectly handled the TLS State Machine. A remote attacker could possibly use this issue to cause NSS to hang, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.10. (CVE-2019-17023)
Cesar Pereida Garcia discovered that NSS incorrectly handled DSA key generation. A local attacker could possibly use this issue to perform a timing attack and recover DSA keys. (CVE-2020-12399)
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2020-01-09
CVE-2019-17016 Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it opened a malicious website.
Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass Content Security Policy (CSP) restrictions, conduct cross-site scripting (XSS) attacks, or execute arbitrary code.
Instructions: After a standard system update you need to restart Firefox to make all the necessary changes.
Red Hat
nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state
vendor_redhat·2020-01-08·CVSS 6.5
CVE-2019-17023 [MEDIUM] nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state
nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state
After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.
A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored.
Statement: This flaw causes the client to hang when there is a downgrade attempt. Therefore no actual
Debian
CVE-2019-17023: firefox - After a HelloRetryRequest has been sent, the client may negotiate a lower protoc...
vendor_debian·2019·CVSS 6.5
CVE-2019-17023 [MEDIUM] CVE-2019-17023: firefox - After a HelloRetryRequest has been sent, the client may negotiate a lower protoc...
After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.
Scope: local
sid: resolved (fixed in 72.0-1)
Mozilla
Mozilla Foundation Security Advisory 2020-01: CVE-2019-17023
vendor_mozilla·CVSS 6.5
CVE-2019-17023 [MEDIUM] Mozilla Foundation Security Advisory 2020-01: CVE-2019-17023
Mozilla Foundation Security Advisory 2020-01
CVE: CVE-2019-17023
Product: Firefox
Impact: high
Fixed in: Firefox 72
GHSA
GHSA-86rq-87v9-7ppc: After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1
ghsa_unreviewed·2022-05-24
CVE-2019-17023 [MEDIUM] CWE-287 GHSA-86rq-87v9-7ppc: After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1
After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.
OSV
nss vulnerabilities
osv·2020-06-16·CVSS 6.5
CVE-2019-17023 [MEDIUM] nss vulnerabilities
nss vulnerabilities
It was discovered that NSS incorrectly handled the TLS State Machine. A remote attacker could possibly use this issue to cause NSS to hang, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.10. (CVE-2019-17023)
Cesar Pereida Garcia discovered that NSS incorrectly handled DSA key generation. A local attacker could possibly use this issue to perform a timing attack and recover DSA keys. (CVE-2020-12399)
OSV
CVE-2019-17023: After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1
osv·2020-01-08·CVSS 6.5
CVE-2019-17023 [MEDIUM] CVE-2019-17023: After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1
After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.
No detection rules found.
No public exploits indexed.
References:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1590001
- https://usn.ubuntu.com/4234-1/
- https://usn.ubuntu.com/4397-1/
- https://www.debian.org/security/2020/dsa-4726
- https://www.mozilla.org/security/advisories/mfsa2020-01/
Published: 2020-01-08