CVE-2020-12400
Published 2020-10-08
Priority: P418 · medium · CVSS 3.1 base score 4.7
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.27% (18.4th percentile)
When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80.
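The mechanism behind this advisory, as an added worked example (this is not NSS code, and the page does not reproduce the affected routine): the last step of scalar multiplication converts the projective point (X:Y:Z) for k*G to affine by computing Z^-1 mod p, so the value being inverted is a function of the ECDSA nonce k. A binary extended Euclidean inversion takes a number of steps that depends on the bits of its input, which is the timing channel described above. The block contrasts that routine with a fixed-schedule Fermat inversion and with blinding the input before a variable-time inversion, over the real P-384 and P-521 field primes from FIPS 186-4, and includes a simple input-independence check. The inversion algorithms are textbook, the `steps` counters are hypothetical instrumentation standing in for wall-clock timing, and Python big-integer arithmetic is itself not constant time; what the example demonstrates is the algorithmic schedule that a constant-time C or assembly implementation then realises.

```python
# Added illustration for CVE-2020-12400: why a variable-time modular inversion on
# the projective-to-affine path leaks, and two standard ways to close the leak.
# Not NSS code. The routines are textbook algorithms; the `steps` counters are
# hypothetical instrumentation standing in for wall-clock timing.
import secrets

# NIST field primes from FIPS 186-4 (the two curves named in the advisory).
P384 = 2**384 - 2**128 - 2**96 + 2**32 - 1
P521 = 2**521 - 1


def inv_binary_euclid(a, p):
    """Binary extended Euclidean inversion: a^-1 mod p, VARIABLE time.

    Returns (inverse, steps). Which loops and branches run, and how often,
    is decided by the bit pattern of `a`, so the step count leaks information
    about the value being inverted. In projective-to-affine conversion that
    value is the Z coordinate of k*G, a function of the ECDSA nonce k.
    """
    a %= p
    if a == 0:
        raise ValueError("0 has no inverse")
    u, v, x1, x2, steps = a, p, 1, 0, 0
    while u != 1 and v != 1:
        while u % 2 == 0:                      # data-dependent loop
            u //= 2
            x1 = x1 // 2 if x1 % 2 == 0 else (x1 + p) // 2
            steps += 1
        while v % 2 == 0:                      # data-dependent loop
            v //= 2
            x2 = x2 // 2 if x2 % 2 == 0 else (x2 + p) // 2
            steps += 1
        if u >= v:                             # data-dependent branch
            u, x1 = u - v, x1 - x2
        else:
            v, x2 = v - u, x2 - x1
        steps += 1
    return (x1 if u == 1 else x2) % p, steps


def inv_fermat_ladder(a, p):
    """Inversion as a^(p-2) mod p with a fixed left-to-right schedule.

    Every bit of the public exponent p-2 costs one squaring and one
    multiplication; the product is kept or dropped by an arithmetic select,
    not a branch, so the schedule depends only on p, never on `a`.
    (Python big-int arithmetic is not itself constant time; the property
    shown is the fixed operation schedule a C/assembly version builds on.)
    """
    a %= p
    e = p - 2
    r, steps = 1, 0
    for i in range(e.bit_length() - 1, -1, -1):
        r = r * r % p
        t = r * a % p
        bit = (e >> i) & 1
        r = r * (1 - bit) + t * bit             # branch-free select
        steps += 2
    return r, steps


def inv_blinded(a, p, inv=inv_binary_euclid):
    """Blinding: invert a*r for a fresh random r, then multiply by r.

    (a*r)^-1 * r == a^-1, but the variable-time routine only ever sees a*r,
    which is uniformly random and independent of `a`, so its timing carries
    no information about the nonce.
    """
    r = 1 + secrets.randbelow(p - 1)
    ar_inv, steps = inv(a * r % p, p)
    return ar_inv * r % p, steps


def step_spread(inv, p, samples=64):
    """Input-independence check: run `inv` on random field elements and return
    (min, max) step counts. A leaky routine shows a spread; a fixed-schedule
    routine returns a single value. With real timings and a statistical test,
    this is what tools such as dudect automate."""
    counts = set()
    for _ in range(samples):
        a = 1 + secrets.randbelow(p - 1)
        r, steps = inv(a, p)
        assert r * a % p == 1                  # every sample must be correct
        counts.add(steps)
    return min(counts), max(counts)


if __name__ == "__main__":
    for name, p in (("P-384", P384), ("P-521", P521)):
        print(name, "binary Euclid steps (min, max):", step_spread(inv_binary_euclid, p))
        print(name, "Fermat ladder steps (min, max):", step_spread(inv_fermat_ladder, p))
```

Running the block prints a visible spread for the Euclidean routine and a single constant (twice the bit length of p-2) for the ladder. Blinding is the cheaper fix when a variable-time inversion cannot be replaced immediately; a fixed-schedule inversion is the durable one, and either way the signing path should be re-checked with an input-independence test rather than by code review alone.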
Affected (20 ranges indexed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 80.0-1 (sid) | firefox 80.0-1 (sid) |
| debian | nss | < firefox 80.0-1 (sid) | firefox 80.0-1 (sid) |
| mozilla | firefox | < 80.0 | 80.0 |
| mozilla | firefox | >= 0 < 80.0+build2-0ubuntu0.16.04.1 | 80.0+build2-0ubuntu0.16.04.1 |
| mozilla | firefox | >= 0 < 80.0.1+build1-0ubuntu0.16.04.1 | 80.0.1+build1-0ubuntu0.16.04.1 |
| mozilla | firefox | >= 0 < 80.0+build2-0ubuntu0.18.04.1 | 80.0+build2-0ubuntu0.18.04.1 |
| mozilla | firefox | >= 0 < 80.0.1+build1-0ubuntu0.18.04.1 | 80.0.1+build1-0ubuntu0.18.04.1 |
| mozilla | firefox | >= 0 < 80.0+build2-0ubuntu0.20.04.1 | 80.0+build2-0ubuntu0.20.04.1 |
| mozilla | firefox | >= 0 < 80.0.1+build1-0ubuntu0.20.04.1 | 80.0.1+build1-0ubuntu0.20.04.1 |
| mozilla | firefox | >= unspecified < 80 | 80 |
| mozilla | firefox_for_android | >= unspecified < 80 | 80 |
| mozilla | nss | >= 0 < 2:3.55-1 | 2:3.55-1 |
| mozilla | nss | >= 0 < 2:3.28.4-0ubuntu0.16.04.13 | 2:3.28.4-0ubuntu0.16.04.13 |
| mozilla | nss | >= 0 < 2:3.35-2ubuntu2.11 | 2:3.35-2ubuntu2.11 |
| mozilla | nss | >= 0 < 2:3.49.1-1ubuntu1.4 | 2:3.49.1-1ubuntu1.4 |
| mozilla | nss | >= 0 < 2:3.28.4-0ubuntu0.14.04.5+esm7 | 2:3.28.4-0ubuntu0.14.04.5+esm7 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.7 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 1.2 | LOW | AV:L/AC:H/Au:N/C:P/I:N/A:N |
| osv | | 4.7 | MEDIUM | |
| vendor_debian | | 4.7 | MEDIUM | |
| vendor_redhat | | 4.7 | MEDIUM | |
| vendor_ubuntu | | 4.7 | MEDIUM | |
GHSA
GHSA-38vr-4p57-8h9g · ghsa_unreviewed · 2022-05-24 · CVE-2020-12400 [MEDIUM] · CWE-200
When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80.
OSV
CVE-2020-12400 · osv · 2020-10-08 · CVSS 4.7 [MEDIUM]
When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80.
OSV
firefox regressions · osv · 2020-09-03 · CVSS 4.7 [MEDIUM]
USN-4474-1 fixed vulnerabilities in Firefox. The update introduced various
minor regressions. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, trick the user
into installing a malicious extension, spoof the URL bar, leak sensitive
information between origins, or execute arbitrary code. (CVE-2020-15664,
CVE-2020-15665, CVE-2020-15666, CVE-2020-15670)
It was discovered that NSS incorrectly handled certain signatures.
An attacker could possibly use this issue to expose sensitive information.
(CVE-2020-12400, CVE-2020-12401, CVE-2020-
OSV
firefox vulnerabilities · osv · 2020-08-26 · CVSS 4.7 · CVE-2020-15664 [MEDIUM]
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, trick the user
into installing a malicious extension, spoof the URL bar, leak sensitive
information between origins, or execute arbitrary code. (CVE-2020-15664,
CVE-2020-15665, CVE-2020-15666, CVE-2020-15670)
It was discovered that NSS incorrectly handled certain signatures.
An attacker could possibly use this issue to expose sensitive information.
(CVE-2020-12400, CVE-2020-12401, CVE-2020-6829)
A data race was discovered when importing certificate information into
the trust store. An attacker could potentially exploit this to cause an
unspecified impact. (CVE-2020-15668)
OSV
nss vulnerabilities · osv · 2020-08-10 · CVSS 4.7 · CVE-2020-12400 [MEDIUM]
It was discovered that NSS incorrectly handled certain signatures.
An attacker could possibly use this issue to expose sensitive information.
(CVE-2020-12400, CVE-2020-12401, CVE-2020-6829)
Ubuntu
Firefox regressions · vendor_ubuntu · 2020-09-03 · CVSS 4.7 [MEDIUM]
Title: Firefox regressions
Summary: USN-4474-1 caused some minor regressions in Firefox.
USN-4474-1 fixed vulnerabilities in Firefox. The update introduced various
minor regressions. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, trick the user
into installing a malicious extension, spoof the URL bar, leak sensitive
information between origins, or execute arbitrary code. (CVE-2020-15664,
CVE-2020-15665, CVE-2020-15666, CVE-2020-15670)
It was discovered that NSS incorrectly handled certain signatures.
An attacker could possibly use this issue to ex
Ubuntu
Firefox vulnerabilities · vendor_ubuntu · 2020-08-26 · CVSS 4.7 · CVE-2020-15666 [MEDIUM]
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, trick the user
into installing a malicious extension, spoof the URL bar, leak sensitive
information between origins, or execute arbitrary code. (CVE-2020-15664,
CVE-2020-15665, CVE-2020-15666, CVE-2020-15670)
It was discovered that NSS incorrectly handled certain signatures.
An attacker could possibly use this issue to expose sensitive information.
(CVE-2020-12400, CVE-2020-12401, CVE-2020-6829)
A data race was discovered when importing certificate information in
Ubuntu
NSS vulnerabilities · vendor_ubuntu · 2020-08-10 · CVSS 4.7 · CVE-2020-12400 [MEDIUM]
Title: NSS vulnerabilities
Summary: Several security issues were fixed in NSS.
It was discovered that NSS incorrectly handled certain signatures.
An attacker could possibly use this issue to expose sensitive information.
(CVE-2020-12400, CVE-2020-12401, CVE-2020-6829)
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
Red Hat
nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function · vendor_redhat · 2020-07-28 · CVSS 4.7 · CVE-2020-12400 [MEDIUM] · CWE-327
When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80.
A side-channel flaw was found in NSS in the way the P-384 and P-521 curves are used in the generation of ECDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
Statement: This is a side-channel attack that can be used to extract private keys when ECDSA signatures are being generated. Th
Debian
CVE-2020-12400: firefox · vendor_debian · 2020 · CVSS 4.7 [MEDIUM]
When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80.
Scope: local
sid: resolved (fixed in 80.0-1)
Mozilla
Mozilla Foundation Security Advisory 2020-39 · vendor_mozilla · CVSS 4.7 · CVE-2020-12400 [MEDIUM]
CVE: CVE-2020-12400
Product: Firefox for Android
Impact: high
Fixed in: Firefox for Android 80
Mozilla
Mozilla Foundation Security Advisory 2020-36 · vendor_mozilla · CVSS 4.7 · CVE-2020-12400 [MEDIUM]
CVE: CVE-2020-12400
Product: Firefox
Impact: high
Fixed in: Firefox 80
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-12400 nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function [fedora-all] · bugzilla · 2020-07-31 · CVSS 4.7 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: th
Bugzilla
CVE-2020-12400 nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function · bugzilla · 2020-07-06 · CVSS 4.7 [MEDIUM]
As per the researcher:
During our analysis of several cryptographic libraries we focused on NIST curve P-256 code paths and have found that your library is potentially vulnerable because the projective to affine coordinates conversion uses a side-channel vulnerable modular inversion function.
Discussion:
Acknowledgments:
Name: the Mozilla Project
Upstream: Cesar Pereida Garcia and the Network and Information Security Group (NISEC)
---
This issue is related to CVE-2020-6829 and is resolved in the same commit at:
https://hg.mozilla.org/projects/nss/rev/e55ab3145546ae3cf1333b43956a974675d2d25c
https://hg.mozilla.org/projects/nss/rev/3f022d5eca5d3cd0e366a825a5681953d76299d0
---
Bugzilla
CVE-2020-6829 nss: Side channel attack on ECDSA signature generation · bugzilla · 2020-04-21 · CVSS 4.7 [MEDIUM]
Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while nss-certutil tool performs scalar multiplication during the ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key.
Discussion:
OpenShift 4.x only packages nss-altfiles and has been confirmed to *not* share any of the vulnerable signature code:
- nss-altfiles only reads information from files in the same format as /etc/passwd and /etc/group.
---
Acknowledgments:
Name: the Mozilla Project
Upstream: Cesar Pereida (Network and Information Security Group (NISEC), Billy Bob Brumley (Network and Infor
Bugzilla
P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function · bugzilla · 2020-03-17
Mail to security@ from Alejandro Cabrera Aldaya:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
We recently dug into how the EC projective coordinates attack proposed in [1] could affect NSS.
The attack in [1] aims at recovering some bits of the scalar starting from the projective representation
of a scalar multiplication output point.
Schemes like ECDSA are very sensitive to scalar leaks, therefore the attack in [1] can thwart the security of an implementation if the attacker knows the projective representation of the product kG in ECDSA.
The success rate of the attack proposed in [1] depends on several factors such as:
* Elliptic curve form (Weierstrass, Montgomery, etc.)
* The
References
https://bugzilla.mozilla.org/show_bug.cgi?id=1623116
https://lists.debian.org/debian-lts-announce/2023/02/msg00021.html
https://www.mozilla.org/security/advisories/mfsa2020-36/
https://www.mozilla.org/security/advisories/mfsa2020-39/