CVE-2020-12413 — Observable Discrepancy in Mozilla Firefox

CWE-203 — Observable Discrepancy CWE-385 — Covert Timing Channel CWE-200 — Sensitive Information Exposure9 documents7 sources

Severity

5.9MEDIUMNVD

EPSS

0.3%

top 49.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla NSS

Timeline

PublishedFeb 16

Latest updateFeb 17

Description

The Raccoon attack is a timing attack on DHE ciphersuites inherit in the TLS specification. To mitigate this vulnerability, Firefox disabled support for DHE ciphersuites.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5mozilla/firefoxunspecified — 78

▶NVDmozilla/firefox< 78.0

▶CVEListV5mozilla/firefox_esrunspecified — 68.10

▶NVDmozilla/firefox_esr< 68.10.0

▶Debianmozilla/nss< 2:3.17-1+3

🔴Vulnerability Details

GHSA

GHSA-4mgq-9qgw-ghcx: The Raccoon attack is a timing attack on DHE ciphersuites inherit in the TLS specification↗2023-02-17

▶

OSV

CVE-2020-12413: The Raccoon attack is a timing attack on DHE ciphersuites inherit in the TLS specification↗2023-02-16

▶

CVEList

CVE-2020-12413: The Raccoon attack is a timing attack on DHE ciphersuites inherit in the TLS specification↗2023-02-16

▶

📋Vendor Advisories

Red Hat

nss: Information exposure when DH secret are reused across multiple TLS connections↗2020-09-09

▶

Debian

CVE-2020-12413: nss - The Raccoon attack is a timing attack on DHE ciphersuites inherit in the TLS spe...↗2020

▶

💬Community

Bugzilla

CVE-2020-12413 nss: Information exposure when DH secret are reused across multiple TLS connections↗2020-09-09

▶

Bugzilla

CVE-2020-12413 nss: Information exposure when DH secret are reused across multiple TLS connections [fedora-all]↗2020-09-09

▶

Bugzilla

Raccoon Attack (TLS specification timing side-channel)↗2020-05-29

▶