CVE-2015-7575 Information
Description
Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Reference
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00038.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00041.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00042.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00043.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00044.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00045.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00047.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00048.html
http://lists.opensuse.org/opensuse-updates/2015-12/msg00139.html
http://lists.opensuse.org/opensuse-updates/2016-01/msg00005.html
http://lists.opensuse.org/opensuse-updates/2016-01/msg00058.html
http://lists.opensuse.org/opensuse-updates/2016-01/msg00059.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00007.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00008.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00101.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00166.html
http://rhn.redhat.com/errata/RHSA-2016-0049.html
http://rhn.redhat.com/errata/RHSA-2016-0050.html
http://rhn.redhat.com/errata/RHSA-2016-0053.html
http://rhn.redhat.com/errata/RHSA-2016-0054.html
http://rhn.redhat.com/errata/RHSA-2016-0055.html
http://rhn.redhat.com/errata/RHSA-2016-0056.html
http://www.debian.org/security/2016/dsa-3436
http://www.debian.org/security/2016/dsa-3437
http://www.debian.org/security/2016/dsa-3457
http://www.debian.org/security/2016/dsa-3458
http://www.debian.org/security/2016/dsa-3465
http://www.debian.org/security/2016/dsa-3491
http://www.debian.org/security/2016/dsa-3688
http://www.mozilla.org/security/announce/2015/mfsa2015-150.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
http://www.securityfocus.com/bid/79684
http://www.securityfocus.com/bid/91787
http://www.securitytracker.com/id/1034541
http://www.securitytracker.com/id/1036467
http://www.ubuntu.com/usn/USN-2863-1
http://www.ubuntu.com/usn/USN-2864-1
http://www.ubuntu.com/usn/USN-2865-1
http://www.ubuntu.com/usn/USN-2866-1
http://www.ubuntu.com/usn/USN-2884-1
http://www.ubuntu.com/usn/USN-2904-1
https://access.redhat.com/errata/RHSA-2016:1430
https://bugzilla.mozilla.org/show_bug.cgi?id=1158489
https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.20.2_release_notes
https://security.gentoo.org/glsa/201701-46
https://security.gentoo.org/glsa/201706-18
https://security.gentoo.org/glsa/201801-15
https://security.netapp.com/advisory/ntap-20160225-0001/
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
Base Score
5.9
Base Severity
MEDIUM