CVE-2015-2721
Last modified
CVE-2015-2721 is a vulnerability of currently unknown severity. Mozilla Network Security Services (NSS) before 3.19, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, Thunderbird before 38.1, and other products, does not properly determine state transitions for the TLS state machine, which allows man-in-the-middle attackers to defeat cryptographic protection mechanisms by blocking messages, as demonstrated by removing a forward-secrecy property by blocking a ServerKeyExchange message, aka a "SMACK SKIP-TLS" issue.. EPSS estimates a 3.28% chance of exploitation in the next 30 days.
Description
Mozilla Network Security Services (NSS) before 3.19, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, Thunderbird before 38.1, and other products, does not properly determine state transitions for the TLS state machine, which allows man-in-the-middle attackers to defeat cryptographic protection mechanisms by blocking messages, as demonstrated by removing a forward-secrecy property by blocking a ServerKeyExchange message, aka a "SMACK SKIP-TLS" issue.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Novell | Suse Linux Enterprise Software Development Kit | 12.0 | — |
| Canonical | Ubuntu Linux | 12.04 | — |
| Canonical | Ubuntu Linux | 14.04 | — |
| Canonical | Ubuntu Linux | 14.10 | — |
| Canonical | Ubuntu Linux | 15.04 | — |
| Debian | Debian Linux | 7.0 | — |
| Debian | Debian Linux | 8.0 | — |
| Novell | Suse Linux Enterprise Desktop | 12.0 | — |
| Novell | Suse Linux Enterprise Server | 11 | Sp4 |
| Novell | Suse Linux Enterprise Server | 12.0 | — |
| Mozilla | Network Security Services | 3.19 | — |
| Oracle | Solaris | 11.3 | — |
| Oracle | Vm Server | 3.2 | — |
References
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00033.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00034.htmlThird Party Advisory
- http://www.debian.org/security/2015/dsa-3324Third Party Advisory
- http://www.debian.org/security/2015/dsa-3336Third Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.htmlThird Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.htmlThird Party Advisory
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.htmlThird Party Advisory
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.htmlThird Party Advisory
- http://www.securityfocus.com/bid/91787Third Party Advisory
- http://www.ubuntu.com/usn/USN-2673-1Third Party Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=1086145Exploit, Issue Tracking, VDB Entry, Vendor Advisory
- https://smacktls.comTechnical Description
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00033.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00034.htmlThird Party Advisory
- http://www.debian.org/security/2015/dsa-3324Third Party Advisory
- http://www.debian.org/security/2015/dsa-3336Third Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.htmlThird Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.htmlThird Party Advisory
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.htmlThird Party Advisory
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.htmlThird Party Advisory
- http://www.securityfocus.com/bid/91787Third Party Advisory
- http://www.ubuntu.com/usn/USN-2673-1Third Party Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=1086145Exploit, Issue Tracking, VDB Entry, Vendor Advisory
- https://smacktls.comTechnical Description
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2015-2721?
How severe is CVE-2015-2721?
How do I fix CVE-2015-2721?
Are you affected by CVE-2015-2721?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST