History: Feb 18, 2023 - 1:45 a.m.

Security Bulletin: Six (6) Vulnerabilities in Network Security Services (NSS) & Netscape Portable Runtime (NSPR) affect IBM FlashSystem 840 and V840 (CVE-2013-1740, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492, CVE-2014-1544, CVE-2014-1545)

2023-02-18 01:45:50
www.ibm.com

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.106 Low
Percentile: 95.0%

Summary

NSS & NSPR vulnerabilities affect the IBM FlashSystem 840 and V840 products. These vulnerabilities could allow a remote attacker to execute arbitrary code on the system, obtain sensitive information, or cause a denial of service.

Vulnerability Details

1. CVE-ID: CVE-2013-1740

DESCRIPTION: Mozilla Network Security Services could allow a remote attacker to obtain sensitive information, caused by an error in the ssl_Do1stHandshake() function. An attacker could exploit this vulnerability to return unencrypted, unauthenticated data from PR_Recv.
Affected Versions: Mozilla Network Security Services (NSS) before 3.15.4
CVSS Base Score: 5.8 / 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90394 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

--------------------------------------------------------------
2. CVE-ID: CVE-2014-1490

DESCRIPTION: Mozilla Firefox, Thunderbird and SeaMonkey, using the Mozilla Network Security Services (NSS) library, could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in libssl's session ticket processing. An attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges.
Affected Versions: Mozilla Network Security Services (NSS) before 3.15.4
CVSS Base Score: 5 / 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90885 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

--------------------------------------------------------------
3. CVE-ID: CVE-2014-1491

DESCRIPTION: An unspecified error in Mozilla Firefox, Thunderbird and SeaMonkey using the Mozilla Network Security Services (NSS) library has an unknown impact and attack vector.
Affected Versions: Mozilla Network Security Services (NSS) before 3.15.4
CVSS Base Score: 5 / 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90886 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

--------------------------------------------------------------
4. CVE-ID: CVE-2014-1492

DESCRIPTION: An unspecified error in Mozilla Network Security Services (NSS) related to the processing of wildcard characters embedded within the U-label of an internationalized domain name in a wildcard certificate has an unknown impact and remote attack vector.
CVSS Base Score: 4.3 / 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91988 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

--------------------------------------------------------------
5. CVE-ID: CVE-2014-1544

DESCRIPTION: Mozilla Firefox and Thunderbird could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free error in the PK11_ImportCert() function when adding NSSCertificate structures. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
Affected Versions: NSS 3.x used in Firefox before 31.0, and Firefox ESR 24.x before 24.7
CVSS Base Score: 10.0 / 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94775 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

--------------------------------------------------------------
6. CVE-ID: CVE-2014-1545

DESCRIPTION: Mozilla Netscape Portable Runtime (NSPR) could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write error in the sprintf and console functions. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
Affected Versions: Mozilla Netscape Portable Runtime (NSPR) before 4.10.6
CVSS Base Score: 10.0 / 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93715 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Affected Products and Versions

IBM FlashSystem 840:
Machine Type 9840, model -AE1 (all supported releases before 1.1.2.7)
Machine Type 9843, model -AE1 (all supported releases before 1.1.2.7)

IBM FlashSystem V840:
Machine Type 9846, model -AE1 (all supported releases before 1.1.2.7)
Machine Type 9848, model -AE1 (all supported releases before 1.1.2.7)
Machine Type 9846, models -AC0, & -AC1 (all supported releases before 7.3.0.7)
Machine Type 9848, models -AC0, & -AC1 (all supported releases before 7.3.0.7)

Remediation/Fixes

IBM recommends that you promptly fix this vulnerability by upgrading affected versions of IBM FlashSystem 840 and V840 systems to the following code level or higher:

for 840 & V840 machine types 9840, 9846, & 9848, -AE1 models: 1.1.2.7
for V840 machine types 9846 & 9848, -AC0 & -AC1 models: 7.3.0.7

In addition, IBM recommends that you review your entire environment to identify vulnerable releases of NSS & NSPR in other products and versions (e.g. non-IBM), including your operating systems, and take appropriate mitigation and remediation actions. Please contact your operating system provider for more information.
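
Added example (not IBM code): one way to run the environment review described above against an asset inventory, flagging anything below the fixed levels this bulletin states. The component labels, host names and inventory rows are constructed for illustration; the bulletin gives no NSS version threshold for CVE-2014-1492 or CVE-2014-1544, so those are only mapped to the FlashSystem code levels.

```python
import re

ALL_CVES = ["CVE-2013-1740", "CVE-2014-1490", "CVE-2014-1491",
            "CVE-2014-1492", "CVE-2014-1544", "CVE-2014-1545"]

# Keys are hypothetical inventory labels; fixed levels and CVE lists come from the bulletin.
FIXED = {
    "nss": ((3, 15, 4), ALL_CVES[:3]),
    "nspr": ((4, 10, 6), ["CVE-2014-1545"]),
    "flashsystem-ae1": ((1, 1, 2, 7), ALL_CVES),  # -AE1 models
    "flashsystem-ac": ((7, 3, 0, 7), ALL_CVES),   # -AC0 / -AC1 models
}

def parse_version(text):
    """Return the leading dotted-numeric part as a tuple, or None if absent."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group().split(".")) if m else None

def is_below(version, fixed):
    """Compare after zero-padding, so 3.15 is treated as 3.15.0."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)

def audit(inventory):
    """Return (host, component, version, status, cves) for rows needing action."""
    findings = []
    for host, component, raw in inventory:
        rule = FIXED.get(component.lower())
        if rule is None:
            continue  # component not covered by this bulletin
        fixed, cves = rule
        version = parse_version(raw)
        if version is None:
            # Never treat an unreadable version as safe.
            findings.append((host, component, raw, "UNKNOWN", cves))
        elif is_below(version, fixed):
            findings.append((host, component, raw, "VULNERABLE", cves))
    return findings

# Constructed sample inventory: (host, component, reported version).
SAMPLE_INVENTORY = [
    ("array-01", "flashsystem-ae1", "1.1.2.6"),
    ("array-02", "flashsystem-ae1", "1.1.2.7"),
    ("ctrl-01", "flashsystem-ac", "7.3.0.5"),
    ("web-01", "nss", "3.15.3-2"),
    ("web-02", "nss", "3.16"),
    ("web-02", "nspr", "4.10.6"),
    ("db-01", "nspr", "unknown"),
]
```

Distribution packages often backport fixes without changing the upstream version number, so a hit on nss or nspr is a prompt to check that vendor's advisory rather than proof of exposure.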

Workarounds and Mitigations

None known
