Lucene search

K

[email protected]NVD:CVE-2016-1938

HistoryJan 31, 2016 - 6:59 p.m.

CVE-2016-1938

2016-01-3118:59:05

CWE-310

[email protected]

web.nvd.nist.gov

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

7.8 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

71.2%

The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, improperly divides numbers, which might make it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging use of the (1) mp_div or (2) mp_exptmod function.

Affected configurations

NVD

Node

opensuseleapMatch42.1

OR

opensuseopensuseMatch13.1

OR

opensuseopensuseMatch13.2

Node

mozillanssRange≤3.20.1

AND

mozillafirefoxRange≤43.0.4

References

lists.opensuse.org/opensuse-security-announce/2016-02/msg00001.html

lists.opensuse.org/opensuse-security-announce/2016-02/msg00002.html

lists.opensuse.org/opensuse-security-announce/2016-02/msg00010.html

www.debian.org/security/2016/dsa-3688

www.mozilla.org/security/announce/2016/mfsa2016-07.html

www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

www.securityfocus.com/bid/81955

www.securityfocus.com/bid/91787

www.securitytracker.com/id/1034825

www.ubuntu.com/usn/USN-2880-1

www.ubuntu.com/usn/USN-2880-2

www.ubuntu.com/usn/USN-2903-1

www.ubuntu.com/usn/USN-2903-2

www.ubuntu.com/usn/USN-2973-1

blog.fuzzing-project.org/37-Mozilla-NSS-Wrong-calculation-results-in-mp_div-and-mp_exptmod.html

bugzilla.mozilla.org/show_bug.cgi?id=1190248

bugzilla.mozilla.org/show_bug.cgi?id=1194947

developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes

github.com/hannob/bignum-fuzz/blob/master/CVE-2016-1938-nss-mp_div.c

github.com/hannob/bignum-fuzz/blob/master/CVE-2016-1938-nss-mp_exptmod.c

hg.mozilla.org/projects/nss/diff/a555bf0fc23a/lib/freebl/mpi/mpi.c

security.gentoo.org/glsa/201605-06

security.gentoo.org/glsa/201701-46

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

7.8 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

71.2%

Related for NVD:CVE-2016-1938

openvas18 ubuntu5 prion1 ubuntucve1 debiancve1 cvelist1 nessus26 osv3 mozilla1 debian3 cve1 freebsd1 suse4 gentoo2 kaspersky1 oracle1 ibm1