RealTime IT News

'Critical' Netscape NSS Library Flaw

Internet security outfit ISS X-Force has discovered a serious vulnerability in the Netscape Network Security Services (NSS) library suite that could allow remote attackers to take over vulnerable servers.

The flaw affects the Netscape Enterprise Server and Sun's Open Net Environment (Sun ONE), two widely used commercial Web server platforms that make use of the NSS library.

According to an advisory released by ISS X-Force, the flaw could allow arbitrary code execution on vulnerable systems during SSLv2 (Secure Sockets Layer version 2) negotiation.

Research firm Secunia has tagged the vulnerability as "highly critical."

"If the SSLv2 protocol is enabled on vulnerable servers, a remote unauthenticated attacker may trigger a buffer overflow condition and execute arbitrary code. This has the potential to result in complete compromise of the target server, and exposure of any information held therein," ISS X-Force warned.

In addition, SSL is often used to secure sensitive or valuable communications, making this a high-value target for attackers.

Affected products include all known versions of the Netscape Enterprise Server (NES), the Netscape Personalization Engine (NPE), the Netscape Directory Server (NDS) and the Netscape Certificate Management Server (CMS).

Users of Sun's iPlanet and Sun ONE are also at risk.

ISS X-Force said any application or product that integrates the NSS library suite and implements SSLv2 ciphers was vulnerable.

The NSS library is predominantly used by Netscape Enterprise Server (NES) and Sun ONE/Sun Java System Web Server to serve Web content. It is publicly available as an open-source component from the Mozilla Foundation.

"Although Netscape Enterprise Server and Sun ONE are the most likely targets for attack, due to the open source nature of the component, there may be additional affected products that are not listed above," according to the advisory.

The specific flaw was found in SSLv2 record parsing. When parsing the first record in an SSLv2 negotiation, the client hello message, the server fails to validate the length of a record field. "As a result, it is possible for an attacker to trigger a heap-based overflow of arbitrary length. The SSLv2 protocol is disabled by default in Netscape Enterprise Server and Sun ONE; however it is believed to be common practice to enable this protocol, and a significant percentage of the install base is likely affected."

ISS said successful exploitation of the flaw would grant an attacker the privilege level of the web server process. On Windows platforms this is likely to be full system privileges, while on other platforms it may be restricted to a non-root account.
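To make the bug class concrete, here is an added illustration in C. It is constructed for this article and is not NSS, Netscape or Sun code; the function names, the error codes and the sample hello are assumptions. The message layout is the SSLv2 CLIENT-HELLO (a two-byte record header with the high bit set and a 15-bit body length, followed by message type, version, and three declared lengths for the cipher specs, session id and challenge). The vulnerable parser copies the challenge by the length the client declared, which is exactly the kind of unvalidated record field the advisory describes; the hardened parser bounds every declared length and requires the fields to fill the record exactly before copying a byte.

```c
/*
 * Constructed example (not NSS/Netscape code) of the bug class in the
 * ISS advisory: an SSLv2 CLIENT-HELLO carries its own field lengths, and
 * copying a field by its declared length without checking it against the
 * record lets an attacker choose how far past a heap buffer the copy runs.
 * Body layout: msg-type(1)=0x01, version(2), cipher-specs-len(2),
 * session-id-len(2), challenge-len(2), cipher-specs, session-id, challenge.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SSL2_MT_CLIENT_HELLO 0x01
#define SSL2_MAX_CHALLENGE   32  /* SSLv2 challenge is 16..32 bytes */
#define SSL2_HELLO_FIXED     9   /* msg-type + version + three u16 lengths */

typedef struct {
    uint16_t version, cipher_specs_len, session_id_len, challenge_len;
    uint8_t  challenge[SSL2_MAX_CHALLENGE];
} ssl2_hello;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Body length from a 2-byte SSLv2 record header (high bit set, 15-bit
 * length); 0 if the header claims more bytes than were received. */
static size_t ssl2_record_len(const uint8_t *rec, size_t avail)
{
    if (avail < 2 || !(rec[0] & 0x80)) return 0;
    size_t len = (size_t)((rec[0] & 0x7f) << 8 | rec[1]);
    return (len && len + 2 <= avail) ? len : 0;
}

/* VULNERABLE: challenge-len comes straight from the wire into memcpy
 * against a 32-byte heap field, so a hostile hello overflows the heap by
 * an attacker-chosen amount.  Only ever called on well-formed input here. */
ssl2_hello *parse_hello_vulnerable(const uint8_t *rec, size_t avail)
{
    size_t body_len = ssl2_record_len(rec, avail);
    if (body_len < SSL2_HELLO_FIXED) return NULL;
    const uint8_t *b = rec + 2;
    if (b[0] != SSL2_MT_CLIENT_HELLO) return NULL;
    ssl2_hello *h = calloc(1, sizeof *h);
    if (!h) return NULL;
    h->version = rd16(b + 1);          h->cipher_specs_len = rd16(b + 3);
    h->session_id_len = rd16(b + 5);   h->challenge_len = rd16(b + 7);
    memcpy(h->challenge, b + SSL2_HELLO_FIXED + h->cipher_specs_len + h->session_id_len,
           h->challenge_len);                       /* unchecked length */
    return h;
}

/* HARDENED: bound every declared length and require the fields to fill the
 * record exactly before copying.  0 on success, else a negative code. */
int parse_hello_checked(const uint8_t *rec, size_t avail, ssl2_hello *out)
{
    size_t body_len = ssl2_record_len(rec, avail);
    if (body_len < SSL2_HELLO_FIXED) return -1;
    const uint8_t *b = rec + 2;
    if (b[0] != SSL2_MT_CLIENT_HELLO) return -2;
    uint16_t cs = rd16(b + 3), sid = rd16(b + 5), ch = rd16(b + 7);
    if (cs % 3 != 0) return -3;                         /* cipher specs are 3-byte triples */
    if (sid != 0 && sid != 16) return -4;               /* session id: absent or 16 bytes */
    if (ch < 16 || ch > SSL2_MAX_CHALLENGE) return -5;  /* the missing bound on the copy */
    if ((size_t)SSL2_HELLO_FIXED + cs + sid + ch != body_len) return -6;
    out->version = rd16(b + 1);
    out->cipher_specs_len = cs; out->session_id_len = sid; out->challenge_len = ch;
    memcpy(out->challenge, b + SSL2_HELLO_FIXED + cs + sid, ch);
    return 0;
}

/* Builds a CLIENT-HELLO with two cipher specs and a 16-byte constructed
 * challenge; declared_chal is what the length field claims (attacker-controlled). */
size_t build_hello(uint8_t *buf, size_t cap, uint16_t declared_chal)
{
    static const uint8_t specs[] = {0x01,0x00,0x80, 0x07,0x00,0xc0}; /* RC4-128-MD5, 3DES-MD5 */
    size_t body = SSL2_HELLO_FIXED + sizeof specs + 16;
    if (cap < body + 2) return 0;
    buf[0] = (uint8_t)(0x80 | (body >> 8)); buf[1] = (uint8_t)body;
    uint8_t *b = buf + 2;
    b[0] = SSL2_MT_CLIENT_HELLO; b[1] = 0x00; b[2] = 0x02;   /* SSL version 2 */
    b[3] = 0; b[4] = (uint8_t)sizeof specs;                   /* cipher-specs-len */
    b[5] = 0; b[6] = 0;                                       /* no session id */
    b[7] = (uint8_t)(declared_chal >> 8); b[8] = (uint8_t)declared_chal;
    memcpy(b + SSL2_HELLO_FIXED, specs, sizeof specs);
    memset(b + SSL2_HELLO_FIXED + sizeof specs, 0x41, 16);
    return body + 2;
}

/* Hardened parser's verdict on a hello whose challenge-len field says declared_chal. */
int checked_verdict(uint16_t declared_chal)
{
    uint8_t rec[64]; ssl2_hello h;
    size_t n = build_hello(rec, sizeof rec, declared_chal);
    return n ? parse_hello_checked(rec, n, &h) : -100;
}

int main(void)
{
    uint8_t rec[64];
    size_t n = build_hello(rec, sizeof rec, 16);
    ssl2_hello *h = parse_hello_vulnerable(rec, n);     /* honest input: appears to work */
    printf("vulnerable parser, honest hello: challenge_len=%d\n", h ? (int)h->challenge_len : -1);
    free(h);
    printf("checked, honest hello: %d\n", checked_verdict(16));
    printf("checked, challenge-len=0x4000: %d\n", checked_verdict(0x4000));
    printf("checked, challenge-len=20 but record too short: %d\n", checked_verdict(20));
    return 0;
}
```

Note that the checked parser rejects the oversized length (-5) before looking at anything else about the message, and separately rejects a length that is within range but inconsistent with the record (-6); the vulnerable parser has no step at which either would be noticed, which is why it is never fed the hostile hello in main.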

Secunia also issued a warning for a separate flaw in Sun Solaris systems running Apache that puts users at risk of security bypass, spoofing, denial of service and system access.

That vulnerability also carries a "highly critical" rating.

Sun has acknowledged the vulnerabilities in Apache for Solaris and released patches on its security Web site.