
‘Critical’ Netscape NSS Library Flaw

Written By
Ryan Naraine
Aug 25, 2004

Internet security outfit ISS X-Force has discovered a serious
vulnerability in the Netscape Network Security Services (NSS) library
suite that could allow attackers to hijack compromised servers.

The flaw affects the Netscape Enterprise Server and Sun’s
Open Net Environment (Sun ONE), two widely used commercial Web server
platforms that make use of the NSS library.

According to an advisory released
by ISS X-Force, the flaw could result in harmful code execution on
vulnerable systems during SSLv2 (Secure Sockets Layer) negotiation.

Research firm Secunia has tagged the vulnerability as “highly
critical.”

“If the SSLv2 protocol is enabled on vulnerable servers, a remote
unauthenticated attacker may trigger a buffer overflow condition and
execute arbitrary code. This has the potential to result in complete
compromise of the target server, and exposure of any information held
therein,” ISS X-Force warned.

In addition, SSL is often used to secure sensitive or
valuable communications, making this a high-value target for attackers.

Affected products include all known versions of the Netscape
Enterprise Server (NES), the Netscape Personalization Engine (NPE), the
Netscape Directory Server (NDS) and the Netscape Certificate Management
Server (CMS).

Users of Sun’s iPlanet and Sun ONE are also
at risk.

ISS X-Force said any application or product that integrates the NSS
library suite and implements SSLv2 ciphers was vulnerable.

The NSS library is predominantly used by Netscape Enterprise Server
(NES) and Sun ONE/Sun Java System Web Server to serve Web content. It
is publicly available as an open-source component from the Mozilla
Foundation.

“Although Netscape Enterprise Server and Sun ONE are the
most likely targets for attack, due to the open source nature of the
component, there may be additional affected products that are not listed
above,” according to the advisory.

The specific flaw was found in SSLv2 record parsing. When parsing
the first record in an SSLv2 negotiation, the client hello message, the
server fails to validate the length of a record field. “As a result, it
is possible for an attacker to trigger a heap-based overflow of
arbitrary length. The SSLv2 protocol is disabled by default in Netscape
Enterprise Server and Sun ONE; however it is believed to be common
practice to enable this protocol, and a significant percentage of the
install base is likely affected.”

The company said successful exploitation of the flaw would grant an
attacker the privilege level at which the web server was executing. On
Windows platforms, this will likely be full system privileges, while on
other platforms this may be restricted to a non-root account.

Secunia also issued a warning for a separate
flaw in Sun Solaris systems running Apache that puts users at risk of
security bypass, spoofing, denial-of-service and system access attacks.

That vulnerability also carries a “highly critical” rating.

Sun has acknowledged the vulnerabilities in Apache for Solaris and released
patches on its security Web site.
