
Netscape NSS Library Record Parsing Buffer Overflow

Attack ID: CPAI-2004-38
Publish Date:
Last Update:
Category: Netscape NSS Library Record Parsing Buffer Overflow
Vulnerable Systems: Netscape Enterprise Webserver (All versions);
Netscape Personalization Engine (All versions);
Netscape Directory Server (All versions);
Netscape Certificate Management Server (All versions);
Sun Java Enterprise System (JES);
Network Security Services (NSS)
Source:

CAN-2004-0826

Description:

NSS is a set of open-source cryptographic libraries that help design and implement cross-platform applications using SSL and S/MIME for encryption.

Severity:

A vulnerability exists in Netscape's Network Security Services SSL library when using SSL version 2 messages. A specially crafted "Client Hello" packet may cause the server to crash and possibly lead to remote code execution.
Details:

A vulnerability exists in the SSL version 2 parsing engine of Netscape's Network Security Services. A "Client Hello" message with an excessive challenge length (greater than 32 bytes) leads to a buffer overflow. A malicious user may use this vulnerability to overwrite the heap with arbitrary data, which may lead to arbitrary remote code execution on the target machine and complete control of it, as the NSS service runs with root privileges.
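The following is an added example (not Check Point's or NSS's code) showing how a defensive parser validates an SSLv2 Client Hello record before it reaches a vulnerable decoder: it checks the 2-byte record header against the body, the message type, and the challenge length bound (16 to 32 bytes) the advisory cites, and reports findings named after the SmartDefense log messages listed below. The accepted version values, the 3-byte cipher-spec size and the 0-or-16-byte session ID rule are assumptions taken from the SSLv2 draft specification; the sample record is constructed inline.

```python
import struct

# SSLv2 Client Hello body (after the 2-byte record header):
#   msg_type(1) = 0x01, version(2), cipher_specs_len(2), session_id_len(2),
#   challenge_len(2), cipher_specs, session_id, challenge
SSL2_MT_CLIENT_HELLO = 0x01
MIN_CHALLENGE_LEN = 16   # lower bound from the SSLv2 draft (assumption)
MAX_CHALLENGE_LEN = 32   # limit cited by the advisory; larger values overflowed NSS
ACCEPTED_VERSIONS = (0x0002, 0x0300, 0x0301)  # SSLv2 and SSLv2-compatible hellos (assumption)


def check_sslv2_client_hello(record: bytes) -> list[str]:
    """Return a de-duplicated list of findings; an empty list means the record is well-formed."""
    findings = []
    # A 2-byte header has the high bit set; the remaining 15 bits are the body length.
    if len(record) < 2 or not (record[0] & 0x80):
        return ["Malformed SSL packet detected"]
    rec_len = ((record[0] & 0x7F) << 8) | record[1]
    body = record[2:]
    if rec_len != len(body):
        findings.append("SSLv2: Malformed packet (field lengths do not match)")
    if len(body) < 9:   # not even a complete fixed header: stop before reading fields
        findings.append("SSLv2: Malformed packet (field lengths do not match)")
        return list(dict.fromkeys(findings))
    msg_type = body[0]
    version, cs_len, sid_len, ch_len = struct.unpack(">HHHH", body[1:9])
    if msg_type != SSL2_MT_CLIENT_HELLO:
        findings.append("SSLv2: Illegal Client Hello message type")
    if version not in ACCEPTED_VERSIONS:
        findings.append("SSLv2: Illegal protocol version number")
    if cs_len == 0 or cs_len % 3 != 0:   # SSLv2 cipher specs are 3 bytes each
        findings.append("SSLv2: Illegal Client Hello CipherSuites length")
    if sid_len not in (0, 16):
        findings.append("SSLv2: Illegal Client Hello Session ID length")
    if not MIN_CHALLENGE_LEN <= ch_len <= MAX_CHALLENGE_LEN:
        findings.append("SSLv2: Illegal Client Hello Challenge length")
    # The three variable-length fields must exactly fill the rest of the body.
    if 9 + cs_len + sid_len + ch_len != len(body):
        findings.append("SSLv2: Malformed packet (field lengths do not match)")
    return list(dict.fromkeys(findings))


def build_client_hello(challenge: bytes, cipher_specs: bytes = b"\x01\x00\x80",
                       session_id: bytes = b"") -> bytes:
    """Encode a constructed SSLv2 Client Hello record (test input for the checker)."""
    body = struct.pack(">BHHHH", SSL2_MT_CLIENT_HELLO, 0x0002,
                       len(cipher_specs), len(session_id), len(challenge))
    body += cipher_specs + session_id + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body
```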

Attack Detection: Using SmartView Tracker, users of VPN-1 NG with Application Intelligence R55 will be able to identify dropped logs with rule number 99443 displayed in the log viewer window.

Users of VPN-1 NG with Application Intelligence R55W and InterSpect will receive the following logs:

Attack name: VPN Protection (for all logs)

Attack Information may vary:
Malformed SSL packet detected
SSLv2: Illegal Server Hello handshake type
SSLv2: Illegal Client Hello message type
SSLv2: Malformed packet (field lengths do not match)
SSLv2: Illegal protocol version number
SSLv2: Illegal Client Hello CipherSuites length
SSLv2: Illegal Client Hello Session ID length
SSLv2: Illegal Client Hello Challenge length
SSLv3: Illegal protocol version number
SSLv3: Illegal Server Hello handshake type
SSLv3: Illegal Session ID length
SSLv3: Malformed packet (field lengths do not match)
SSLv3: Illegal Client Hello compression methods length
SSLv3: Illegal Client Hello CipherSuites length

Solution:

Users of VPN-1 NG AI R55 and InterSpect should update their SmartDefense to the latest update by pressing the Update Now button in the SmartDefense General tab. This update includes an enhancement for the already existing SSL protections.

To apply the protection (R55, R55W and InterSpect):

  1. From the SmartDefense menu, select Application Intelligence > VPN Protocols > Block SSL null-pointer assignment.
  2. Install policy on all modules.

Industry Reference:
Additional Information:

SunSolve ID: 57643
CPAI-2004-19