CVE-2015-8960
First published: Wed Sep 21 2016(Updated: )
The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh values for ClientCertificateType but does not directly document the ability to compute the master secret in certain situations with a client secret key and server public key but not a server secret key, which makes it easier for man-in-the-middle attackers to spoof TLS servers by leveraging knowledge of the secret key for an arbitrary installed client X.509 certificate, aka the "Key Compromise Impersonation (KCI)" issue.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IETF Transport Layer Security | <=1.2 | |
| Apple Mobile Safari | ||
| Google Chrome | ||
| Internet Explorer | ||
| Mozilla Firefox | ||
| Opera | ||
| netapp clustered data ontap antivirus connector | ||
| NetApp Data ONTAP Edge | ||
| netapp host agent | ||
| NetApp OnCommand Shift | ||
| netapp plug-in for symantec netbackup | ||
| netapp smi-s provider | ||
| NetApp Snap Creator Framework | ||
| NetApp SnapDrive for Unix | ||
| netapp snapdrive windows | ||
| netapp snapmanager Oracle | ||
| netapp snapmanager sap | ||
| NetApp SnapProtect | ||
| netapp solidfire \& hci management node | ||
| NetApp System Setup |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://twitter.com/matthew_d_green/statuses/630908726950674433
- http://www.openwall.com/lists/oss-security/2016/09/20/4
- http://www.securityfocus.com/bid/93071
- https://kcitls.org
- https://security.netapp.com/advisory/ntap-20180626-0002/
- https://www.usenix.org/system/files/conference/woot15/woot15-paper-hlauschek.pdf
Frequently Asked Questions
What is the severity of CVE-2015-8960?
CVE-2015-8960 has a medium severity rating due to the potential risk of cryptographic vulnerabilities in the TLS protocol.
How do I fix CVE-2015-8960?
To fix CVE-2015-8960, update to a version of the TLS protocol that addresses the identified weaknesses, typically by upgrading to TLS 1.3 or later.
Which software is affected by CVE-2015-8960?
CVE-2015-8960 affects the IETF Transport Layer Security up to version 1.2, as well as certain NetApp software products.
Is CVE-2015-8960 exploitable in all environments?
CVE-2015-8960 is not universally exploitable and may depend on specific configurations and implementations of TLS.
What are the implications of CVE-2015-8960 for secure communications?
The implications of CVE-2015-8960 for secure communications include potential exposure to attacks that could compromise the confidentiality and integrity of data transmitted over TLS.
- agent/references
- agent/type
- agent/weakness
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/ietf
- canonical/ietf transport layer security
- version/ietf transport layer security/1.2
- vendor/apple
- canonical/apple mobile safari
- vendor/google
- canonical/google chrome
- vendor/microsoft
- canonical/internet explorer
- vendor/mozilla
- canonical/mozilla firefox
- vendor/opera
- canonical/opera
- vendor/netapp
- canonical/netapp clustered data ontap antivirus connector
- canonical/netapp data ontap edge
- canonical/netapp host agent
- canonical/netapp oncommand shift
- canonical/netapp plug-in for symantec netbackup
- canonical/netapp smi-s provider
- canonical/netapp snap creator framework
- canonical/netapp snapdrive for unix
- canonical/netapp snapdrive windows
- canonical/netapp snapmanager oracle
- canonical/netapp snapmanager sap
- canonical/netapp snapprotect
- canonical/netapp solidfire \& hci management node
- canonical/netapp system setup