First published: Mon Jul 06 2020(Updated: )
A side-channel flaw was found in NSS, in the way P-384 and P-521 curves are used in the generation of EDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
Credit: security@mozilla.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/nspr | <0:4.25.0-2.el7_9 | 0:4.25.0-2.el7_9 |
redhat/nss | <0:3.53.1-3.el7_9 | 0:3.53.1-3.el7_9 |
redhat/nss-softokn | <0:3.53.1-6.el7_9 | 0:3.53.1-6.el7_9 |
redhat/nss-util | <0:3.53.1-1.el7_9 | 0:3.53.1-1.el7_9 |
redhat/nss | <0:3.53.1-17.el8_3 | 0:3.53.1-17.el8_3 |
All of | ||
Mozilla Firefox | =80 | |
Google Android | ||
redhat/nss | <3.55 | 3.55 |
Mozilla Firefox | <80 | 80 |
Mozilla Firefox | <80.0 | |
Mozilla Firefox | <80.0 | |
IBM Cognos Analytics | <=12.0.0-12.0.3 | |
IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 |
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
(Found alongside the following vulnerabilities)
CVE-2020-12400 is a vulnerability in Mozilla Network Security Services (NSS) that allows a local authenticated attacker to obtain sensitive information.
CVE-2020-12400 could allow a local authenticated attacker to obtain sensitive information in Mozilla Firefox.
An attacker can exploit CVE-2020-12400 by leveraging a side-channel flaw in the way P-384 and P-521 curves are used in the generation of EDSA signatures.
The severity of CVE-2020-12400 is medium, with a CVSS score of 4.4.
To fix CVE-2020-12400, it is recommended to update Mozilla Firefox to version 80 or apply the necessary patches provided by the vendor.