TLS False Start Vulnerability in Mozilla NSS
CVE-2013-1740

Currently unrated

Key Information:

Vendor: Mozilla
Status: Network Security Services
Vendor: CVE Published:; 18 January 2014

What is CVE-2013-1740?

The vulnerability exists in the ssl_Do1stHandshake function within the libssl component of Mozilla's Network Security Services (NSS). When the TLS False Start feature is enabled, it exposes the system to man-in-the-middle attackers who can exploit this flaw to spoof SSL servers using arbitrary X.509 certificates during specific handshake traffic, thus compromising secure communications.

References

http://www.oracle.com/technetwork/topics/security/ovmbull...

x_refsource_CONFIRM

http://lists.opensuse.org/opensuse-security-announce/2014...

vendor-advisoryx_refsource_SUSE

http://www.vmware.com/security/advisories/VMSA-2014-0012....

x_refsource_CONFIRM

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 18, 2014
Vulnerability Reserved
Feb 13, 2013

JSON