'Critical' Netscape NSS Library Flaw

Share it on Twitter  
Share it on Facebook  
Share it on Google+
Share it on Linked in  
Internet security outfit ISS X-Force has discovered a serious vulnerability in the Netscape Network Security Services (NSS) library suite that could allow attackers to hijack compromised servers.

The flaw affects the Netscape Enterprise Server and Sun's Open Net Environment (Sun ONE), two widely used commercial Web server platforms that make use of the NSS library.

According to an advisory released by ISS X-Force, the flaw could result in harmful code execution on vulnerable systems during SSLv2 (Secure Sockets Layer) negotiation.

Research firm Secunia has tagged the vulnerability as ''highly critical''.

''If the SSLv2 protocol is enabled on vulnerable servers, a remote unauthenticated attacker may trigger a buffer overflow condition and execute arbitrary code. This has the potential to result in complete compromise of the target server, and exposure of any information held therein,'' ISS X-Force warned.

In addition, SSL is often used to secure sensitive or valuable communications, making this a high-value target for attackers.

Affected products include all known versions of the Netscape Enterprise Server (NES), the Netscape Personalization Engine (NPE), the Netscape Directory Server (NDS) and the Netscape Certificate Management Server (CMS).

Users of Sun's iPlanet and Sun ONE also are at risk.

ISS X-Force said any application or product that integrates the NSS library suite and implements SSLv2 ciphers was vulnerable.

The NSS library is predominantly used by Netscape Enterprise Server (NES) and Sun ONE/Sun Java System Web Server to serve Web content. It is publicly available as an open-source component from the Mozilla Foundation.

''Although Netscape Enterprise Server and Sun ONE are the most likely targets for attack, due to the open source nature of the component, there may be additional affected products that are not listed above,'' according to the advisory.

This article was first published on InternetNews.com. To read the full article, click here.

Submit a Comment

Loading Comments...