Vulnerability Details : CVE-2016-1938
The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, improperly divides numbers, which might make it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging use of the (1) mp_div or (2) mp_exptmod function.
Products affected by CVE-2016-1938
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:nss:*:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-1938
0.33%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 67 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-1938
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.4
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
10.0
|
4.9
|
NIST | |
6.5
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
3.9
|
2.5
|
NIST |
CWE ids for CVE-2016-1938
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-1938
-
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00001.html
[security-announce] openSUSE-SU-2016:0306-1: important: Security updateThird Party Advisory
-
https://github.com/hannob/bignum-fuzz/blob/master/CVE-2016-1938-nss-mp_exptmod.c
bignum-fuzz/CVE-2016-1938-nss-mp_exptmod.c at master · hannob/bignum-fuzz · GitHub
-
http://www.ubuntu.com/usn/USN-2903-1
USN-2903-1: NSS vulnerability | Ubuntu security notices
-
http://www.securityfocus.com/bid/91787
Oracle July 2016 Critical Patch Update Multiple VulnerabilitiesThird Party Advisory;VDB Entry
-
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00002.html
[security-announce] openSUSE-SU-2016:0309-1: important: Security updateThird Party Advisory
-
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes
NSS 3.21 release notes - Mozilla | MDNVendor Advisory
-
http://www.securitytracker.com/id/1034825
Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Spoof the Address Bar, Bypass Security Restrictions, and Deny Service - SecurityTracker
-
https://bugzilla.mozilla.org/show_bug.cgi?id=1194947
Bugzilla.mozilla.org is offlineIssue Tracking
-
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
Oracle Critical Patch Update - July 2016Third Party Advisory
-
https://security.gentoo.org/glsa/201605-06
Mozilla Products: Multiple vulnerabilities (GLSA 201605-06) — Gentoo security
-
https://hg.mozilla.org/projects/nss/diff/a555bf0fc23a/lib/freebl/mpi/mpi.c
nss: diff lib/freebl/mpi/mpi.c
-
http://www.ubuntu.com/usn/USN-2973-1
USN-2973-1: Thunderbird vulnerabilities | Ubuntu security notices
-
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00010.html
[security-announce] SUSE-SU-2016:0338-1: important: Security update for
-
https://blog.fuzzing-project.org/37-Mozilla-NSS-Wrong-calculation-results-in-mp_div-and-mp_exptmod.html
Mozilla NSS: Wrong calculation results in mp_div() and mp_exptmod() | The Fuzzing Project
-
http://www.ubuntu.com/usn/USN-2880-2
USN-2880-2: Firefox regression | Ubuntu security notices
-
http://www.ubuntu.com/usn/USN-2903-2
USN-2903-2: NSS regression | Ubuntu security notices
-
http://www.securityfocus.com/bid/81955
Mozilla Network Security Services CVE-2016-1938 Weak Encryption Multiple Security Weaknesses
-
http://www.ubuntu.com/usn/USN-2880-1
USN-2880-1: Firefox vulnerabilities | Ubuntu security notices
-
http://www.mozilla.org/security/announce/2016/mfsa2016-07.html
Errors in mp_div and mp_exptmod cryptographic functions in NSS — MozillaVendor Advisory
-
https://github.com/hannob/bignum-fuzz/blob/master/CVE-2016-1938-nss-mp_div.c
bignum-fuzz/CVE-2016-1938-nss-mp_div.c at master · hannob/bignum-fuzz · GitHub
-
https://bugzilla.mozilla.org/show_bug.cgi?id=1190248
Bugzilla.mozilla.org is offlineIssue Tracking
-
http://www.debian.org/security/2016/dsa-3688
Debian -- Security Information -- DSA-3688-1 nss
-
https://security.gentoo.org/glsa/201701-46
Mozilla Network Security Service (NSS): Multiple vulnerabilities (GLSA 201701-46) — Gentoo security
Jump to