The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Mozilla NSS, NSPR: privilege escalation via SUID

Synthesis of the vulnerability 

An attacker can in some cases use an environment variable with a suid program linked to Mozilla NSS or NSPR, in order to escalate his privileges.
Vulnerable products: Debian, NSPR, NSS, openSUSE, openSUSE Leap.
Severity of this weakness: 2/4.
Creation date: 03/10/2016.
Références of this bulletin: 1174015, DLA-676-1, DLA-677-1, DSA-3687-1, DSA-3688-1, openSUSE-SU-2016:0731-1, openSUSE-SU-2016:0733-1, VIGILANCE-VUL-20748.

Description of the vulnerability 

The Mozilla NSS and NSPR libraries use environment variables.

However, if the program linked to NSS/NSPR is suid, the library uses getenv() instead of secure_getenv(). Environment variables which are potentially dangerous are thus not filtered.

An attacker can therefore in some cases use an environment variable with a suid program linked to Mozilla NSS or NSPR, in order to escalate his privileges.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This threat bulletin impacts software or systems such as Debian, NSPR, NSS, openSUSE, openSUSE Leap.

Our Vigil@nce team determined that the severity of this computer threat bulletin is medium.

The trust level is of type confirmed by the editor, with an origin of user shell.

An attacker with a expert ability can exploit this computer threat.

Solutions for this threat 

Mozilla NSS: version 3.21.1.
The version 3.21.1 is fixed:
  https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_21_1_RTM/src/

NSPR: version 4.12.
The version 4.12 is fixed:
  https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.12/src/

Debian 7: new nspr packages.
New packages are available:
  Debian 7: nspr 4.12-1+deb7u1

Debian 7: new nss packages.
New packages are available:
  Debian 7: nss 3.26-1+debu7u1

Debian 8: new nspr packages.
New packages are available:
  Debian 8: nspr 2:4.12-1+debu8u1

Debian 8: new nss packages.
New packages are available:
  Debian 8: nss 2:3.26-1+debu8u1

openSUSE: new MozillaFirefox packages.
New packages are available:
  openSUSE 13.1: MozillaFirefox 45.0-109.1, mozilla-nspr 4.12-34.1, mozilla-nss 3.21.1-74.1
  openSUSE 13.2: MozillaFirefox 45.0-65.1, mozilla-nspr 4.12-15.1, mozilla-nss 3.21.1-28.1
  openSUSE Leap 42.1: MozillaFirefox 45.0-18.1, mozilla-nspr 4.12-10.1, mozilla-nss 3.21.1-12.1
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides application vulnerability patches. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.