Financial institutions will likely be the target of choice for remote, unauthenticated attackers exploiting a vulnerability in the Network Security Services (NSS) library suite, a shared component in the widely deployed commercial Web server platforms Netscape Enterprise Server, Sun ONE and iPlanet, according to an Internet Security Systems advisory.
"The NSS library suite is predominately used by financial institutions that employ Web services to secure transactions," warned ISS. "A remote, unauthenticated attacker may trigger a buffer-overflow condition and execute arbitrary code if the SSL version 2 protocol is enabled on vulnerable servers. This has the potential to result in complete compromise of the target server, and exposure of any information held therein. In addition, SSL is often used to secure sensitive or valuable communications, making this a high-value target for attackers."
All versions of the NSS library suite are vulnerable. This includes all versions of the Netscape Enterprise Server (NES), Netscape Personalization Engine (NPE), Netscape Directory Server (NDS), Netscape Certificate Management Server (CMS), Sun ONE and iPlanet. Any application or product that integrates the NSS library suite and implements SSL version 2 ciphers is also vulnerable.
"The bottom line is that this vulnerability will not be a serious issue for most of the Web server population," said Aaron Schaub, a security analyst at a public utility company. "However, it has the potential to be gravely serious for those that are affected."
Michael Sutton, director of Reston, Va.-based iDefense Labs, said the number of those affected will likely be limited. "While this is a significant vulnerability in the affected platforms, the overall impact is lessened by the fact that neither Netscape Enterprise Server nor Sun ONE has significant market share at this point. The latest Netcraft survey shows Sun having 3.14% market share while Netscape no longer shows up on its public results."
ISS said it believes that enabling SSL version 2 is common practice and that a significant percentage of the install base is likely affected. "Successful exploitation of this vulnerability will grant an attacker the privilege level at which the Web server was executing," said the ISS advisory. "On Windows platforms, this will likely be full system privileges, while on other platforms this may be restricted to a non-root account."
Neither Netscape nor Sun was available for comment as of press time. However, Dave Kennedy, director of research services at TruSecure Corp. in Reston, Va., said, "It's a challenge for administrators of Netscape servers to learn about security issues since the transfer of the servers' development and maintenance to Sun. Sun's priority is, justifiably, on maintenance and development of its own products."