Bugzilla – Bug 862289
VUL-0: CVE-2014-1491: mozilla-nss: Do not allow p-1 as a public DH value
Last modified: 2016-04-27 18:59:06 UTC
CVE-2014-1491

1. Create a TLS server supporting only the DHE key exchange.
2. During any handshake, send the parameters <p, g, g^q> where p=2q+1 is a prime such that q is also prime and g is not a quadratic residue mod p.
3. NSS accepts this value and proceeds with the handshake. The PMS computed by NSS is g^(q*Kc).

Actual results:
NSS accepts to proceed with the exchange. If g is not a quadratic residue mod p, then g^q = p-1, which is not rejected by NSS as it accepts any public value in [2, p-1] (this is allowed by RFC 2631). Then, the computed PMS g^(q*Kc) is 1 if Kc is even (because g^(2q) = g^(p-1) = 1 [mod p]) and p-1 if Kc is odd (because g^q = p-1 [mod p]). If the server chose a Ks with the same parity, the PMS will be the same on the client and server, but the communication is not safe because an attacker can derive it from the parameters sent over the network.

References:
http://www.mozilla.org/security/announce/2014/mfsa2014-12.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1491
https://bugzilla.redhat.com/show_bug.cgi?id=1060955
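Added example (not NSS code and not part of the report): with a small constructed safe prime it reproduces the PMS collapse described above and shows the peer public-value check that rejects p-1 (and 1) instead of accepting the whole range [2, p-1]. The function names and the toy parameters P=23, G=5 are assumptions; real TLS uses primes of 2048 bits or more.

```python
def is_prime(n):
    # Trial division; fine for the toy parameters used here.
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def quadratic_residue(g, p):
    # Euler's criterion: g is a QR mod p iff g^((p-1)/2) == 1 (mod p).
    return pow(g, (p - 1) // 2, p) == 1

def hostile_public_value(p, g):
    # With p = 2q+1 and g a non-residue, g^q == -1 == p-1 (mod p).
    q = (p - 1) // 2
    assert is_prime(p) and is_prime(q) and not quadratic_residue(g, p)
    return pow(g, q, p)

def premaster_secret(peer_public, private_exp, p):
    # Plain DH: PMS = y^x mod p. With y == p-1 this is 1 or p-1 only.
    return pow(peer_public, private_exp, p)

def validate_dh_public(y, p):
    # The fix: 1 and p-1 are the only elements of order 1 and 2, so the
    # accepted range must be [2, p-2], not the [2, p-1] of RFC 2631.
    if not (2 <= y <= p - 2):
        raise ValueError("DH public value out of range")
    return y

def accepts_public_value(y, p):
    try:
        validate_dh_public(y, p)
        return True
    except ValueError:
        return False

# Constructed toy parameters: P is a safe prime (q = 11), G = 5 is a
# non-residue mod 23 since 5^11 mod 23 == 22.
P = 23
G = 5

def demo():
    y_s = hostile_public_value(P, G)          # 22 == P-1
    pms_even = premaster_secret(y_s, 4, P)    # even Kc -> 1
    pms_odd = premaster_secret(y_s, 7, P)     # odd Kc -> P-1
    return y_s, pms_even, pms_odd
```

Either PMS value is computable from the handshake parameters alone, which is why the value must be rejected before the exponentiation rather than after.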
bugbot adjusting priority
duplicated *** This bug has been marked as a duplicate of bug 861847 ***