How Mozilla Fixes Critical Flaw in Cross-Platform Crypto Library?

How Mozilla Fixes Critical Flaw in Cross-Platform Crypto Library?

Mozilla recently addressed a critical memory corruption vulnerability impacting its cross-platform Network Security Services (NSS) set of cryptography libraries. NSS can be utilized to develop security-enabled client and server applications with support for SSL v3, TLS, PKCS #7, PKCS #11, PKCS #12, S/MIE, X.509 v3 certificates, and many more other security standards.

The security bug was discovered by Google vulnerability researcher Tavis Ormandy is NSS version before 3.73 or 3.68.1 ESR – who also dubbed it BigSig – and is now tracked as CVE-2021-43527. It can result in a heap-based buffer overflow when handling DER-encoded DSA or RSA-PSS signatures in email clients and PDF viewers utilizing vulnerable NSS versions (the flaw has been fixed in NSS 3.68.1 and NSS 3.73).

The impact of successful heap overflow explanation can rely on program crashes and arbitrary code execution to bypass security software if code execution is achieved.

How-Mozilla-Fixes-Critical-Flaw-in-Cross-Platform-Crypto-Library-image1

The version Released In October 2021 Vulnerable

“Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted,” Mozilla said in a security advisory issued today. “Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS.”

“We believe all versions of NSS since 3.14 (released October 2012) are vulnerable,” Ormandy added on the Project Zero issue tracker. “Mozilla plan to produce a thorough list of affected APIs – but the summary is any standard use of NSS is affected. The bug is simple to reproduce and affects multiple algorithms.”

Luckily, according to Mozilla, this vulnerability doesn’t impact the Mozilla Firefox web browser. However, all PDF viewers and email clients which use NSS for signature verification are believed to be impacted.

Where NSS is utilized in Mozilla?

  • Firefox, Thunderbird, SeaMonkey, and Firefox OS.
  • Open-source client applications such as Evolution, Pidgin, Apache OpenOffice, and LibreOffice.
  • Server products from Red Hat: Red Hat Directory Server, Red Hat Certificate System, and the mod_nss SSL module for the Apache webserver.
  • Server products from Oracle (formerly Sun Java Enterprise System), including Oracle Communications Messaging Server and Oracle Directory Server Enterprise Edition.
  • SUSE Linux Enterprise Server supports NSS and the mod_nss SSL module for the Apache webserver.

If one is a vendor that distributes NSS in the products, you will most likely need to update or backport the patch.

Leave a Reply