On 1^st December 2021, Mozilla release a Security Advisor addressing the Critical vulnerability affecting its cross-platform Network Security Services (NSS) cryptography libraries.

“Network Security Services (NSS) is Mozilla’s widely used, cross-platform cryptography library. When you verify an ASN.1 encoded digital signature, NSS will create a VFYContext structure to store the necessary data. This includes things like the public key, the hash algorithm, and the signature itself.” Said Ormandy the researcher in Project Zero who discovered the vulnerability.

NSS is used to security-enabled client and server applications to support SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.

This impact NSS version before 3.73 or 3.68.1 ESR and is tracked as  CVE-2021-43527.

“NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. “

“Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS.” Said Mozilla in the advisor

This vulnerability can lead to heap-based buffer overflow when handling DER-encoded DSA or RSA-PSS signatures in email clients and PDF viewers using vulnerable NSS version. If successfully can result in arbitrary code execution and Program crashes which will allow to bypass the security software.

The vulnerability doesn’t impact Mozilla Firefox but PDF viewrs, email clients using NSS for signature verification are believed to be vulnerable.

“If you are a vendor that distributes NSS in your products, you will most likely need to update or backport the patch,” Ormandy said.

NSS Library is used by the following products,

• Mozilla products including Firefox, Thunderbird, SeaMonkey, and Firefox OS.
• AOL Instant Messenger (AIM)
• Open-source client applications such as Evolution, Pidgin, Apache OpenOffice, and LibreOffice.
• Server products from Red Hat: Red Hat Directory Server, Red Hat Certificate System, and the mod_nss SSL module for the Apache webserver.
• Server products from Oracle (formerly Sun Java Enterprise System), including Oracle Communications Messaging Server and Oracle Directory Server Enterprise Edition.
• SUSE Linux Enterprise Server supports NSS and the mod_nss SSL module for the Apache webserver.

References

• https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/
• https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html