Mozilla has patched a critical memory corruption vulnerability affecting Network Security Services (NSS), its set of cross-platform cryptographic libraries.
NSS is a set of open source cryptographic libraries used to develop client and server applications that support SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates and other security standards.
The vulnerability was discovered by Google Project Zero specialist Tavis Ormandy in NSS versions earlier than 3.73 or 3.68.1 ESR. The issue is tracked as CVE-2021-43527 and is a heap buffer overflow that occurs when DSA or RSA-PSS DER-encoded signatures are processed in email clients and PDF viewers using vulnerable versions of NSS (fixed in NSS 3.68.1 and NSS 3.73).
Ormandy says that successful exploitation of the bug can lead to both a program crash and arbitrary code execution, bypassing security systems. Mozilla developers, in turn, note that the vulnerability likely affects applications that use NSS to handle signatures encoded using CMS, S/MIME, PKCS #7 and PKCS #12. Applications that use NSS for certificate validation and other TLS, X.509, OCSP, or CRL functions can also be affected, depending on how they configure NSS.
According to Mozilla, the vulnerability does not affect the Mozilla Firefox browser, but all PDF viewers and email clients that use NSS to verify signatures are affected. According to official statistics, NSS is actively used by developers at Mozilla, Red Hat, SUSE and others, as part of the following products:
- Firefox, Thunderbird, SeaMonkey and Firefox OS;
- open source client applications including Evolution, Pidgin, Apache OpenOffice and LibreOffice;
- Red Hat server products: Red Hat Directory Server, Red Hat Certificate System, and the SSL mod_nss module for the Apache web server;
- Oracle server products, including Oracle Communications Messaging Server and Oracle Directory Server Enterprise Edition;
- SUSE Linux Enterprise Server supports NSS and the SSL mod_nss module for the Apache web server.
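For teams inventorying the products above, the following added example (not from Mozilla or the original article) triages NSS version strings against the two fixed releases the article names, 3.68.1 on the ESR branch and 3.73 otherwise. The host names and version strings are constructed sample data, and the function names are hypothetical.

```python
import re

# Fixed releases named in the article.
FIXED_ESR = (3, 68, 1)       # 3.68.x ESR branch
FIXED_MAINLINE = (3, 73, 0)  # all other branches


def parse_nss_version(text):
    """Extract (major, minor, patch) from strings like '3.68.1' or 'nss-3.71-2.fc35'."""
    m = re.search(r"(?<![\d.])(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no NSS version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(text):
    """True if the upstream version predates the fix for CVE-2021-43527."""
    v = parse_nss_version(text)
    if v[:2] == FIXED_ESR[:2]:
        # Assumption: every 3.68.x release from 3.68.1 onward carries the fix.
        return v < FIXED_ESR
    return v < FIXED_MAINLINE


def triage(inventory):
    """Map host -> 'VULNERABLE' / 'fixed' / 'unknown' for a {host: version} dict."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "VULNERABLE" if is_vulnerable(version) else "fixed"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (host names and versions are made up).
SAMPLE = {
    "mail-gw-01": "3.68",
    "mail-gw-02": "3.68.1",
    "pdf-render": "nss-3.71-2.fc35",
    "ldap-01": "3.73",
    "legacy-box": "3.44.0",
    "broken-agent": "n/a",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:14} {SAMPLE[host]:18} {status}")
```

Distribution packages can carry a backported fix without changing the upstream version number, so treat a VULNERABLE result as a prompt to check the vendor advisory for that package.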
Let me remind you that we also reported that Mozilla Firefox developers fixed two 0-day vulnerabilities.