Mozilla patches critical vulnerability in Network Security Services (NSS)

by Emma Davis
December 2, 2021
Mozilla NSS vulnerability
Written by Emma Davis

Mozilla has patched a critical memory integrity vulnerability affecting the Network Security Services (NSS) cross-platform cryptographic library set.

NSS is a set of open source cryptographic libraries that is used to develop client and server applications with SSL v3, TLS, PKCS # 5, PKCS # 7, PKCS # 11, PKCS # 12, S / MIME, X.509 v3 certificates and other standard security.

Tavis Ormandy

Tavis Ormandy

The vulnerability was discovered by Google Project Zero specialist Tavis Ormandy in NSS earlier than version 3.73 or 3.68.1 ESR. The issue was identified as CVE-2021-43527 and is related to a heap buffer overflow that occurs when DSA or RSA-PSS DER signatures are processed in email clients and PDF viewers using vulnerable versions of NSS (fixed in NSS 3.68.1 and NSS 3.73).

Ormandy says that successful exploitation of a bug can lead to both program failure and arbitrary code execution, bypassing security systems. Mozilla developers, in turn, note that the vulnerability likely affects applications that use NSS to handle signatures encoded using CMS, S / MIME, PKCS # 7 and PKCS # 12. Also, applications that use NSS for certificate validation and other TLS, X.509, OCSP, or CRL functions (depending on how they configure NSS) can have problems.

We believe that all versions of NSS since version 3.14 (released in October 2012) are vulnerable. Mozilla plans to compile a detailed list of vulnerable APIs, but essentially all standard NSS uses are affected.Ormandy warns.

According to Mozilla, the vulnerability does not affect the Mozilla Firefox browser, but all PDF viewers and email clients that use NSS to verify signatures are affected. According to official statistics, NSS is actively used by developers of Mozilla, Red Hat, SUSE and not only, as part of the following products:

  1. Firefox, Thunderbird, SeaMonkey and Firefox OS;
  2. open source client applications including Evolution, Pidgin, Apache OpenOffice and LibreOffice;
  3. Red Hat server products: Red Hat Directory Server, Red Hat Certificate System, and the SSL mod_nss module for the Apache web server.
  4. Oracle server products, including Oracle Communications Messaging Server and Oracle Directory Server Enterprise Edition;
  5. SUSE Linux Enterprise Server supports NSS and the SSL mod_nss module for the Apache web server.

Let me remind you that we also talked about the fact that Mozilla Firefox developers fixed two 0-day vulnerabilities.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

View all posts

Leave a Reply

Sending