Mozilla has recently fixed a critical memory corruption vulnerability using their vulnerability manager. This was affecting its cross-platform Network Security Services (NSS) set of cryptographic libraries. Companies like AOL, Red Hat, and Google, as well as other organizations, use Network Security Services (NSS) as an open-source implementation of crypto libraries to support the development of security-enabled client and server applications across multiple platforms. All of these were Critical Vulnerabilities In Cryptographic Libraries. A good Vulnerability Management Tool can prevent these attacks.
NSS applications support network security standards like SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, and X.509 v3 certificates. Vulnerability Management System can resolve these issues.
Google’s Project Zero member, Tavis Ormandy, discovered and reported the flaw, naming it BigSig. The vulnerability is granting the CVE identifier CVE-2021-43527.
This is a major memory corruption flaw in NSS, almost any use of NSS is affected. The Mozilla advisory is here https://t.co/AL8suyLQFF https://t.co/uTQ2gqRZ5t
— Tavis Ormandy (@taviso) December 1, 2021
The critical vulnerability exists in the way NSS handles DER-encoded DSA or RSA-PSS signatures, leading to a heap overflow vulnerability. When a DSA or RSA-PSS digital signature encoded using the DER binary format is verified, no bounds are checked done on the length of the signature. “sig and key are arbitrary-length, attacker-controlled blobs,” as said by Ormandy. “The untrusted signature is simply copied into this fixed-sized buffer, overwriting adjacent members with arbitrary attacker-controlled data.”
Below is the Critical vulnerability part of the code for RSA-PSS:
case rsaPssKey:
sigLen = SECKEY_SignatureLen(key);
if (sigLen == 0) {
/* error set by SECKEY_SignatureLen */
rv = SECFailure;
break;
}
if (sig->len != sigLen) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
rv = SECFailure;
break;
}
PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
break;Proof-of-Concept
The steps to reproduce as given by Ormandy are:
We need 16384 bits to fill the buffer, then 32 + 64 + 64 + 64 bits to overflow to hashobj.
$ openssl genpkey -algorithm rsa-pss -pkeyopt rsa_keygen_bits:$((16384 + 32 + 64 + 64 + 64)) -pkeyopt rsa_keygen_primes:5 -out bigsig.key
Generate a self-signed certificate from that key
$ openssl req -x509 -new -key bigsig.key -subj "/CN=BigSig" -sha256 -out bigsig.cer
Verify it with NSS
$ vfychain -a bigsig.cer
Segmentation fault
Tavis has also published a detailed write-up of the vulnerability, available here.
Affected Versions by Critical Vulnerability In Cryptographic Libraries
- NSS versions before 3.73
- NSS ESR versions before 3.68.1
Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS.
Mozilla also added a note stating that the critical vulnerability In cryptographic libraries does not impact Mozilla Firefox. This impacts Email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution, and Evince.
Solution
Mozilla has patched this critical vulnerability in NSS 3.73.0.The advisory recommends that vendors distributing NSS in their products update or backport the patch.
SanerNow VM and SanerNow PM detect this vulnerability and automatically fix them by applying security updates. Use SanerNow and keep your systems updated and secure.