Mozilla released patches for its cross-platform Network Security Services (NSS) cryptographic library. The vulnerability they address can be exploited to crash an application or execute arbitrary code remotely.
The vulnerability, tracked as CVE-2021-43527, affects NSS versions before 3.73 or 3.68.1 ESR. It is a heap overflow that occurs when handling digital signatures, such as DSA and RSA-PSS signatures, encoded in the DER format. Tavis Ormandy of Google Project Zero identified the vulnerability.
“NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures,” Mozilla said in an advisory published Wednesday. “Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted.”
The bug, the consequence of a missing bounds check that could allow the execution of arbitrary attacker-controlled code, is said to have been exploitable dating all the way back to June 2012. “The striking thing about this vulnerability is just how simple it is,” Ormandy said in a technical write-up.
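An added illustration of the bug class described above, not NSS source code and not taken from Ormandy's write-up: a DER-encoded signature is copied into a fixed-size buffer only after its declared length has been checked against both the input and the destination. The names `verify_ctx`, `SIG_BUF_MAX`, `der_read_tlv` and `ctx_set_signature`, the 256-byte capacity and the OCTET STRING wrapping are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SIG_BUF_MAX 256            /* assumed capacity, not an NSS constant */

typedef struct {                   /* hypothetical verification context */
    uint8_t sig[SIG_BUF_MAX];
    size_t  sig_len;
} verify_ctx;

/* Read one DER TLV header from in[0..in_len). Returns 0 on success and sets
 * *body / *body_len to the value bytes. Non-minimal length encodings are
 * accepted here for brevity; a strict DER parser would reject them. */
static int der_read_tlv(const uint8_t *in, size_t in_len, uint8_t want_tag,
                        const uint8_t **body, size_t *body_len)
{
    if (in_len < 2 || in[0] != want_tag) return -1;
    size_t len = in[1], hdr = 2;
    if (len & 0x80) {              /* long form: low 7 bits count length octets */
        size_t n = len & 0x7f;
        if (n == 0 || n > sizeof(size_t) || in_len < 2 + n) return -1;
        len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | in[2 + i];
        hdr += n;
    }
    if (len > in_len - hdr) return -1;   /* declared length must fit the input */
    *body = in + hdr;
    *body_len = len;
    return 0;
}

/* Copy a DER OCTET STRING signature into the fixed buffer; 0 on success. */
int ctx_set_signature(verify_ctx *ctx, const uint8_t *der, size_t der_len)
{
    const uint8_t *sig;
    size_t sig_len;
    if (der_read_tlv(der, der_len, 0x04, &sig, &sig_len) != 0) return -1;
    /* The bounds check: sender-chosen length versus destination capacity.
     * Without this line the memcpy below writes past ctx->sig on the heap. */
    if (sig_len > sizeof ctx->sig) return -1;
    memcpy(ctx->sig, sig, sig_len);
    ctx->sig_len = sig_len;
    return 0;
}
```

A signature that is well-formed DER but longer than the buffer is rejected instead of copied, which is the property the missing check failed to enforce.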
Although Mozilla’s Firefox web browser, email client and PDF viewers are safe from the vulnerability, other applications that use NSS for signature verification, such as Red Hat, Thunderbird, LibreOffice, Evolution and Evince, are affected by the vulnerability.
“This is a major memory corruption flaw in NSS, almost any use of NSS is affected,” Ormandy tweeted. “If you are a vendor that distributes NSS in your products, you will most likely need to update or backport the patch.”