Mozilla has released a fix for a critical security weakness in the cross-platform Network Security Services (NSS) cryptographic library that could be exploited by an attacker to crash a vulnerable application and even execute arbitrary code.
The defect, tracked as CVE-2021-43527, affects NSS versions prior to 3.73 or 3.68.1 ESR and is a heap overflow in the verification of DSA and RSA-PSS digital signatures encoded in the DER binary format. It was reported by Tavis Ormandy of Google Project Zero, who codenamed it BigSig.
“NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when processing DER-encoded DSA or RSA-PSS signatures,” the advisory published on Wednesday said. “Applications that use NSS to process signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 may be affected.”
NSS is a set of open source cryptographic libraries designed to enable cross-platform development of client-server applications that support SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.
“The bug is the result of a lack of boundary checks that could allow the execution of arbitrary code controlled by an attacker, and is said to have been exploitable as far back as June 2012,” Ormandy said in a technical write-up.
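The defect class described above, as an added illustration that is not NSS's own code: a simplified verification context that holds the signature under test in a fixed-size buffer (the buffer size, the struct layout and the function names are assumptions for this model), with the unchecked copy beside a length-checked version that rejects oversized input before it reaches the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Illustrative model only (not NSS code): a verifier context that keeps the
 * signature being checked in a fixed-size buffer sized for the largest
 * signature the verifier expects. The size is an assumption for the demo. */
#define MAX_SIG_LEN 64

struct vfy_ctx {
    uint8_t sig[MAX_SIG_LEN];
    size_t  sig_len;
};

/* Vulnerable pattern: the length recovered from the DER-encoded signature is
 * trusted as-is. A signature longer than MAX_SIG_LEN overruns ctx->sig and
 * corrupts whatever follows it on the heap. */
int set_signature_unchecked(struct vfy_ctx *ctx, const uint8_t *sig, size_t len)
{
    memcpy(ctx->sig, sig, len);   /* no bound on len */
    ctx->sig_len = len;
    return 0;
}

/* Hardened pattern: validate the decoded length against the buffer before any
 * byte is copied, and report the rejection to the caller. Returns 0 on
 * success and -1 when the signature cannot be accepted. */
int set_signature_checked(struct vfy_ctx *ctx, const uint8_t *sig, size_t len)
{
    if (ctx == NULL || sig == NULL || len == 0 || len > MAX_SIG_LEN)
        return -1;
    memcpy(ctx->sig, sig, len);
    ctx->sig_len = len;
    return 0;
}

int main(void)
{
    /* Constructed sample: a 32-byte stand-in for a decoded signature. */
    uint8_t sample[32];
    struct vfy_ctx ctx;
    memset(sample, 0x41, sizeof sample);
    return set_signature_checked(&ctx, sample, sizeof sample) == 0 ? 0 : 1;
}
```

The unchecked function is kept only to show the shape of the flaw; the demo and the test exercise the checked path.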
The BigSig flaw does not affect Mozilla’s Firefox web browser itself, but email clients, PDF viewers, and other applications that rely on NSS for signature verification, such as Red Hat, Thunderbird, LibreOffice, Evolution, and Evince, are considered vulnerable.
“This is a major memory corruption flaw in NSS, affecting almost all uses of NSS,” Ormandy said in a tweet. “Vendors that distribute NSS in their products may need to update or backport patches.”
A critical bug in Mozilla’s NSS crypto library can affect some other software
https://thehackernews.com/2021/12/critical-bug-in-mozillas-nss-crypto.html