Security News > 2021 > December > Critical Bug in Mozilla’s NSS Crypto Library Potentially Affects Several Other Software
Mozilla has rolled out fixes to address a critical security weakness in its cross-platform Network Security Services cryptographic library that could be potentially exploited by an adversary to crash a vulnerable application and even execute arbitrary code.
Tracked as CVE-2021-43527, the flaw affects NSS versions prior to 3.73 or 3.68.1 ESR, and concerns a heap overflow vulnerability when verifying digital signatures such as DSA and RSA-PSS algorithms that are encoded using the DER binary format.
"NSS versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures," Mozilla said in an advisory published Wednesday.
"Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted."
NSS is a collection of open-source cryptographic computer libraries designed to enable cross-platform development of client-server applications, with support for SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.
While the BigSig shortcoming doesn't affect Mozilla's Firefox web browser itself, email clients, PDF viewers, and other applications that rely on NSS for signature verification, such as Red Hat, Thunderbird, LibreOffice, Evolution, and Evince, are believed to be vulnerable.
News URL
https://thehackernews.com/2021/12/critical-bug-in-mozillas-nss-crypto.html
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-12-08 | CVE-2021-43527 | Out-of-bounds Write vulnerability in multiple products NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. | 9.8 |