Security News > 2021 > December > Critical Bug in Mozilla’s NSS Crypto Library Potentially Affects Several Other Software

Mozilla has rolled out fixes to address a critical security weakness in its cross-platform Network Security Services cryptographic library that could be potentially exploited by an adversary to crash a vulnerable application and even execute arbitrary code.

Tracked as CVE-2021-43527, the flaw affects NSS versions prior to 3.73 or 3.68.1 ESR, and concerns a heap overflow vulnerability when verifying digital signatures such as DSA and RSA-PSS algorithms that are encoded using the DER binary format.

"NSS versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures," Mozilla said in an advisory published Wednesday.

"Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted."

NSS is a collection of open-source cryptographic computer libraries designed to enable cross-platform development of client-server applications, with support for SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.

While the BigSig shortcoming doesn't affect Mozilla's Firefox web browser itself, email clients, PDF viewers, and other applications that rely on NSS for signature verification, such as Red Hat, Thunderbird, LibreOffice, Evolution, and Evince, are believed to be vulnerable.

News URL

https://thehackernews.com/2021/12/critical-bug-in-mozillas-nss-crypto.html