The Mozilla Foundation has patched a Critical memory corruption vulnerability in Network Security Services (NSS).
An attacker could exploit this vulnerability to take control of impacted systems.
The NSS update, published as Mozilla Foundation Security Advisory 2021-51, fixes a memory corruption vulnerability in the handling of DER-encoded DSA and RSA-PSS signatures (CVE-2021-43527).
NSS is a set of crypto libraries designed to support cross-platform development of security-enabled client and server applications.
“Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS,” Mozilla noted in the advisory.
NSS versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures.
Although the issue does not affect Mozilla Firefox, Mozilla said email clients and PDF viewers that use NSS for signature verification (e.g., Thunderbird, LibreOffice, Evolution and Evince) are likely affected.
The vulnerability was discovered by Tavis Ormandy of Google Project Zero and is rated Critical severity.
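The fixed versions named above (3.73 and 3.68.1 ESR) can be turned into a simple inventory check. The following is an added example, not code from Mozilla or the NSS project: the function names and the host inventory are constructed for illustration, 3.68.x is read as the ESR branch, and only upstream version numbers are compared, so distribution packages that may carry a backported fix are set aside for review against the vendor's own advisory.

```python
import re

# Fixed releases named in the text above; 3.68.x is read here as the ESR branch.
FIXED_MAINLINE = (3, 73)
FIXED_ESR = (3, 68, 1)

_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_nss_version(text):
    """Turn an upstream NSS version ('3.72', '3.68.1') into a tuple of ints."""
    m = _VERSION.fullmatch(text.strip())
    if m is None:
        # Distro package strings (epochs, release suffixes) are rejected on
        # purpose: they may carry backported fixes this check cannot see.
        raise ValueError(f"not an upstream NSS version: {text!r}")
    parts = [int(g) for g in m.groups() if g is not None]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(version_text):
    """True if the version predates the fix on its branch."""
    v = parse_nss_version(version_text)
    if v[:2] == FIXED_ESR[:2]:
        return v < FIXED_ESR          # ESR branch: fixed from 3.68.1
    return v[:2] < FIXED_MAINLINE     # everything else: fixed from 3.73


def triage(inventory):
    """Split {host: version} into (vulnerable, fixed, needs_review) host lists."""
    vulnerable, fixed, review = [], [], []
    for host, version in sorted(inventory.items()):
        try:
            (vulnerable if is_vulnerable(version) else fixed).append(host)
        except ValueError:
            review.append(host)
    return vulnerable, fixed, review


# Constructed inventory for illustration; not real hosts or package data.
SAMPLE_INVENTORY = {
    "mail-01": "3.68", "mail-02": "3.68.1",
    "desk-17": "3.72", "desk-18": "3.73",
    "build-03": "2:3.61-1+example",
}

if __name__ == "__main__":
    for label, hosts in zip(("VULNERABLE", "fixed", "review"), triage(SAMPLE_INVENTORY)):
        print(f"{label}: {', '.join(hosts) or '-'}")
```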