Under certain conditions, verifications of signatures by Mozilla’s Network Security Services (NSS) crypto library could lead to errors. If attacks are successful, malicious code could reach computers. Versions that are protected against such attacks are available.
NSS is supposed to ensure the secure communication between client and server. The program library is used, for example, in the Thunderbird email client, LibreOffice and various PDF viewers. According to a warning from Mozilla if the in-house web browser Firefox is not different from the “critical“Classified vulnerability (CVE-2021-43527).
According to Mozilla, the processing of DSA or RSA-PSS signatures encrypted with DER triggers a memory error (heap overflow). Errors can also occur when processing and validating CMS, CRL, OCSP, PKCS # 7, PKCS # 12, S / MIME and X.509, depending on the configuration.
The developers assure the vulnerability in the versions NSS 3.68.1 and 3.73 to have closed. All previous editions are said to be vulnerable. Now all developers who use NSS have to update their applications so that users can install secured versions.
Google’s flagship security researcher Tavis Ormandy discovered the loophole. In a contribution he explains the problems. He christened the gap BigSig. According to him, just receiving a mail signed with S / MIME could initiate an attack.