Recently, Mozilla issued a security advisory regarding a buffer heap overflow in Network Security Services (NSS). This remote code execution vulnerability stems from how NSS validates certificates. An attacker can impersonate a TLS/SSL server to trigger a heap overflow in client applications compiled with NSS. A heap overflow can also be triggered in server applications compiled with NSS when processing client certificates.
Vulnerability details
Vulnerability ID: CVE-2021-43527
Vulnerability severity: High
Affected versions: NSS versions earlier than 3.73 or 3.68.1 ESR
Description
NSS (Network Security Services) is a set of libraries that support cross-platform development of secure client and server applications. It provides optional support for server-side hardware TLS/SSL acceleration and client-side smart cards.
NSS versions earlier than 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when processing DER-encoded DSA or RSA-PSS signatures. The following may be affected:
Applications that use NSS to process signatures encoded in CMS, S/MIME, PKCS #7, or PKCS #12.
Applications that use NSS for certificate validation or other TLS, X.509, OCSP, or CRL functions.
You can run the curl -V command to check the default NSS version on your system.
Remediation
Check if your NSS version is earlier than 3.73 or 3.68.1 ESR by running the curl -V command. If it is, upgrade NSS to a secure version immediately. To apply the fix, run the following command:
yum clean all && yum install -y nssReferences
CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures
Announcing party
Alibaba Cloud Computing Co., Ltd.