Mozilla has rolled out fixes to address a critical security weakness in its cross-platform Network Security Services (NSS) cryptographic library that could potentially be exploited by an adversary to crash a vulnerable application and even execute arbitrary code.


Tracked as CVE-2021-43527, the flaw affects NSS versions prior to 3.73 or 3.68.1 ESR, and concerns a heap overflow vulnerability when verifying digital signatures such as DSA and RSA-PSS algorithms that are encoded using the DER binary format. Credited with reporting the issue is Tavis Ormandy of Google Project Zero, who codenamed it "BigSig."


"NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures," Mozilla said in an advisory published Wednesday. "Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted."

NSS is a collection of open-source cryptographic computer libraries designed to enable cross-platform development of client-server applications, with support for SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.


The bug, the consequence of a missing bounds check that could allow the execution of arbitrary attacker-controlled code, is said to have been exploitable dating all the way back to June 2012. "The striking thing about this vulnerability is just how simple it is," Ormandy said in a technical write-up. "This issue demonstrates that even extremely well-maintained C/C++ can have fatal, trivial mistakes."
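The class of bug described above, shown as an added example that is neither NSS source code nor part of the original article: a simplified C model in which a DER-wrapped signature is copied into a fixed-size verification buffer only after its declared length is checked against both the input and the buffer capacity. The names `verify_ctx`, `ctx_load_signature` and `der_length`, the 2048-byte capacity and the OCTET STRING container are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not NSS source: a verification context that keeps
 * the signature in a fixed-size buffer. The capacity is an assumed value. */
#define SIG_BUF_MAX 2048
typedef struct { uint8_t sig[SIG_BUF_MAX]; size_t sig_len; } verify_ctx;

/* Parse a DER length field at p (short form, or long form with up to 4
 * length octets). Returns the header bytes consumed, or 0 on error. */
static size_t der_length(const uint8_t *p, size_t avail, size_t *out)
{
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *out = p[0]; return 1; }       /* short form */
    size_t n = p[0] & 0x7f;                            /* long form  */
    if (n == 0 || n > 4 || avail < 1 + n) return 0;
    size_t len = 0;
    for (size_t i = 0; i < n; i++) len = (len << 8) | p[1 + i];
    *out = len;
    return 1 + n;
}

/* Load a signature carried in a DER OCTET STRING (tag 0x04) into ctx.
 * Returns 0 on success, -1 if the input is malformed or too large. */
int ctx_load_signature(verify_ctx *ctx, const uint8_t *der, size_t der_len)
{
    size_t len, hdr;
    if (der_len < 2 || der[0] != 0x04) return -1;
    hdr = der_length(der + 1, der_len - 1, &len);
    if (hdr == 0) return -1;
    if (len > der_len - 1 - hdr) return -1;   /* declared length exceeds input */
    if (len > sizeof ctx->sig) return -1;     /* bounds check: larger than buffer */
    memcpy(ctx->sig, der + 1 + hdr, len);
    ctx->sig_len = len;
    return 0;
}

int main(void)
{
    /* Constructed input: header declares 2049 bytes, one more than capacity. */
    static uint8_t big[4 + SIG_BUF_MAX + 1] = { 0x04, 0x82, 0x08, 0x01 };
    verify_ctx ctx;
    printf("oversized signature: %d\n", ctx_load_signature(&ctx, big, sizeof big));
    return 0;
}
```

Without the `len > sizeof ctx->sig` line, the `memcpy` would write past the end of the buffer for any signature larger than the assumed capacity.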


While the BigSig shortcoming doesn't affect Mozilla's Firefox web browser itself, e-mail clients, PDF viewers, and other applications that rely on NSS for signature verification, such as Red Hat, Thunderbird, LibreOffice, Evolution, and Evince, are believed to be vulnerable.


"This is a major memory corruption flaw in NSS, almost any use of NSS is affected," Ormandy tweeted. "If you are a vendor that distributes NSS in your products, you will most likely need to update or backport the patch."
