
Elastic Compute Service:Vulnerability announcement | NSS memory corruption vulnerability (CVE-2021-43527)

Last Updated: Mar 21, 2025

Recently, Mozilla issued a security advisory for a heap buffer overflow in Mozilla Network Security Services (NSS). A remote code execution flaw was found in the way NSS verifies certificates. This flaw allows an attacker posing as an SSL/TLS server to trigger a heap overflow in a client application compiled with NSS when that client attempts to initiate an SSL/TLS connection. Similarly, a heap overflow can also be triggered when a server application compiled with NSS processes client certificates.

Detected vulnerability

  • Vulnerability ID: CVE-2021-43527

  • Vulnerability severity: high

  • Affected versions: NSS versions earlier than 3.73 or 3.68.1 ESR

Details

NSS is a set of libraries that support cross-platform development of security-enabled client and server applications. It provides optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side.

NSS versions earlier than 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when NSS handles DER-encoded DSA or RSA-PSS signatures. Affected applications:

  • Applications that use NSS to handle signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 may be impacted.

  • Applications that use NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted.

Note

You can run the curl -V command to view the version of the NSS library that the operating system's default curl is built against.

Security suggestions

Run the curl -V command to check whether the NSS version is earlier than 3.73 or 3.68.1 ESR. If it is, upgrade NSS to a fixed version as soon as possible. Run the following command to fix the vulnerability:

yum clean all && yum install -y nss
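The check described above, written out as an added example that is not part of this announcement: it pulls the NSS version out of curl -V output and compares it with the fixed releases (3.73, or 3.68.1 on the ESR branch). The curl -V sample embedded in the script is constructed.

```sh
#!/bin/sh
# Added example, not part of the announcement: parse the NSS version that
# curl reports and test it against the fixed releases named above
# (3.73, or 3.68.1 on the ESR branch). Sample curl output is constructed.

# Extract the "NSS/x.y[.z]" token from `curl -V` output read on stdin.
nss_version_from_curl() {
    sed -n 's|.*NSS/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Exit status 0 means the given NSS version is affected by CVE-2021-43527.
nss_vulnerable() {
    case "$1" in
        ''|*[!0-9.]*) echo "unparseable NSS version: '$1'" >&2; return 2 ;;
    esac
    major=$(printf '%s\n' "$1" | cut -d. -f1)
    minor=$(printf '%s\n' "$1" | cut -s -d. -f2)
    patch=$(printf '%s\n' "$1" | cut -s -d. -f3)
    minor=${minor:-0}
    patch=${patch:-0}
    [ "$major" -lt 3 ] && return 0                         # 2.x and older
    [ "$major" -gt 3 ] && return 1                         # any future 4.x
    [ "$minor" -ge 73 ] && return 1                        # 3.73 and later
    [ "$minor" -eq 68 ] && [ "$patch" -ge 1 ] && return 1  # 3.68.1 ESR and later
    return 0                                               # 3.0 .. 3.72, incl. 3.68.0
}

# Read `curl -V` output on stdin and print the verdict for this host.
report() {
    ver=$(nss_version_from_curl)
    if [ -z "$ver" ]; then
        echo "curl is not linked against NSS; check the nss package directly"
        return 0
    fi
    if nss_vulnerable "$ver"; then
        echo "NSS $ver is affected: run 'yum clean all && yum install -y nss'"
    else
        echo "NSS $ver is not affected by CVE-2021-43527"
    fi
}

# Constructed sample of `curl -V` output from an older RHEL/CentOS 7 image.
sample='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.36 zlib/1.2.7 libidn/1.28 libssh2/1.4.3'
printf '%s\n' "$sample" | report

# On a real host, feed curl's own output instead of the sample.
if command -v curl >/dev/null 2>&1; then
    curl -V 2>/dev/null | report
fi
```

This only inspects the NSS copy that curl links against; applications that bundle their own NSS build must be checked separately.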

References

CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures

Announcing party

Alibaba Cloud Computing Co., Ltd.