According to Ormandy, the vulnerability tracked as CVE-2021-43527 and categorized as Critical involves several email clients and PDF viewers with flawed NSS versions of DER-encoded DSA or RSA-PSS signatures. can cause a heap-based buffer overflow when validating. BleepingComputer reported on the development, NSS has been used to develop several security-aware client and server apps, including SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X supports .509 v3 certificates and various other security standards.
Cybersecurity researchers at Google helped fix a critical memory corruption vulnerability affecting Mozilla’s cross-platform Network Security Services (NSS) cryptographic library suite. “We have discovered a critical vulnerability in Network Security Services (NSS). NSS is the Mozilla project’s cross-platform cryptography library. In 2021 every good bug needs a catchy name, so this is called “BigSig,” writes Tavis Ormandy of Google Project Zero.
In a statement, Ormandy added that the bug likely affected all versions of NSS since 3.14, which was released in October 2012, almost a decade ago. Exploitation of this bug could crash the application or even allow an attacker to execute arbitrary code. Mozilla has fixed bugs in NSS 3.68.1 and NSS 3.73 and clarified in the advisory that they do not affect Firefox, Mozilla’s popular web browser. Instead, any open-source app that uses NSS to verify signatures (Thunderbird, LibreOffice, email client Evolution, PDF reader Evince, etc.) is believed to be potentially vulnerable.