A security researcher from Google Project Zero discovered a critical and easily exploitable “BigSig” vulnerability in Mozilla’s NSS cryptographic library. Despite being easy to spot, and despite recurrent fuzzing, the flaw escaped the attention of the security team for years.
“BigSig” Bug In NSS Cryptographic Library
Google’s Tavis Ormandy, from the Project Zero team, has shared details about the NSS library vulnerability in a recent post. As elaborated, he found the bug in Mozilla’s famous Network Security Services (NSS) library while “experimenting with alternative methods for measuring code coverage”.
According to Ormandy, Mozilla fuzzes its NSS library continuously, yet this trivial vulnerability still escaped their attention. Describing it further, Ormandy stated,
The original code was checked in with ECC support on the 17th October 2003, but wasn’t exploitable until some refactoring in June 2012. In 2017, RSA-PSS support was added and made the same error.
As explained, the researcher’s method for finding this bug involved two approaches: stack coverage and object isolation. Nonetheless, the researcher believes that this bug should have been caught even with “rudimentary fuzzing”.
As elaborated in the bug report, the bug was basically a memory corruption flaw, which the researcher named “BigSig”.
When you verify a digital signature, NSS will create a VFYContext structure to store the necessary data. This includes things like the public key, the hash algorithm, and the signature itself…
The maximum size signature that this structure can handle is whatever the largest union member is, in this case that’s RSA at 2048 bytes. That’s 16384 bits, large enough to accommodate signatures from even the most ridiculously oversized keys.
The bug (CVE-2021-43527) appears when a signature exceeds that size.
The untrusted signature is simply copied into this fixed-sized buffer, overwriting adjacent members with arbitrary attacker-controlled data.
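The copy described above, sketched with the length checks it was missing. This is an added example, not code from NSS or from the bug report: `demo_vfy_ctx`, `demo_set_signature`, `demo_try`, the `guard` field, the DSA size and the `expected_len` parameter are hypothetical, and only the 2048-byte RSA limit comes from the article.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_MAX_DSA_SIG 64     /* constructed size, for illustration only */
#define DEMO_MAX_RSA_SIG 2048   /* largest union member, per the article */
#define DEMO_GUARD 0xC0FFEEu

/* Hypothetical, simplified model of a verification context: a fixed-size
 * signature union followed by other members. Not the NSS definition. */
typedef struct {
    union {
        uint8_t dsasig[DEMO_MAX_DSA_SIG];
        uint8_t rsasig[DEMO_MAX_RSA_SIG];
    } u;
    uint32_t guard;             /* stands in for the adjacent members */
} demo_vfy_ctx;

/* Copy an untrusted signature into the context. Returns 0 on success, -1 if
 * rejected. An unchecked memcpy(&ctx->u, sig, len) here is the flawed pattern. */
int demo_set_signature(demo_vfy_ctx *ctx, const uint8_t *sig, size_t len,
                       size_t expected_len)
{
    if (ctx == NULL || sig == NULL || len == 0)
        return -1;
    if (len > sizeof ctx->u)    /* never exceed the destination buffer */
        return -1;
    if (len != expected_len)    /* assumption: length implied by the key */
        return -1;
    memcpy(&ctx->u, sig, len);
    return 0;
}

/* Feed a constructed signature of len bytes; returns the result code, or -2
 * if the member next to the buffer was modified. */
int demo_try(size_t len, size_t expected_len)
{
    static uint8_t sig[4096];   /* constructed input, not a real signature */
    demo_vfy_ctx ctx = { .guard = DEMO_GUARD };
    if (len > sizeof sig) return -1;
    memset(sig, 0x41, sizeof sig);
    int rc = demo_set_signature(&ctx, sig, len, expected_len);
    return ctx.guard == DEMO_GUARD ? rc : -2;
}

int main(void)
{
    printf("2048-byte: %d, 2049-byte: %d\n", demo_try(2048, 2048), demo_try(2049, 2049));
}
```

The size check alone prevents the overwrite; comparing against the length the key implies additionally rejects signatures that fit the buffer but cannot be valid for that key.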
The researcher explained that this bug affects multiple algorithms and is easy to reproduce. Describing the vulnerable versions further, he wrote,
NSS since 3.14 (released October 2012) are vulnerable.
Mozilla Firefox Remains Unaffected
Following the bug report, Mozilla started working on a fix, which it has now released with NSS 3.73.0.
Email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted.