Network Security Services vulnerability fixed in Mozilla

Mozilla has released fixes to fix a critical vulnerability in Network Security Services (NSS) that could potentially be used to cause an application crash and execute arbitrary code. The error was discovered by Tavis Ormandy from Google Project Zero and was named BigSig.

NSS is a set of open-source cryptographic computer libraries designed for cross-platform development of client-server applications with support for SSL v3, TLS, PKCS5, PKCS7, PKCS11, PKCS12, X.509 v3, and other security standards. NSS is used by many companies, including AOL, Red Hat, and Google.

CVE-2021-43527 affects current versions of NSS up to 3.73 or 3.68.1 ESR and consists of a heap-based buffer overflow when verifying DSA and RSA-PSS digital signatures that are encoded using the binary DER format.

BigSig does not affect Mozilla Firefox itself, but mail clients, PDF file viewers, users of cryptocurrency anonymization tools such as bitcoin tumbler services and other applications based on NSS for signature verification, such as Red Hat, Thunderbird, LibreOffice, Evolution, and Evince can be considered vulnerable.

The vulnerability itself, according to experts, is unique in its simplicity and age (since version 3.14, released in October 2012).