Tavis Ormandy, a well-known vulnerability hunter of the Google Zero Project team, recently discovered one Serious security breach In Mozilla’s encryption code.
Many software vendors rely on third-party open source encryption tools, such as Open SSL, Or just connect to the built-in encryption library of the operating system itself, such as Microsoft’s Exit (Schannel) on Windows or Apple Secure transmission On macOS and iOS.
But Mozilla has always used it Own password library, As. .And be known National Security Agency, Shortage Cyber Security Service, Instead of relying on third-party or system-level code.
Ironically, this vulnerability will be exposed when the affected application begins to test the authenticity of the digital signature provided by the sender of content such as emails, PDF documents, or web pages.
In other words, protect your behavior by checking in advance whether the user or website you are dealing with is an imposter…
…Theoretically, it may cause you to be hacked by the said user or website.
As Ormandy indicated in his bug report, it is trivial to take advantage of this bug to completely crash the application, and it is not much harder to perform what you might call a “controlled crash”, and it can usually be converted RCE, abbreviated as Remote code execution.
The official name of the vulnerability is CVE-2021-43527, But Ormandy jokingly called it Big signature, Because it involves a buffer overflow caused by submitting a digital signature signed with an encryption key that is larger than the maximum key expected by NSS programming.
Buffer overflow
When a memory area with only X bytes of space is accidentally filled with Y bytes of data, a buffer overflow will be triggered, where Y> X.
Those extra (YX) bytes of “overflow” usually end up overwriting adjacent memory blocks that have been used for other purposes, such as too many misbehaving guests at a hotel room party, and they will eventually overflow into the corridor In the middle, breaking into a neighbor’s room usually annoys oneself.
Usually, this kind of memory corruption will cause vulnerable applications to deviate and enter some unknown and unknown memory areas. The operating system has no choice but to shut it down immediately, leading to a simple crash.
But in RCE, the attackers orchestrated the crash to mislead the application into their own code.
RCE is like a rogue hotel party. He not only breaks into your room and creates riots to wake you up, but also deliberately uses your temporary confusion to steal your laptop and wallet under the guise of pretending to apologize when chasing them. go out.
The bad news is that any application that uses the NSS library may be affected by this bug, including most Mozilla applications and several other popular open source programs.
Mozilla clearly lists the following affected content:
- Thunderbird, Mozilla’s own email client.
- Free office, A free alternative to the popular Microsoft Office.
- evolution, An open source calendar application.
- show, A popular PDF and image multi-format document viewer.
Good news, if you like to think this way, this is the mistake Cannot trigger in Firefox, So Mozilla’s popular browsers are not affected.
Of course, there are many other applications that are also vulnerable-for example, we are not sure if they are still active Sea monkey The project is essentially a Firefox-like browser and a Thunderbird-like email client packaged into an application, which is risky.
what happened?
The error boils down to code that makes the notorious and often dangerous assumptions “It’s too impossible, it’s almost certain that it will never happen, so it will never happen, so there is no need to check whether it happened”.
When verifying a digital signature, NSS allocates a block of memory to store all data related to the calculation, including the encryption public key required for verification.
The space reserved for the public key is calculated by calculating the maximum possible DSA key supported by NSS, the maximum possible elliptic curve (EC) key supported by NSS, and the maximum RSA key size, and then using the largest of them to select the value to ensure The buffer is “always large enough”.
As we all know, RSA keys are much larger than the keys of other encryption algorithms (this is one of the reasons why EC encryption replaces RSA), usually reaching 2048 bits or even 4096 bits, instead of the 256 or 512 bits usually required for EC keys.
But RSA keys larger than 4096 bits are very rare, not only because they are much larger than those strictly required to withstand today’s cracking tools, but also because they are much slower to create and use smaller keys, even on high-speed computers is also like this.
We have never seen or even heard of the use of 16384-bit RSA keys in real life, because their generation speed is usually 500 to 1000 times slower than 2048-bit keys, and these keys are still considered acceptable. Those who accept it will resist the attack.
In fact, the public key buffer allocated for NSS signature verification is 16384 bits long. This size should be enough for many years to come…
… Therefore, the code that copies the incoming public key into this buffer assumes that no one will bother to generate a larger RSA key, so it won’t bother to check whether the key it just received is actually suitable.
The bug fix is to add a size check code that should always be there.
What should I do?
- Update NSS. Many Linux distributions have a central copy of the NSS library, but some installed applications may include and use their own version of the library.You can search for files
libnss3.soFind out how many NSS instances are on your computer.Windows applications that use NSS usually include their own version; searchNSS3.DLL. If you are using the extended support version, you need version 3.73 or higher, or 3.68.1 ESR. See below for suggestions on how to locate any NSS library files on your computer and how to check the version you have. - Never skimp on error checking. Just because most people will not generate huge encryption keys does not mean that no one will do it, whether they are accidental (in this case it will cause the application to crash and cause a denial of service attack) or by design (In order to deliberately hack into your computer).
Tips for finding and versioning NSS files
On Linux, you can search for a copy of the NSS library code using the following command find Order. The output of our system is shown as an example.
We have Firefox, Tor, and LibreOffice installed, so we conclude from this output that Firefox and Tor have their own copies of the NSS library, and LibreOffice relies on the copy provided in our distribution /usr/lib64:
$ find / -type f -name 'libnss3.so' 2>/dev/null /usr/lib64/libnss3.so /opt/firefox/libnss3.so /opt/tor-browser_en-US/Browser/libnss3.so
On Windows, try DIR The command shown below, from a regular command prompt window (i.e. run CMD.EXE, Not PowerShell).
We have installed Firefox and LibreOffice, both of which contain copies of their own NSS3 library files, so they need to be updated through their own download sources. Remember, Firefox is not affected by this error, but LibreOffice is affected by this.
C:Usersduck> DIR C:NSS3.DLL /S
[. . .]
Directory of c:Program FilesLibreOfficeprogram
19/11/2021 11:18 1,089,680 nss3.dll
1 File(s) 1,089,680 bytes
Directory of c:Program FilesMozilla Firefox
19/11/2021 15:31 2,186,168 nss3.dll
1 File(s) 2,186,168 bytes
Total Files Listed:
2 File(s) 3,275,848 bytes
[. . .]
Determining the internal version number of the NSS file that appears in the roaming search can be tricky, because the only reliable way is to load the library and ask it to report itself.
On Linux
The following code works for us on Linux.Save as nsschk.c, Compile gcc -o nsschk nsschk.c -ldlAnd run ./nsschk Use the NSS library file you wish to check on the command line:
#include <stdio.h>
#include <stdlib.h>
#include <dlfcn.h>
void bail(char *msg) {
fprintf(stderr,"%sn",msg);
exit(1);
}
int main(int argc, char **argv) {
/* Use the command argument as the NSS library name, */
/* otherwise pick a sensible default for your distro. */
char *libname = argc>1 ? argv[1] : "/usr/lib64/libnss3.so";
printf("Using library file: %sn",libname);
void *nsslib = dlopen(libname,RTLD_LAZY);
if (nsslib == NULL) { bail("Can't dlopen() that file"); }
int (*initfn)(char *dir) = dlsym(nsslib,"NSS_NoDB_Init");
char *(*getvfn)(void) = dlsym(nsslib,"NSS_GetVersion");
if (initfn == NULL) { bail("Can't find NSS_NoDB_Init function"); }
if (getvfn == NULL) { bail("Can't find NSS_GetVersion function"); }
if ((*initfn)(".") != 0) { bail("Failed to initialise NSS"); }
printf("NSS Version: %sn",(*getvfn)());
return 0;
}
Our NSS file (see above) looks like this:
$ ./nsschk Using library file: /usr/lib64/libnss3.so NSS Version: 3.73 $ ./nsschk /opt/firefox/libnss3.so Using library file: /opt/firefox/libnss3.so NSS Version: 3.71 $ ./nsschk /opt/tor-browser_en-US/Browser/libnss3.so Using library file: /opt/tor-browser_en-US/Browser/libnss3.so NSS Version: 3.68
The release management version used by the vulnerable LibreOffice is the latest. Firefox and Tor may be updated by the Mozilla and Tor project respectively, but since they are obviously not affected by this error, we consider them to be safe.
On macOS
On Mac, you can use the same code, but you need to explicitly tell macOS which directory to use for NSS library files, or change the current directory to libnss3 Archive first.Also, search for both libnss3.so with libnss3.dylib, Because these two extensions are used in the macOS version.
For example, on our test Mac, we searched /Applications Folder of the NSS library:
$ find /Applications -type f -name 'libnss3.*' /Applications/Firefox.app/Contents/MacOS/libnss3.dylib /Applications/LibreOffice.app/Contents/Frameworks/libnss3.dylib /Applications/Thunderbird.app/Contents/MacOS/libnss3.dylib /Applications/TorBrowser.app/Contents/MacOS/libnss3.dylib $ DYLD_LIBRARY_PATH=/Applications/Firefox.app/Contents/MacOS ./nsschk libnss3.dylib Using library file: libnss3.dylib NSS Version: 3.71 $ DYLD_LIBRARY_PATH=/Applications/Thunderbird.app/Contents/MacOS ./nsschk libnss3.dylib Using library file: libnss3.dylib NSS Version: 3.68 $ DYLD_LIBRARY_PATH=/Applications/TorBrowser.app/Contents/MacOS ./nsschk libnss3.dylib Using library file: libnss3.dylib NSS Version: 3.53.1 $ DYLD_LIBRARY_PATH=/Applications/LibreOffice.app/Contents/Frameworks ./nsschk libnss3.dylib Using library file: libnss3.dylib NSS Version: 3.55
On windows
Some modifications produced code that worked for us on Windows. Ensure that Windows finds all additional DLLs NSS3.DLL The library needs, change the directory to NSS3.DLL Version resides and runs NSSCHK.EXE The commands in this directory.
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
void bail(char *msg) {
fprintf(stderr,"%sn",msg);
exit(1);
}
int main(int argc, char **argv) {
/* On Windows, we look for NSS3.DLL in the current */
/* directory only, to help ensure we find its friends */
char *libname = "./NSS3.DLL";
printf("Using library file: %sn",libname);
HMODULE nsslib = LoadLibrary(libname);
if (nsslib == NULL) {
fprintf(stderr,"Error: %dn",GetLastError());
bail("LoadLibrary() failed on that file");
}
int (*initfn)(char *dir) = GetProcAddress(nsslib,"NSS_NoDB_Init");
char *(*getvfn)(void) = GetProcAddress(nsslib,"NSS_GetVersion");
if (initfn == NULL) { bail("Can't find NSS_NoDB_Init() function"); }
if (getvfn == NULL) { bail("Can't find NSS_GetVersion() function"); }
if ((*initfn)(".") != 0) { bail("Failed to initialise NSS"); }
printf("NSS Version: %sn",(*getvfn)());
return 0;
}
Our results are as follows:
C:Usersduck>cd "Program FilesMozilla Firefox" C:Program FilesMozilla Firefox>UsersduckNSSCHK.EXE Using library file: ./NSS3.DLL NSS Version: 3.71 C:Program FilesMozilla Firefox>cd "Program FilesLibreOfficeprogram" C:Program FilesLibreOfficeprogram>UsersduckNSSCHK.EXE Using library file: ./NSS3.DLL NSS Version: 3.55
We infer from the above output that LibreOffice on Windows is currently vulnerable (we downloaded the latest version for this test), so please pay attention to the update notification and get the new version as soon as the patched version is available.
Go to Options > Free office > Online update Dialog box and click [Check Now] Check if a new version is available.
You can also right click NSS3.DLL File in Windows Explorer and select characteristic > detail, But the version string seems to depend on how the app package was built, so it might not show the actual NSS version number.
For example, on our Windows computer, NSS3.DLL A label with detailed information about the top Firefox version provided as part of the Firefox application; LibreOffice DLL shows the NSS-specific version string:
Right: NSS3.DLL properties in LibreOffice version.
>
