A Vulnerability in Mozilla NSS (Network Security Services) Could Allow for Arbitrary Code Execution

DESCRIPTION:
A vulnerability has been discovered in Mozilla’s Network Security
Services (NSS), a set of cryptography libraries used to handle
signatures and certification validation. Successful exploitation of this
the vulnerability could allow for arbitrary code execution within the
context of the affected application, which could be either a client like
Thunderbird or server like Apache webserver. Depending on the privileges
associated with this application, an attacker could then install
programs; view, change, or delete data; or create new accounts with full
user rights. If this application has been configured to have fewer user
rights on the system, exploitation of this vulnerability could have less
impact than if it was configured with administrative rights.

IMPACT:
A vulnerability has been discovered in Mozilla’s Network Security
Services (NSS), a set of cryptography libraries used to handle
signatures and certification validation. Successful exploitation of this
the vulnerability could allow for arbitrary code execution within the
context of the affected application, which could be either a client like
Thunderbird (connection with attacker TLS server) or server like Apache
webserver (processing client certificate).

Per Mozilla:
Applications using NSS for handling signatures encoded within CMS,
S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications
using NSS for certificate validation or other TLS, X.509, OCSP or CRL
functionality may be impacted, depending on how they configure NSS.

Successful exploitation of this vulnerability could allow for arbitrary
code execution within the context of the affected application, which
could be either a client like Thunderbird or a server like Apache
webserver. Depending on the privileges associated with this application,
an attacker could then install programs; view, change or delete data;
or create new accounts with full user rights. If this application has
been configured to have fewer user rights on the system, exploitation of
this vulnerability could have less impact than if it was configured with
administrative rights.

SYSTEM AFFECTED:
* NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR

RECOMMENDATIONS:
We recommend the following actions be taken:
* If applications used within the organization are known to use SSL/TLS,
verify if Mozilla NSS is being used.
* Apply the latest patches provided by respective vendors after
appropriate testing.
* Run all software as a non-privileged user (one without administrative
privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.

REFERENCES:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43527
https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/
https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html
https://www.bleepingcomputer.com/news/security/mozilla-fixes-critical-bug-in-cross-platform-cryptography-library/
https://access.redhat.com/security/cve/CVE-2021-43527

Published: 22 December 2021, 11:59:09 BST

Share