Mozilla properly fuzzed NSS and still ended up with a simple memory corruption hole

By Chris Duckett | December 2, 2021 | Topic: Security

When it comes to fuzzing, Mozilla has plenty of credibility and a long track record, yet its prized Network Security Services (NSS) library was broken by Google Project Zero's Tavis Ormandy with little effort.

In a blog post well worth your time, entitled This shouldn't have happened, Ormandy found that if NSS was made to create an ASN.1 signature bigger than the 16,384-bit maximum it expected, memory was overwritten.

“What happens if you just … make a signature that’s bigger than that? Well, it turns out the answer is memory corruption. Yes, really,” Ormandy wrote.

“The untrusted signature is simply copied into this fixed-sized buffer, overwriting adjacent members with arbitrary attacker-controlled data. The bug is simple to reproduce and affects multiple algorithms.”

Given the designation CVE-2021-43527, Mozilla said in its advisory that Firefox was not impacted, but the likes of Thunderbird, LibreOffice, Evolution, and Evince were “believed to be impacted”.

In Mozilla's defence, Ormandy said the organisation has a world-class security team and has been leading the way in fuzzing. However, because of the modular design of NSS, each part was fuzzed independently and the library had no end-to-end testing. This was compounded by the fuzzers imposing a 10,000-byte limit on input while NSS itself has no such limit.
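The bug class Ormandy describes above (an untrusted, variable-length signature copied into a fixed-size buffer, clobbering the struct members next to it) comes down to one missing bounds check. The following is an added illustration, not NSS's own code or Ormandy's proof of concept; the struct, the constants and the function names are hypothetical, with the buffer sized for the 16,384-bit maximum the article mentions. It shows the unchecked copy beside the checked one, and a test helper that feeds the checked version an input one byte over the limit, which is exactly the kind of oversized input a harness capped below the real maximum would never generate.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names (not NSS identifiers): a fixed-size signature buffer
 * sized for the 16,384-bit maximum mentioned in the article. */
#define MAX_SIG_BITS  16384
#define MAX_SIG_BYTES (MAX_SIG_BITS / 8)   /* 2048 bytes */

struct sig_context {
    uint8_t sig[MAX_SIG_BYTES];
    size_t  sig_len;
    int     verified;   /* adjacent member that an overflow would overwrite */
};

/* The pattern described in the article: the attacker-supplied length is
 * trusted and the copy is unbounded. Only called with in-bounds input below;
 * with len > MAX_SIG_BYTES it writes past sig[] into sig_len and verified. */
static int copy_signature_unchecked(struct sig_context *ctx,
                                    const uint8_t *sig, size_t len)
{
    memcpy(ctx->sig, sig, len);
    ctx->sig_len = len;
    return 0;
}

/* Hardened form: reject anything that does not fit before touching memory. */
static int copy_signature_checked(struct sig_context *ctx,
                                  const uint8_t *sig, size_t len)
{
    if (sig == NULL || len == 0 || len > sizeof ctx->sig)
        return -1;                      /* oversized: refuse, do not truncate */
    memcpy(ctx->sig, sig, len);
    ctx->sig_len = len;
    return 0;
}

/* Constructed input: a signature one byte longer than the buffer.
 * Returns 1 if the checked copy rejects it and leaves the context untouched. */
int demo_reject_oversized(void)
{
    static uint8_t big[MAX_SIG_BYTES + 1];
    struct sig_context ctx;
    memset(big, 0x41, sizeof big);
    memset(&ctx, 0, sizeof ctx);
    ctx.verified = 7;   /* sentinel: must survive the rejected copy */

    int rc = copy_signature_checked(&ctx, big, sizeof big);
    return rc == -1 && ctx.sig_len == 0 && ctx.verified == 7;
}

/* Constructed input: an in-bounds signature. Returns 1 if both versions
 * accept it and store the same length (they only differ on oversized input). */
int demo_accept_in_bounds(void)
{
    static uint8_t ok[256];
    struct sig_context a, b;
    memset(ok, 0x42, sizeof ok);
    memset(&a, 0, sizeof a);
    memset(&b, 0, sizeof b);

    int ra = copy_signature_unchecked(&a, ok, sizeof ok);
    int rb = copy_signature_checked(&b, ok, sizeof ok);
    return ra == 0 && rb == 0 && a.sig_len == sizeof ok && b.sig_len == sizeof ok
        && memcmp(a.sig, b.sig, sizeof ok) == 0;
}

int main(void)
{
    printf("oversized rejected: %s\n", demo_reject_oversized() ? "yes" : "no");
    printf("in-bounds accepted: %s\n", demo_accept_in_bounds() ? "yes" : "no");
    return 0;
}
```

The detail worth taking from the article is the mismatch between the harness and the code under test: a fuzzer whose inputs are capped below the size the parser actually accepts cannot reach the overflowing path, so the bounds check has to be verified against inputs larger than the buffer, as demo_reject_oversized does here.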

“This issue demonstrates that even extremely well-maintained C/C++ can have fatal, trivial mistakes,” Ormandy wrote.

The hole has been patched in versions 3.73.0 and 3.68.1 of NSS.
