Vulnerability in verification of certificate signatures in the NSS library
Sometimes it happens that vulnerabilities flow one after another. While everyone is discussing ShellShock, Mozilla and Google are updating their Firefox and Chrome browsers to close a fairly serious vulnerability that could, under certain circumstances, lead to a fake SSL certificate signature.
The Network Security Services (NSS) library, which is used for cryptography in Firefox and Chrome browsers, incorrectly handled padding in signatures of the PKCS # 1 v1.5 standard due to a vulnerability in ASN.1 coding DigestInfo.
The vulnerability of the implementation lies in the fact that DigestInfo was processed as if it was encoded in BER, which made it possible to encode the same ASN.1 object in different ways. The parser did not take into account some bytes in the certificate verification procedure, which allowed forging certificates if a small public exhibitor was used during its creation (for example, 3).
Users of Mozilla products should upgrade to the following versions:
Google Chrome users probably need to upgrade to the latest version (released on September 24).
')
More on vulnerability
The Network Security Services (NSS) library, which is used for cryptography in Firefox and Chrome browsers, incorrectly handled padding in signatures of the PKCS # 1 v1.5 standard due to a vulnerability in ASN.1 coding DigestInfo.
The vulnerability of the implementation lies in the fact that DigestInfo was processed as if it was encoded in BER, which made it possible to encode the same ASN.1 object in different ways. The parser did not take into account some bytes in the certificate verification procedure, which allowed forging certificates if a small public exhibitor was used during its creation (for example, 3).
Users of Mozilla products should upgrade to the following versions:
- Firefox 32.0.3
- Firefox ESR 24.8.1
- Firefox ESR 31.1.1
- Thunderbird 31.1.2
- Thunderbird 24.8.1
- SeaMonkey 2.29.1
- NSS 3.16.2.1
- NSS 3.16.5
- NSS 3.17.1
Google Chrome users probably need to upgrade to the latest version (released on September 24).
')
More on vulnerability
Source: https://habr.com/ru/post/238185/
All Articles