ProHoster > Блог > ozi ịntanetị > Enweghị ike igbu koodu na Mozilla NSS mgbe ị na-ahazi asambodo

Enweghị ike igbu koodu na Mozilla NSS mgbe ị na-ahazi asambodo

Achọpụtala adịghị ike dị oke njọ (CVE-2021-43527) na ọbá akwụkwọ nzuzo NSS (Network Security Services) nke Mozilla mepụtara. Enweghị ike a nwere ike ibute mmejọ koodu onye na-awakpo mgbe a na-ahazi mbinye aka dijitalụ DSA ma ọ bụ RSA-PSS akọwapụtara site na iji usoro koodu DER (Distinguished Encoding Rules). Nsogbu a, nke akpọrọ BigSig, edoziri na NSS 3.73 na NSS ESR 3.68.1. Mmelite na ngwugwu nkesa dị maka Debian, RHEL, Ubuntu, SUSE, Arch Linux, Gentoo, FreeBSD. Mmelite maka Fedora adịghị ugbu a.

Nsogbu a na-apụta na ngwa ndị na-eji NSS ijikwa CMS, S/MIME, PKCS #7 na PKCS #12 mbinye aka dijitalụ, ma ọ bụ mgbe ị na-enyocha asambodo na TLS, X.509, OCSP na CRL. Ọdịmma ahụ nwere ike ịpụta na ngwa ahịa dị iche iche na ngwa nkesa na-akwado TLS, DTLS na S/MIME, ndị ahịa email na ndị na-ekiri PDF na-eji oku NSS CERT_VerifyCertificate() iji nyochaa mbinye aka dijitalụ.

Akpọrọ LibreOffice, Evolution na Evince dị ka ihe atụ nke ngwa adịghị ike. Enwere ike, nsogbu ahụ nwekwara ike imetụta ọrụ dị ka Pidgin, Apache OpenOffice, Suricata, Curl, Chrony, Red Hat Directory Server, Red Hat Certificate System, mod_nss maka sava Apache http, Oracle Communications Messaging Server, Oracle Directory Server Enterprise Edition. Agbanyeghị, adịghị ike ahụ anaghị apụta na Firefox, Thunderbird na Tor Browser, nke na-eji ọba akwụkwọ mozilla::pkix dị iche, tinyekwara na NSS, maka nkwenye. Ihe nchọgharị dabere na Chromium (ọ gwụla ma ejiri NSS rụọ ha kpọmkwem), bụ nke jiri NSS ruo 2015, ma gbanwee na BoringSSL, nsogbu ahụ anaghị emetụtakwa ya.

Nsogbu a na-akpata site na njehie dị na koodu nkwenye asambodo dị na ọrụ vfy_CreateContext sitere na faịlụ secvfy.c. Njehie ahụ na-apụta ìhè ma mgbe onye ahịa gụrụ asambodo ahụ site na sava ahụ ma n'oge nhazi ya. ihe nkesa Asambodo ndị ahịa. Mgbe a na-enyocha mbinye aka dijitalụ nke DER tinyere koodu, NSS na-agbanwe mbinye aka ahụ ka ọ bụrụ ihe nchekwa nha edobere ma na-ebufe ihe nchekwa a na modulu PKCS #11. N'oge nhazi ọzọ, a na-enyocha nha mbinye aka DSA na RSA-PSS nke ọma, na-eduga na oke ihe nchekwa ekenyere maka nhazi VFYContextStr ma ọ bụrụ na nha mbinye aka dijitalụ gafere bits 16384 (e kenyere bytes 2048 maka ihe nchekwa ahụ, mana ekwenyeghị na ikike mbinye aka maka nha buru ibu).

Enwere ike ịchọta koodu ahụ nwere adịghị ike na 2003, mana ọ naghị etinye egwu ruo mgbe emegharịrị na 2012. N'afọ 2017, e mekwara otu ihe ahụ mgbe ị na-emejuputa nkwado RSA-PSS. Iji mee mwakpo, ọgbọ na-akpa ike nke ụfọdụ igodo adịghị achọ iji nweta data dị mkpa, ebe ọ bụ na njupụta na-eme na ọkwa tupu ịlele izi ezi nke mbinye aka dijitalụ. A na-ede akụkụ nke data nke na-agafe ókèala ahụ na ebe nchekwa nke nwere ihe nrịbama maka ọrụ, nke na-eme ka mmepụta nke arụ ọrụ dị mfe.

Ndị nchọpụta sitere na Google Project Zero chọpụtara adịghị ike ahụ mgbe ha na-anwale ụzọ nnwale ọhụrụ na-agbagwoju anya ma bụrụ ezigbo ngosipụta nke etu adịghị ike na-enweghị isi nwere ike isi na-ahụtaghị ogologo oge n'ime ọrụ ama ama ama ama ama ama.

  • Ndị otu nchekwa nwere ahụmahụ na-edobe koodu NSS site na iji usoro nyocha na nyocha njehie ọgbara ọhụrụ. Enwere ọtụtụ mmemme iji kwụọ ụgwọ ọrụ dị ukwuu maka ịchọpụta adịghị ike na NSS.
  • NSS bụ otu n'ime ọrụ izizi isonye na atụmatụ oss-fuzz nke Google ma nwalekwara ya na sistemụ nnwale fuzz dabere na Mozilla libFuzzer.
  • A enyochala koodu ọba akwụkwọ ọtụtụ oge n'ime ndị nyocha dị iche iche, gụnyere ọrụ mkpuchi na-enyocha ya kemgbe 2008.
  • Ruo n'afọ 2015, ejiri NSS mee ihe na Google Chrome ma ndị otu Google kwadoro onwe ha na Mozilla (kamgbe 2015, Chrome gbanwere na BoringSSL, mana nkwado maka ọdụ ụgbọ mmiri dabeere na NSS ka dị).

Nsogbu ndị bụ isi n'ihi nke a na-achọpụtaghị nsogbu ahụ ogologo oge:

  • Emere ọbá akwụkwọ modular NSS na ule fuzzing abụghị n'ozuzu ya, kama n'ogo nke ihe mejupụtara ya. Dịka ọmụmaatụ, a na-enyocha koodu maka decoding DER na asambodo nhazi iche iche - n'oge mgbagwoju anya, enwere ike ịnweta akwụkwọ nke ga-eduga n'igosipụta nke adịghị ike na ajụjụ, mana nlele ya eruteghị koodu nkwenye na nsogbu ahụ emeghị. ikpughe onwe ya.
  • N'oge ule fuzzing, etinyere mmachi siri ike na nha mmepụta (10000 bytes) na enweghị mgbochi ndị yiri ya na NSS (ọtụtụ ụlọ na ọnọdụ nkịtị nwere ike ịnwe nha karịa 10000 bytes, yabụ achọrọ data ntinye karịa iji chọpụta nsogbu) . Maka nkwenye zuru oke, oke kwesịrị ịbụ 224-1 bytes (16 MB), nke dabara na ogo asambodo kacha ekwe na TLS.
  • Echiche na-ezighi ezi gbasara mkpuchi koodu nyocha fuzz. A nwalere koodu adịghị ike nke ọma, mana iji fuzzers na-enweghị ike iwepụta data ntinye dị mkpa. Dịka ọmụmaatụ, fuzzer tls_server_target jiri usoro asambodo emebere akọwapụtagoro, nke kpachiri nlele koodu nkwenye akwụkwọ naanị na ozi TLS yana mgbanwe steeti protocol.

isi: opennet.ru

Zụta nnabata ntụkwasị obi maka saịtị nwere nchekwa DDoS, sava VPS VDS 🔥 Zụta ebe nrụọrụ weebụ a pụrụ ịtụkwasị obi na nchekwa DDoS, sava VPS VDS | ProHoster