Code execution vulnerability in Mozilla NSS when processing certificates

A critical vulnerability (CVE-2021-43527) has been identified in NSS (Network Security Services), the set of cryptographic libraries developed by Mozilla. It can lead to execution of attacker code when processing DSA or RSA-PSS digital signatures specified using DER (Distinguished Encoding Rules) encoding. The issue, codenamed BigSig, has been fixed in NSS 3.73 and NSS ESR 3.68.1. Package updates in distributions are available for Debian, RHEL, Ubuntu, SUSE, Arch Linux, Gentoo, FreeBSD. No updates for Fedora are available yet.

The problem appears in applications that use NSS to handle CMS, S/MIME, PKCS #7 and PKCS #12 digital signatures, or to verify certificates in TLS, X.509, OCSP and CRL. The vulnerability can surface in a variety of client and server applications that support TLS, DTLS and S/MIME, and in e-mail clients and PDF viewers that use the NSS CERT_VerifyCertificate() call to verify digital signatures.

LibreOffice, Evolution and Evince are mentioned as examples of vulnerable applications. Potentially, the problem may also affect projects such as Pidgin, Apache OpenOffice, Suricata, Curl, Chrony, Red Hat Directory Server, Red Hat Certificate System, mod_nss for the Apache http server, Oracle Communications Messaging Server, Oracle Directory Server Enterprise Edition. However, the vulnerability does not appear in Firefox, Thunderbird and Tor Browser, which use a separate library for verification, mozilla::pkix, that is also included in NSS. Chromium-based browsers (unless specifically built with NSS), which used NSS until 2015 but then switched to BoringSSL, are also not affected by the problem.

The vulnerability is caused by an error in the certificate verification code in the vfy_CreateContext function from the secvfy.c file. The error occurs both when a client reads a certificate from a server and when a server processes client certificates. When verifying a DER-encoded digital signature, NSS decodes the signature into a fixed-size buffer and passes that buffer to the PKCS #11 module. During further processing, the size is checked incorrectly for DSA and RSA-PSS signatures, which leads to an overflow of the buffer allocated in the VFYContextStr structure if the size of the digital signature exceeds 16384 bits (2048 bytes are allocated for the buffer, but it is not checked that the signature may be larger).
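A simplified model of the missing length check described above, added here as an example; it is not NSS code. The names `sig_ctx`, `der_read_len` and `sig_ctx_load` are hypothetical, the input in `main` is constructed, and only the 2048-byte buffer size comes from the article.

```c
#include <stddef.h>
#include <string.h>

#define SIG_BUF_LEN 2048 /* 16384 bits: the fixed buffer size the article gives */

/* Hypothetical stand-in for the fixed-size signature buffer in VFYContextStr. */
struct sig_ctx {
    unsigned char sig[SIG_BUF_LEN];
    size_t sig_len;
};

/* Read a DER length at der[*pos] (minimal-encoding checks omitted); 0 = ok. */
static int der_read_len(const unsigned char *der, size_t n, size_t *pos, size_t *out)
{
    if (*pos >= n) return -1;
    unsigned char b = der[(*pos)++];
    if (b < 0x80) { *out = b; return 0; }               /* short form */
    size_t cnt = b & 0x7f;
    if (cnt == 0 || cnt > 3 || n - *pos < cnt) return -1; /* at most 2^24-1 */
    size_t len = 0;
    while (cnt--) len = (len << 8) | der[(*pos)++];
    *out = len;
    return 0;
}

/* Decode a DER BIT STRING (tag 0x03) holding a signature into ctx.
 * Returns 0 on success, -1 if malformed, -2 if larger than the buffer. */
int sig_ctx_load(struct sig_ctx *ctx, const unsigned char *der, size_t n)
{
    size_t pos = 0, len;
    if (n < 1 || der[pos++] != 0x03) return -1;
    if (der_read_len(der, n, &pos, &len) != 0) return -1;
    if (len < 1 || len > n - pos) return -1;  /* content must fit the input */
    if (der[pos++] != 0x00) return -1;        /* expect zero unused bits */
    len--;                                    /* signature bytes proper */
    /* The check the article says was missing for DSA and RSA-PSS: without it
     * the memcpy below writes past sig[] for signatures over 2048 bytes. */
    if (len > sizeof ctx->sig) return -2;
    memcpy(ctx->sig, der + pos, len);
    ctx->sig_len = len;
    return 0;
}

int main(void)
{
    /* Constructed input: BIT STRING, 0 unused bits, 2 signature bytes. */
    static const unsigned char der[] = {0x03, 0x03, 0x00, 0xde, 0xad};
    struct sig_ctx ctx;
    return sig_ctx_load(&ctx, der, sizeof der) == 0 ? 0 : 1;
}
```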

The code containing the vulnerability dates back to 2003, but it posed no threat until a refactoring carried out in 2012. In 2017, the same mistake was made when implementing RSA-PSS support. Carrying out an attack does not require resource-intensive generation of particular keys to obtain the necessary data, because the overflow occurs at a stage before the correctness of the digital signature is checked. The part of the data that goes beyond the bounds is written to a memory area containing function pointers, which simplifies the creation of working exploits.

The vulnerability was discovered by Google Project Zero researchers while experimenting with new fuzzing techniques, and it is a good demonstration of how trivial vulnerabilities can go undetected for a long time in a well-known, heavily tested project:

  • The NSS code is maintained by an experienced security team using modern testing and error-analysis techniques. There are several programs in place that pay substantial rewards for identifying vulnerabilities in NSS.
  • NSS was one of the first projects to join Google's oss-fuzz initiative and was also tested in Mozilla's libFuzzer-based fuzz testing system.
  • The library code has been checked many times by various analyzers, including monitoring by the Coverity service since 2008.
  • Until 2015, NSS was used in Google Chrome and was verified independently by the Google team, separately from Mozilla (since 2015 Chrome has switched to BoringSSL, but support for the NSS-based port remains).

The main problems that let the issue go unnoticed for a long time:

  • The NSS library is modular, and fuzz testing was carried out not as a whole but at the level of individual components. For example, the DER decoding code and the certificate processing code were checked separately; during fuzzing, a certificate could well have been produced that would trigger the vulnerability in question, but its check did not reach the verification code and the problem did not reveal itself.
  • During fuzz testing, strict limits were placed on the data size (10000 bytes), while NSS itself has no comparable limits (many structures in normal operation can be larger than 10000 bytes, so more input data is needed to detect problems). For full verification, the limit should have been 2^24-1 bytes (16 MB), which corresponds to the maximum certificate size allowed in TLS.
  • Misconceptions about fuzz code coverage. The vulnerable code was actively tested, but with fuzzers that were unable to generate the necessary input data. For example, the tls_server_target fuzzer used a predefined set of ready-made certificates, which limited the checking of the certificate verification code to TLS messages and protocol state changes only.

Source: opennet.ru
