Code execution vulnerability in Mozilla NSS when processing certificates

A critical vulnerability (CVE-2021-43527) has been identified in NSS (Network Security Services), the set of cryptographic libraries developed by Mozilla. It can lead to the execution of attacker code when processing DSA or RSA-PSS digital signatures specified using DER encoding (Distinguished Encoding Rules). The issue, named BigSig, is fixed in NSS 3.73 and NSS ESR 3.68.1. Package updates are available for Debian, RHEL, Ubuntu, SUSE, Arch Linux, Gentoo and FreeBSD. No updates are available for Fedora at present.

The problem appears in applications that use NSS to handle CMS, S/MIME, PKCS #7 and PKCS #12 digital signatures, or to verify certificates in TLS, X.509, OCSP and CRL implementations. The vulnerability can surface in a variety of client and server applications that support TLS, DTLS and S/MIME, and in email clients and PDF viewers that use the NSS CERT_VerifyCertificate() call to verify digital signatures.

LibreOffice, Evolution and Evince are mentioned as examples of vulnerable applications. Potentially, the problem may also affect projects such as Pidgin, Apache OpenOffice, Suricata, Curl, Chrony, Red Hat Directory Server, Red Hat Certificate System, mod_nss for the Apache http server, Oracle Communications Messaging Server and Oracle Directory Server Enterprise Edition. However, the vulnerability does not appear in Firefox, Thunderbird and Tor Browser, which use a separate mozilla::pkix library, also included in NSS, for verification. Chromium-based browsers (unless specifically built with NSS), which used NSS until 2015 but then switched to BoringSSL, are not affected by the problem either.

The vulnerability is caused by an error in the certificate verification code in the vfy_CreateContext function from the secvfy.c file. The error occurs both when a client reads a certificate from a server and when a server processes client certificates. When verifying a DER-encoded digital signature, NSS decodes the signature into a fixed-size buffer and passes the buffer to the PKCS #11 module. During further processing, the size is checked incorrectly for DSA and RSA-PSS signatures, which leads to an overflow of the buffer allocated for the VFYContextStr structure if the size of the digital signature exceeds 16384 bits (2048 bytes are allocated for the buffer, but there is no check that the signature may be larger).
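The bound described above, as an added example that is not NSS source code: a simplified sketch that reads a DER BIT STRING signature and refuses to copy it into a 2048-byte buffer when the decoded length does not fit. All names (verify_ctx, der_length, ctx_load_signature) are hypothetical, and the check is applied to every signature regardless of key type.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names; a simplified sketch, not NSS source code. */
#define SIG_BUF_BYTES 2048 /* 16384 bits, the buffer size given in the text */

typedef struct {
    unsigned char sig[SIG_BUF_BYTES]; /* fixed-size signature buffer */
    size_t sig_len;
    int (*verify_fn)(void);           /* stands in for pointers stored after it */
} verify_ctx;

/* Parse a DER length at in[*pos]; returns 0 and sets *out, or -1 if malformed. */
static int der_length(const unsigned char *in, size_t n, size_t *pos, size_t *out)
{
    if (*pos >= n) return -1;
    unsigned char b = in[(*pos)++];
    if (b < 0x80) { *out = b; return 0; }            /* short form */
    size_t k = b & 0x7f, v = 0;
    if (k == 0 || k > 4 || n - *pos < k) return -1;  /* indefinite or oversized */
    for (size_t i = 0; i < k; i++) v = (v << 8) | in[(*pos)++];
    if (v < 0x80 || (v >> (8 * (k - 1))) == 0) return -1; /* non-minimal form */
    *out = v;
    return 0;
}

/* Copy a BIT STRING signature into ctx; 0 on success, -1 on rejection. */
int ctx_load_signature(verify_ctx *ctx, const unsigned char *der, size_t n)
{
    size_t pos = 0, len;
    if (ctx == NULL || der == NULL || n < 1 || der[pos++] != 0x03) return -1;
    if (der_length(der, n, &pos, &len) != 0) return -1;
    if (len < 1 || len != n - pos) return -1;  /* length must match the input */
    if (der[pos++] != 0) return -1;            /* unused-bits octet must be 0 */
    len--;
    /* The bound the text says was not enforced for DSA and RSA-PSS. */
    if (len == 0 || len > sizeof ctx->sig) return -1;
    memcpy(ctx->sig, der + pos, len);
    ctx->sig_len = len;
    return 0;
}
```
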

The vulnerable code can be traced back to 2003, but it posed no threat until a refactoring carried out in 2012. In 2017, the same mistake was made when implementing RSA-PSS support. An attack does not require resource-intensive generation of particular keys to obtain the necessary data, since the overflow occurs at a stage before the validity of the digital signature is checked. The part of the data that goes out of bounds is written to a memory area containing pointers to functions, which simplifies the creation of working exploits.

The vulnerability was found by researchers from Google Project Zero while they were experimenting with new testing methods, and it is a good demonstration of how a vulnerability can go undetected for a long time in a widely known project:

  • The NSS code is maintained by an experienced security team that uses state-of-the-art testing and error analysis techniques. Several programs are in place that pay significant rewards for identifying vulnerabilities in NSS.
  • NSS was one of the first projects to join Google's oss-fuzz initiative and was also tested in Mozilla's libFuzzer-based fuzz testing system.
  • The library code has been checked many times in various static analyzers, including monitoring by the Coverity service since 2008.
  • Until 2015, NSS was used in Google Chrome and was verified by a Google team independently of Mozilla (since 2015, Chrome has switched to BoringSSL, but support for the NSS-based port remains).

The main problems that caused the issue to go undetected for a long time:

  • The NSS library is modular, and fuzz testing was carried out not on the whole but at the level of individual components. For example, the code for decoding DER and the code for processing certificates were checked separately: during fuzzing, a certificate could have been produced that would trigger the vulnerability in question, but its check did not reach the verification code and the problem did not reveal itself.
  • During fuzz testing, strict limits were placed on the output size (10000 bytes), while NSS has no such limits (many structures in normal operation can be larger than 10000 bytes, so more input data was needed to find problems). For complete verification, the limit should have been 10000-224 bytes (1 MB), which corresponds to the maximum certificate size allowed in TLS.
  • Misconceptions about fuzz test code coverage. The vulnerable code was actively tested, but with fuzzers that were unable to generate the required input data. For example, the tls_server_target fuzzer used a predefined set of ready-made certificates, which limited the check of the certificate verification code to TLS messages and protocol state changes only.

Source: opennet.ru
