ProHoster > Blog > internet nhau > Kusagadzikana kwekodhi muMozilla NSS kana uchigadzira zvitupa

Kusagadzikana kwekodhi muMozilla NSS kana uchigadzira zvitupa

Dambudziko guru (CVE-2021-43527) rakaonekwa mumaraibhurari eNSS (Network Security Services) cryptographic akagadzirwa neMozilla. Dambudziko iri rinogona kukonzera kuurayiwa kwekodhi yemurwisi kana uchigadzirisa masaini edhijitari eDSA kana RSA-PSS akatsanangurwa uchishandisa nzira yekunyora DER (Distinguished Encoding Rules). Dambudziko iri, rine zita rekuti BigSig, rakagadziriswa muNSS 3.73 neNSS ESR 3.68.1. Kugadziriswa kwemapakeji ekuparadzira kunowanikwa kune Debian, RHEL, Ubuntu, SUSE, Arch Linux, Gentoo, FreeBSD. Zvigadziriso zveFedora hazvisati zvawanikwa.

Nyaya iyi inobata mapurogiramu anoshandisa NSS kugadzirisa CMS, S/MIME, PKCS #7, uye PKCS #12 siginicha yedhijitari, kana pakusimbisa zvitupa muTLS, X.509, OCSP, uye CRL mashandisirwo. Kusagadzikana kunogona kukanganisa akasiyana TLS, DTLS, uye S/MIME-inogonesa mutengi uye server maapplication, email vatengi, uye maPDF vanoona vanoshandisa iyo NSS CERT_VerifyCertificate() kufona kuti vaone siginicha yedhijitari.

LibreOffice, Evolution, uye Evince inotaurwa semienzaniso yezvikumbiro zvinonetsa. Zvichida, dambudziko rinogona kukanganisa mapurojekiti akadai sePidgin, Apache OpenOffice, Suricata, Curl, Chrony, Red Hat Directory Server, Red Hat Certificate System, mod_nss yeApache http server, Oracle Communications Messaging Server, Oracle Directory Server Enterprise Edition. Nekudaro, kusazvibata hakuzviratidze muFirefox, Thunderbird, uye Tor Browser, iyo inoshandisa raibhurari yakaparadzana mozilla::pkix yekuongorora, inovawo chikamu cheNSS. Dambudziko racho harina kukanganiswa neChromium-based browsers (kunze kwekunge yakanyatso kuunganidzwa neNSS), iyo yakashandisa NSS pamberi pa2015, asi yakabva yaendeswa kuBoringSSL.

Kukuvadzwa uku kunokonzerwa nekukanganisa kuri mukodhi yekusimbisa chitupa mu vfy_CreateContext function kubva kufaira re secvfy.c. Kukanganisa uku kunozviratidza kana mutengi achiverenga chitupa kubva kuseva uye panguva yekugadzirisa. server Zvitupa zvemutengi. Pakusimbisa siginecha yedhijitari ine DER, NSS inoshandura siginecha kuita buffer yehukuru hwakatarwa uye inopfuudza buffer iyi kuPKCS #11 module. Munguva yekugadzirisa zvakare, saizi yemasaini eDSA neRSA-PSS inotariswa zvisirizvo, zvichikonzera kuti buffer iwedzere kugoverwa kwechimiro cheVFYContextStr kana saizi yesaini yedhijitari ikadarika 16384 bits (2048 bytes dzakapihwa buffer, asi mukana wesiginecha wehukuru hwakakura hausi kusimbiswa).

Iyo kodhi yenjodzi inogona kurondwa kumashure ku2003, asi haina kutyisidzira kusvikira refactoring muna 2012. Iko kukanganisa kwakafanana kwakaitwa muna 2017 pakushandisa RSA-PSS rutsigiro. Kurwiswa kwacho hakudi resource-yakanyanya kugadzirwa kwemakiyi chaiwo kuti uwane iyo data inodiwa, sezvo kufashukira kunoitika pachikuva kusati kwaitwa siginecha yedhijitari. Iyo yekunze-ye-yekumisikidzwa chikamu che data inonyorerwa kunzvimbo yekurangarira ine basa anonongedzera, izvo zvinoita kuti zvive nyore kugadzira kushanda kwekushandisa.

Kusagadzikana kwakawanikwa nevatsvagiri veGoogle Project Zero vachiri kuyedza nzira nyowani dzekuyedza uye chiratidzo chakanaka chekuti kusazvibata kusingaonekwe kwenguva yakareba sei muchirongwa chakaedzwa zvakanyanya, chinozivikanwa:

  • Kodhi yeNSS inochengetwa nechikwata chekuchengetedza chine ruzivo chinoshandisa nzira dzemazuva ano dzekuyedza nekuongorora tsikidzi. Pane zvirongwa zvakati kuti zvinobhadhara mibairo mikuru yekuwana kusagona kugadzikana muNSS.
  • NSS yaive imwe yemapurojekiti ekutanga kujoinha Google's oss-fuzz initiative uye yakaedzwawo muMozilla's libFuzzer-based fuzzing test system.
  • Iyo raibhurari kodhi yakadzokororwa yakaongororwa mune akasiyana static analyzer, kusanganisira kuongororwa neCoverity service kubvira 2008.
  • Kusvika 2015, NSS yakashandiswa muGoogle Chrome uye yakayedzwa yakazvimirira nechikwata cheGoogle (kubvira 2015, Chrome yakachinjira kuBoringSSL, asi rutsigiro rweNSS-based port yasara).

Nyaya huru dzakakonzera kuti dambudziko rirege kuonekwa kwenguva yakareba ndeidzi:

  • NSS modular raibhurari uye fuzzing kuyedzwa hazvina kuitwa zvakazara, asi pamwero wezvikamu zvega. Semuyenzaniso, iyo DER decoding kodhi uye chitupa chekugadzirisa kodhi yakatariswa zvakasiyana - panguva yekufungidzira, chitupa chinogona kunge chakawanikwa chakakonzera kuratidzwa kwekusagadzikana kuri mubvunzo, asi kuoneswa kwaro hakuna kusvika kukodhi yekusimbisa uye dambudziko harina kuzviratidza.
  • Kuyedzwa kweFuzzing kwaive nemuganho wakaoma pahukuru hwekubuda (10000 bytes) pakange pasina muganho wakadaro muNSS (zvimiro zvakawanda zvaigona kunge zvakakura kupfuura zviuru gumi nemabhayiti mune yakajairika mode, saka data rakawanda rekupinza raidiwa kuona matambudziko). Kuti uwane bvunzo yakazara, muganho waifanira kunge uri 10000-224 bytes (1 MB), inoenderana nehukuru hwechitupa saizi inobvumidzwa muTLS.
  • Kusanzwisisa nezve kuvharwa kwekodhi nekuyedzwa kwefuzz. Iyo kodhi yenjodzi yakayedzwa nesimba, asi ichishandisa fuzzers iyo isingakwanise kuburitsa inodiwa yekupinza data. Semuenzaniso, tls_server_target fuzzer yakashandisa yakafanotsanangurwa seti yezvitupa zvakagadzirirwa, izvo zvakaganhurira kodhi yekusimbisa yechitupa kune meseji yeTLS chete uye shanduko yenyika.

Source: opennet.ru

Tenga inovimbika yekutambira kwemasaiti ane DDoS dziviriro, VPS VDS maseva šŸ”„ Tenga webhusaiti yakavimbika ine dziviriro yeDDoS, maseva eVPS VDS | ProHoster