RHSB-2021-008 NSS Memory corruption when decoding DSA signatures (CVE-2021-43527)
Updated
Executive summary
Network Security Services (NSS) is a set of libraries designed to support cross-platform communications of security-enabled client and server applications. NSS provides support for various cryptographic algorithms and protocols.
A memory corruption flaw, which may allow unauthorized remote code execution, was found in the method NSS verified certificates. This flaw affects both server applications compiled with NSS (such as Red Hat Identity Management, Red Hat Directory Server) and client applications using the NSS crypto library (such as the RHEL 6 & 7 curl command line tool).
The primary risk for customer environments is where trusted clients connect to an untrusted server via SSL/TLS, or untrusted clients authenticate via client certificate to a trusted server, or a man-in-the-middle attacker is between a trusted client/server connection. In these situations, the impact is remote code execution against the trusted client or server. The issue is assigned CVE-2021-43527 and has been rated with a severity impact of Critical.
The following Red Hat product versions are directly affected:
Red Hat Enterprise Linux 6, 7, and 8
Red Hat Virtualization 4
Further, any Red Hat product which is supported on Red Hat Enterprise Linux is also potentially impacted. This includes:
Product containers which are based on the RHEL or UBI container images. These images are updated regularly, and container health indicating whether a fix to this flaw is available can be seen in the Container Health Index, part of the Red Hat Container Catalog. In addition, any customer containers should be rebuilt when the base images are updated.
Products that pull packages from the RHEL channel (this includes layered products such as Red Hat OpenShift Container Platform, Red Hat OpenStack Platform, Red Hat Virtualization, and others). Please ensure that the underlying RHEL nss package is current in these product environments.
Technical summary
A remote code execution flaw was found in the way NSS verifies certificates. This flaw allows an attacker posing as an SSL/TLS server to trigger this issue in a client application compiled with NSS when it tries to initiate an SSL/TLS connection. Similarly, a server application compiled with NSS, which processes client certificates, can receive a malicious certificate via a client, triggering the flaw.
The issue is not limited to TLS. Any applications that use NSS certificate verification are vulnerable; S/MIME is impacted as well.
Firefox is not vulnerable to this flaw as it uses the mozilla::pkix for certificate verification. Thunderbird is affected when parsing email with the S/MIME signature. Thunderbird on Red Hat Enterprise Linux 8.4 and later does not need to be updated since it uses the system NSS library, but earlier Red Hat Enterprise Linux 8 extended life streams will need to update Thunderbird as well as NSS.
Mitigation
Currently there is no mitigation available for this flaw. Customers should update to fixed packages, once they are available.
Updates for affected products
Red Hat customers running affected versions of these Red Hat products are strongly recommended to update as soon as errata are available.
Product | Component(s) | Advisory/Update [1] |
Red Hat Enterprise Linux 8 | nss | |
Red Hat Enterprise Linux 8.4.0 Extended Update Support [2] | nss | |
Red Hat Enterprise Linux 8.2.0 Extended Update Support [2] | nss | |
Red Hat Enterprise Linux 8.2.0 Extended Update Support [2] | thunderbird | |
Red Hat Enterprise Linux 8.1.0 Extended Update Support [2] | nss | |
Red Hat Enterprise Linux 8.1.0 Extended Update Support [2] | thunderbird | |
Red Hat Enterprise Linux 7 | nss | |
Red Hat Enterprise Linux 7.7 Extended Update Support [2] | nss | |
Red Hat Enterprise Linux 7.6 Extended Update Support [2] | nss | |
Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions, Advanced Update Support [3],[4] | nss | |
Red Hat Enterprise Linux 7.3 Advanced Update Support [4] | nss | |
| Red Hat Enterprise Linux 6 Extended Life-cycle Support [5] | nss | RHSA-2021:4907 |
Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 | redhat-virtualization-host | |
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 | redhat-virtualization-host |
[1] Advisory/Update link will be added once updates are live.
[2] What is the Red Hat Enterprise Linux Extended Update Support (EUS) Subscription?
[3] What is Advanced mission critical Update Support (AUS)?
[4] What is the Red Hat Enterprise Linux SAP Solutions subscription?
[5] An active Extended Life-cycle Support (ELS) subscription is required for access to this patch. Please contact Red Hat Sales or your specific sales representative for more information if your account does not have an active ELS subscription.
Diagnose
A vulnerability detection script has been developed to determine if your system is currently vulnerable to this flaw. To verify the authenticity of the script, you can download the detached GPG signature as well. Instructions on how to use GPG signatures for verification are available on the Customer Portal.
Acknowledgements
Red Hat acknowledges the Mozilla project for reporting this issue. Upstream acknowledges Tavis Ormandy as the original reporter of this issue.
Comments