Mozilla Network Security Services (NSS) fails to properly verify RSA signatures

2014-09-24T00:00:00
ID VU:772676
Type cert
Reporter CERT
Modified 2014-09-24T21:57:00

Description

Overview

The Mozilla Network Security Services (NSS) library fails to properly verify RSA signatures due to incorrect ASN.1 parsing of DigestInfo. This vulnerability may allow an attacker to forge a RSA signature, such as a SSL certificate.

Description

CWE-295: Improper Certificate Validation

RSA signatures are used to authenticate the source of a message. To prevent RSA signatures from being forged, messages are padded with data to ensure message hashes are adequately sized. The Public-Key Cryptography Standard #1 version 1.5 (PKCS#1 v1.5), which is defined in RFC 2313, specifies "the mathematical properties and format of RSA public and private keys (ASN.1-encoded in clear-text), and the basic algorithms and encoding/padding schemes for performing RSA encryption, decryption, and producing and verifying signatures" (Wikipedia). The Mozilla Network Security Services (NSS) library incorrectly parses PKCS#1 v1.5 padded signatures due to the use of a vulnerable implementation of ASN.1 encoding of DigestInfo. Vulnerable implementations parse the DigestInfo field using the BER encoding, which allows multiple ways of encoding the same ASN.1 object. The parser implementation allows for bytes to skip validation, allowing an attacker to forge a signature when a RSA key with a low public exponent (e.g., three) is used.

This vulnerability is a variant of the Bleichenbacher vulnerability, where unvalidated bytes are allowed in the least significant bytes of the signature.

Mozilla NSS is used by other software products including a number of Linux distributions and packages, Google Chrome, and Google Chrome OS. It is also possible that other cryptographic libraries may have similar vulnerabilities.


Impact

This vulnerability may allow an attacker to forge a RSA signature, such as a SSL certificate.


Solution

Apply an Update

Mozilla has released patch for this vulnerability (MSFA 2014-73). Mozilla NSS is used by other software products including a number of Linux distributions and packages, Google Chrome, and Google Chrome OS.


Vendor Information

772676

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Google Affected

Updated: September 24, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <http://googlechromereleases.blogspot.com/2014/09/stable-channel-update_24.html>
  • <http://googlechromereleases.blogspot.com/2014/09/stable-channel-update-for-chrome-os_24.html>

Mozilla Affected

Notified: September 22, 2014 Updated: September 24, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <https://www.mozilla.org/security/announce/2014/mfsa2014-73.html>

Apache HTTP Server Project Unknown

Notified: September 24, 2014 Updated: September 24, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Cisco Systems, Inc. Unknown

Notified: September 23, 2014 Updated: September 23, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Oracle Corporation Unknown

Notified: September 23, 2014 Updated: September 23, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

VMware Unknown

Notified: September 23, 2014 Updated: September 23, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Yahoo, Inc. Unknown

Notified: September 23, 2014 Updated: September 23, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 8.8 | AV:N/AC:M/Au:N/C:C/I:C/A:N
Temporal | 6.9 | E:POC/RL:OF/RC:C
Environmental | 8.7 | CDP:H/TD:H/CR:H/IR:H/AR:ND

References

  • <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS>
  • <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases>
  • <https://www.mozilla.org/security/announce/2014/mfsa2014-73.html>
  • <https://www.ietf.org/rfc/rfc2313.txt>
  • <http://en.wikipedia.org/wiki/PKCS#1>
  • <http://www.imc.org/ietf-openpgp/mail-archive/msg06063.html>
  • <https://bugzilla.mozilla.org/show_bug.cgi?id=1069405>
  • <https://bugzilla.mozilla.org/show_bug.cgi?id=1064636>

Acknowledgements

Thanks to Advanced Threat Research - Intel Security for reporting this vulnerability. Antoine Delignat-Lavaud, a researcher for team Prosecco of Inria Paris, also reported this to Mozilla.

This document was written by Joel Land and Chris King.

Other Information

CVE IDs: | CVE-2014-1568
---|---
Date Public: | 2014-09-24
Date First Published: | 2014-09-24
Date Last Updated: | 2014-09-24 21:57 UTC
Document Revision: | 54