BigSig, kusagadzikana muMozilla NSS iyo inogona kubvumira kodhi kuuraya

The news about kuratidza kusagadzikana kwakanyanya (yatonyorwa pasi peCVE-2021-43527) en iyo seti ye cryptographic library SSN (Network security services) kubva kuMozilla izvo zvinogona kutungamira mukuitwa kwekodhi yakaipa paunenge uchigadzira DSA kana RSA-PSS masiginecha edhijitari anotsanangurwa uchishandisa DER (Distinguished Encoding Rules).

Dambudziko inozviratidza mumashandisirwo anoshandisa NSS kubata masiginecha edhijitari CMS, S / MIME, PKCS # 7 uye PKCS # 12, kana pakusimbisa zvitupa mune deployments TLS, X.509, OCSP neCRL. Kusagadzikana kunogona kumuka muakasiyana-siyana mutengi uye server maapplication ane TLS, DTLS, uye S / MIME rutsigiro, email vatengi, uye maPDF vanoona vanoshandisa iyo NSS CERT_VerifyCertificate () kufona kuti ione masiginecha edhijitari.

LibreOffice, Evolution uye Evince inotaurwa semienzaniso yemashandisirwo asina njodzi. Zvichida, dambudziko rinogona kukanganisa mapurojekiti akadai sePidgin, Apache OpenOffice, Suricata, Curl, pakati pevamwe.

Panguva imwecheteyo, kusazvibata hakuoneki muFirefox, Thunderbird uye Tor Browser, iyo inoshandisa yakaparadzana mozilla :: pkix raibhurari yekusimbisa, iri zvakare chikamu cheNSS. The Chrome-based browsers (kunze kwekunge dzakanyatso kuunganidzwa neNSS), iyo yakashandisa NSS kusvika 2015, asi ndokuzoendeswa kuBoringSSL, havabatwi nedambudziko.

Kusagadzikana uku kunokonzerwa nebug mune kodhi yesitifiketi kodhi muvfy_CreateContext. function of the secvfy.c file. Iko kukanganisa kunozviratidza zvese kana mutengi achiverenga chitupa kubva kuseva seapo sevha inobata zvitupa zvemutengi.

Paunenge uchiongorora siginecha yedhijitari yeDER-encoded, NSS inosarudza siginecha kuita diki-saizi buffer uye inopfuudza iyi buffer kuPKCS # 11 module. Munguva yemashure-kugadzirisa, yeDSA neRSA-PSS siginecha, saizi haina kusimbiswa zvisirizvo, zvichikonzera. iyo inotungamira mukufashukira kweiyo yakagoverwa buffer yeVFYContextStr chimiro, kana saizi yedhijitari siginecha ichipfuura 16384 bits (2048 bytes yakagoverwa buffer, asi haina kusimbiswa kuti siginicha inogona kuve yakakura).

Iyo kodhi ine kusazvibata yakatanga kusvika 2003, asi yakanga isiri kutyisidzira kusvikira refactoring muna 2012. Muna 2017, kukanganisa kwakafanana kwakaitwa pakushandisa rubatsiro rweRSA-PSS. Kuti uite kurwiswa, chizvarwa-chakasimba-chakawanda chizvarwa chemamwe makiyi hachidiwe kuwana iyo inodiwa data, sezvo mafashama akaitika padanho risati rasimbiswa kwechokwadi cheiyo siginecha yedhijitari. Iyo yekubuda-ye-yekumisikidzwa chikamu cheiyo data inonyorerwa kunzvimbo yekuyeuka iyo ine mapoinzi ebasa, zvichiita kuti zvive nyore kugadzira kushanda kwekushandisa.

Kusagadzikana kwakaonekwa neGoogle Project Zero vaongorori panguva yekuedza nemaitiro matsva ekuedza uye chiratidzo chakanaka chekuti kusakanganiswa kunogona sei kuenda kusingaonekwe kwenguva yakareba muchirongwa chakaongororwa chinozivikanwa.

Kana ari matambudziko makuru ayo dambudziko rakaenda risingaonekwe kwenguva refu:

  • Iyo NSS drive raibhurari uye fuzzing bvunzo haina kuitwa yakazara, asi padanho rechikamu chega.
  • Semuyenzaniso, iyo kodhi yekunyora DER uye kuita zvitupa yakasimbiswa zvakasiyana; Mukufamba kweiyo fuzzing, chitupa chaigona kunge chakawanikwa, zvichitungamira kuratidzwa kwekusagadzikana kuri mubvunzo, asi kusimbiswa kwaro hakuna kusvika kukodhi yekusimbisa uye dambudziko harina kuburitswa.
  • Munguva yekuyedzwa kwekunetsekana, miganho yakasimba yakaiswa pahukuru hwekubuda (10,000 bytes) pasina zvipingamupinyi zvakadaro muNSS (zvimiro zvakawanda mune zvakajairika mode zvinogona kunge zvakakura kupfuura zviuru gumi nemabhaiti, saka, kuona matambudziko, yakawanda yekupinza data inodiwa. ) Kuti zvionekwe zvizere, muganho unofanirwa kunge uri 10,000 2 -24 bytes (1 MB), iyo inoenderana nehukuru hwehukuru hwechitupa chinotenderwa muTLS.
  • Kusanzwisiswa nezve kuvharwa kwekodhi nefuzzing bvunzo. Iyo kodhi yenjodzi yakayedzwa nesimba, asi ichishandisa fuzers, iyo yakatadza kuburitsa iyo inodiwa yekupinza data. Semuyenzaniso, fuzzer tls_server_target yakashandisa yakafanotsanangurwa seti yekunze-kwe-bhokisi zvitupa, izvo zvakaganhurira kusimbiswa kwekodhi yekusimbisa chitupa kune meseji yeTLS chete uye shanduko yenyika.

Pakupedzisira, Zvakakodzera kutaura kuti dambudziko rine codename BigSig rakagadziriswa muNSS 3.73 uye NSS ESR 3.68.1 uye zvigadziriso zvemhinduro mupakeji fomu zvakatoburitswa mukugovaniswa kwakasiyana: Debian, RHEL, Ubuntu, SUSE, Arch Linux, Gentoo, FreeBSD, nezvimwe.

Kana iwe uchida kuziva zvakawanda nezvazvo, unogona kubvunza chinotevera chinongedzo.


Iva wekutanga kutaura

Siya yako yekutaura

Your kero e havazobvumirwi ichibudiswa. Raida minda anozivikanwa ne *

*

*

  1. Inotarisira data: AB Internet Networks 2008 SL
  2. Chinangwa cheiyo data: Kudzora SPAM, manejimendi manejimendi.
  3. Legitimation: Kubvuma kwako
  4. Kutaurirana kwedata
  5. Dhata yekuchengetedza: Dhatabhesi inobatwa neOccentus Networks (EU)
  6. Kodzero: Panguva ipi neipi iwe unogona kudzora, kupora uye kudzima ruzivo rwako