In Network Security Services (NSS) before 3.36.7 and before 3.41.1, a malformed signature can cause a crash due to a null dereference, resulting in a Denial of Service.
Weakness
The product dereferences a pointer that it expects to be valid but is NULL.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Network_security_services | Mozilla | * | 3.36.7 (excluding) |
| Network_security_services | Mozilla | 3.41 (including) | 3.41.1 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | nspr-0:4.21.0-2.el8_0 | * |
| Red Hat Enterprise Linux 8 | RedHat | nss-0:3.44.0-7.el8_0 | * |
| Nss | Ubuntu | bionic | * |
| Nss | Ubuntu | cosmic | * |
| Nss | Ubuntu | devel | * |
| Nss | Ubuntu | esm-infra-legacy/trusty | * |
| Nss | Ubuntu | esm-infra/bionic | * |
| Nss | Ubuntu | esm-infra/xenial | * |
| Nss | Ubuntu | trusty | * |
| Nss | Ubuntu | trusty/esm | * |
| Nss | Ubuntu | upstream | * |
| Nss | Ubuntu | xenial | * |
Potential Mitigations
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf
- https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.7_release_notes
- https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.41.1_release_notes
- https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04
- https://cert-portal.siemens.com/productcert/pdf/ssa-379803.pdf
- https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.7_release_notes
- https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.41.1_release_notes
- https://us-cert.cisa.gov/ics/advisories/icsa-21-040-04