RSA Signature Forgery in NSS

Issue

A flaw in the Network Security Services (NSS) library used by Firefox and other products allows attackers to create forged RSA certificates. Mozilla has released updates to fix this vulnerability and you should apply these updates to ensure your safety on the internet.

Impact to Users

Users on a compromised network could be directed to sites using a fraudulent certificate and mistake them for legitimate sites. This could deceive them into revealing personal information such as usernames and passwords. It may also deceive users into downloading malware if they believe it’s coming from a trusted site.

Status

The following updates have been released for Mozilla client products:

Firefox 32.0.3
Firefox for Android 32.0.3
Firefox for Android 31.1.1
Firefox ESR 31.1.1
Firefox ESR 24.8.1

Thunderbird 31.1.2
Thunderbird 24.8.1

SeaMonkey 2.29.1

Updates are also available for Beta and other development versions of these products.

Most users will receive these as automatic updates. In addition, they are available from our website for those who have disabled automatic updates (or from the Play store in the case of Firefox for Android).

Other products which incorporate the NSS library should upgrade their copy of NSS to one of the following:

NSS 3.16.2.1
NSS 3.16.5
NSS 3.17.1

Credit

We would like to thank the following researchers for reporting this issue:

Antoine Delignat-Lavaud of Inria Paris in team Prosecco
The Advanced Threat Research team at Intel Security

Additional information can be found in our advisory.

10 comments on “RSA Signature Forgery in NSS”

  1. Martin wrote on

    Hi, is there a way to receive by email a notification every time there’s a new security update for Firefox v24 or v31?
    Thanks!

    1. Daniel Veditz wrote on

      They are announced on the enterprise mailing list, but that may be higher volume than you want to deal with: https://mail.mozilla.org/listinfo/enterprise

      There should not be any further Firefox 24 releases; it falls out of support in a few weeks when Firefox 33 is released. Of course we weren’t planning 24.8.1 either.

  2. Anonymous wrote on

    “Users on a compromised network”? You mean, like, the internet?

    1. pseudononymous wrote on

      you got that right … good catch

  3. Christof Meerwald wrote on

    Is Firefox OS affected and if so when can we expect updates for Firefox OS (is Mozilla working with device vendors on updates)?

  4. Bobtail wrote on

    Does this flaw allow the attacker to forge a certificate that has the same fingerprint as an existing valid one?

    1. Bobtail wrote on

      Just to make the question more clear.
      I have stored the fingerprint of a valid certificate.
      Now I visit the server again with a Firefox version affected by the flaw.
      I compare the fingerprint in the certificate viewer with the stored one and they are the same.
      Could the certificate now presented still be forged in reference to the RSA Signature Forgery in NSS?

      Secondly, how would an affected Firefox version behave if it has trusted the certificate in the past and it now sees a forged certificate which tries to masquerade as the valid one. Any warnings or prompts?

      Are there any Mozilla pages where the effects of this flaw are explained so one can get some useful conclusions without the need to read the source code?

      1. Daniel Veditz wrote on

        The “fingerprint” is a hash of the entire certificate. Since the signature of the forgery will differ, the fingerprint hash will differ as well even if everything else in the certificate is a perfect copy (and it’s not clear a MITM would bother doing that much since practically no one checks).

        The fingerprint is not a property contained in the certificate itself; it’s generated by a particular implementation. An NSS certificate fingerprint might differ from an OpenSSL-generated fingerprint if they use different hash algorithms, but the fingerprints generated by the same library should be consistent.
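
The point made in the reply above, as an added example (not from the original post, its comments, or NSS): the fingerprint is a digest over the whole DER encoding, so two certificates with the same signed content but different signature bytes get different fingerprints, and one certificate gets a different fingerprint under a different hash algorithm. The byte strings are constructed skeletons, and `der`, `read_tlv`, `split_certificate`, `fingerprint` and `make_cert` are names chosen for this illustration.

```python
import hashlib

def der(tag: int, content: bytes) -> bytes:  # encode one definite-length DER TLV
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits give the number of length octets
        count = first & 0x7F
        n = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        n = first
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n

def split_certificate(cert: bytes):
    """Split Certificate ::= SEQUENCE { tbs, sigAlg, sigValue } into raw TLVs."""
    tag, body, end = read_tlv(cert)
    if tag != 0x30 or end != len(cert):
        raise ValueError("expected exactly one outer SEQUENCE")
    parts, pos = [], 0
    while pos < len(body):
        nxt = read_tlv(body, pos)[2]
        parts.append(body[pos:nxt])
        pos = nxt
    if len(parts) != 3:
        raise ValueError("expected tbsCertificate, signatureAlgorithm, signatureValue")
    return parts

def fingerprint(cert: bytes, algo: str = "sha256") -> str:
    """Digest over the complete DER encoding, signature bytes included."""
    return hashlib.new(algo, cert).hexdigest()

def make_cert(signature: bytes) -> bytes:
    """Constructed skeleton with the X.509 outer layout; not a real certificate."""
    tbs = der(0x30, der(0x0C, b"CN=example.test") + der(0x03, b"\x00" + b"\xAA" * 140))
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00" + signature))

GENUINE = make_cert(b"\x11" * 256)  # constructed signature bytes
COPY = make_cert(b"\x22" * 256)     # same tbsCertificate, different signature
```

Comparing `split_certificate(GENUINE)[0]` with `split_certificate(COPY)[0]` shows the signed portion is byte-identical while `fingerprint()` of the two encodings differs, which is why a stored fingerprint catches a copy that carries a different signature.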

  5. Don wrote on

    I have placed printing restrictions to comply with copyright restrictions converting files from MS PowerPoint to Adobe PDF. In the past, my security protocols have remained valid using Firefox. The new document viewer bypasses these restrictions allowing for printing of copyright material that I do not have printing rights for and this places me in a conundrum. At present, I have to disable these files which has a negative impact on students. This has never been a problem before and I am sure it is the same with all learning management systems. Please allow users to maintain certain security measures to protect copyrights and other academic issues.

    1. Daniel Veditz wrote on

      I’m sorry you’re having this trouble, but it likely won’t reach an audience who can do anything about it on this unrelated blog post.

      Adobe’s PDF printing restrictions don’t appear very robust. They are not preserved by Chrome if you Save As… to a new PDF document, and other PDF readers like the Firefox one don’t support the use-restrictions annotations, not because they have an agenda not to, but because it requires writing additional code to parse part of the document that simply says “pretty please don’t do these things”. There are also lots of dodgy downloads on the internet that promise to remove the security restrictions. Short of using actual DRM I don’t think you can rely on those settings.

      Students these days print things?