Lumension® Endpoint Intelligence Center


Critical signature forgery flaw found in Mozilla NSS crypto library

2014/09/25

Securityweek - (International) Mozilla released an update for its products, and Google updated Chrome and Chrome OS, to address the "BERserk" vulnerability. The flaw was exposed by two independent researchers, from the Intel Security Advanced Threat Research Team and INRIA Paris-Rocquencourt, who found that the Mozilla Network Security Services (NSS) cryptographic library can be exploited to forge signatures. An attacker can leverage the flaw in the parsing of ASN.1 encoded messages that use Basic Encoding Rules (BER) by exploiting the fact that the length of a field in BER can be made to use many bytes of data.

Source: http://www.securityweek.com/critical-signature-forgery-flaw-found-mozilla-nss-crypto-library
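
The length-encoding flexibility described above, shown as an added example (not code from NSS or from the source article): a length decoder with a lenient BER mode and a strict DER mode, run over three constructed encodings of the same length. The function name `asn1_length` and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode the ASN.1 length field at buf[0..n).
 * strict = 0: BER, any number of length octets is accepted.
 * strict = 1: DER, only the shortest possible encoding is accepted.
 * Returns the number of octets consumed, or -1 if rejected. */
int asn1_length(const unsigned char *buf, size_t n, int strict, uint32_t *out)
{
    if (n == 0) return -1;
    if (buf[0] < 0x80) {                  /* short form: value 0..127 */
        *out = buf[0];
        return 1;
    }
    size_t k = buf[0] & 0x7f;             /* long form: k octets follow */
    if (k == 0 || k == 0x7f) return -1;   /* indefinite/reserved: unsupported */
    if (k > n - 1) return -1;             /* truncated input */
    if (strict && buf[1] == 0) return -1; /* DER: no leading zero octet */
    uint64_t v = 0;
    for (size_t i = 1; i <= k; i++) {
        v = (v << 8) | buf[i];
        if (v > UINT32_MAX) return -1;    /* larger than this example handles */
    }
    if (strict && v < 0x80) return -1;    /* DER: short form required < 128 */
    *out = (uint32_t)v;
    return (int)(k + 1);
}

/* Constructed samples: three encodings of the same length, 32. */
static const unsigned char LEN_DER[]    = { 0x20 };
static const unsigned char LEN_LONG[]   = { 0x81, 0x20 };
static const unsigned char LEN_PADDED[] = { 0x84, 0x00, 0x00, 0x00, 0x20 };

int main(void)
{
    const unsigned char *s[] = { LEN_DER, LEN_LONG, LEN_PADDED };
    const size_t sz[] = { sizeof LEN_DER, sizeof LEN_LONG, sizeof LEN_PADDED };
    for (int i = 0; i < 3; i++) {
        uint32_t ber = 0, der = 0;
        int rb = asn1_length(s[i], sz[i], 0, &ber);
        int rd = asn1_length(s[i], sz[i], 1, &der);
        printf("sample %d: BER used %d octets (len %u), DER %s\n",
               i, rb, (unsigned)ber, rd < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

The lenient mode reads all three samples as length 32 while consuming 1, 2 and 5 octets; the strict mode accepts only the one-octet form, which is the property a signature verifier needs when it compares decoded structures byte for byte.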

Note: This news synopsis is taken from the DHS Daily Open Source Infrastructure Report, a daily [Monday through Friday, except US Federal holidays] summary of open-source published information concerning significant critical infrastructure issues; a 10-day archive of the DOSIR can be found at: http://www.dhs.gov/dhs-daily-open-source-infrastructure-report.


Last Updated: 27 May 2016 10:21:50