BERserk rips through Web security

Intel Security's Advanced Threat Research team has uncovered a critical forgery vulnerability in Mozilla’s Network Security Services (NSS) crypto library that could allow attackers to forge RSA certificates used to secure data transmissions.

The vulnerability was named BERserk because the attack exploits a flaw in the parsing of ASN.1-encoded messages during signature verification. ASN.1 messages are made up of various parts that are encoded using BER (Basic Encoding Rules) and DER (Distinguished Encoding Rules).

The Mozilla NSS library is used in the Firefox browser but is also found in Thunderbird, SeaMonkey and other Mozilla products.

“Dubbed BERserk, this vulnerability allows for attackers to forge RSA signatures, thereby allowing for the bypass of authentication to Web sites utilizing SSL/TLS,” said Mike Fey, chief technology officer of corporate products for security software firm McAfee Inc. “Given that certificates can be forged for any domain, this issue raises serious concerns around integrity and confidentiality as we traverse what we perceive to be secure Web sites.”

Fey said BERserk is a variation of the 2006 Bleichenbacher PKCS#1 RSA Signature Verification vulnerability.

After discovering BERserk, the Intel team contacted the Computer Emergency Response Team (CERT) Coordination Centre to ensure that the vulnerability’s existence is broadcast and that affected organizations are given guidance to mitigate risks.

McAfee Vulnerability Manager will release an update to check for vulnerable systems and report their exposure, but in the meantime individual Firefox users can take some immediate action by updating their browsers with the latest patches from Mozilla, said Fey.

Google has also released updates for Google Chrome and Chrome OS, which also use the NSS library.

 


Nestor Arellano
Toronto-based journalist specializing in technology and business news. Blogs and tweets on the latest tech trends and gadgets.
