CVE-2021-43527

9.8 CRITICAL

📋 TL;DR

CVE-2021-43527 is a critical heap overflow vulnerability in NSS (Network Security Services) that allows remote code execution when processing malicious DER-encoded DSA or RSA-PSS signatures. It affects applications using NSS for signature verification in formats like CMS, S/MIME, PKCS #7, or PKCS #12, including email clients and PDF viewers, but not Mozilla Firefox.

💻 Affected Systems

Products:
  • Thunderbird
  • LibreOffice
  • Evolution
  • Evince
  • Other applications using NSS for signature verification
Versions: NSS < 3.73 and NSS ESR < 3.68.1
Operating Systems: Linux, Windows, macOS (if using affected NSS versions)
Default Config Vulnerable: ⚠️ Yes
Notes: Only impacts applications configured to use NSS for signature handling; Firefox is not affected due to different configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote attackers can execute arbitrary code with the privileges of the vulnerable application, potentially leading to full system compromise.

🟠 Likely Case

Attackers could crash applications or execute code by sending specially crafted signed documents or certificates.

🟢 If Mitigated

With proper patching, the vulnerability is eliminated; network segmentation and application whitelisting reduce attack surface.

🌐 Internet-Facing: HIGH, as malicious documents or certificates can be delivered via email or web downloads without authentication.
🏢 Internal Only: MEDIUM, as exploitation requires user interaction (e.g., opening a malicious file), but internal threats or phishing could still trigger it.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious signatures, but no public proof-of-concept has been disclosed; CVSS 9.8 indicates high severity and ease of attack.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: NSS 3.73 or NSS 3.68.1 ESR

Vendor Advisory: https://bugzilla.mozilla.org/show_bug.cgi?id=1737470

Restart Required: Yes

Instructions:

1. Update the NSS library to version 3.73 or 3.68.1 ESR.
2. On Linux, use the package manager (e.g., 'sudo apt update && sudo apt upgrade libnss3').
3. On Windows/macOS, update the affected applications (e.g., Thunderbird, LibreOffice).
4. Restart applications and systems to apply the changes.

🔧 Temporary Workarounds

Disable signature verification in applications (applies to: all)

Temporarily disable processing of signed documents or certificates in vulnerable applications to block exploitation vectors.

Block malicious file types at network perimeter (applies to: all)

Use email gateways or firewalls to filter or block suspicious signed documents (e.g., .p7s, .p12 files) from untrusted sources.

🧯 If You Can't Patch

  • Isolate affected systems from untrusted networks and limit user access to reduce attack surface.
  • Implement application whitelisting to prevent execution of unauthorized processes from exploited applications.

🔍 How to Verify

Check if Vulnerable:

Check NSS version with 'strings /usr/lib/libnss3.so | grep Version' on Linux or verify application versions (e.g., Thunderbird > 91.4.0).

Check Version:

On Linux: 'dpkg -l | grep libnss3' or 'rpm -qa | grep nss'; on Windows, check application help/about menus.

Verify Fix Applied:

Confirm NSS version is >= 3.73 or >= 3.68.1 ESR using the same command, and test signature handling in applications.
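The version checks above leave the branch logic to the reader: 3.68.0 is vulnerable while 3.68.1 ESR is fixed, yet 3.69 through 3.72 on the main branch are still vulnerable, so a plain "is it below 3.73" comparison gets the ESR case wrong. The script below is an added example, not part of this advisory, that encodes the two fix boundaries the advisory states (3.73 mainline, 3.68.1 ESR), parses versions out of 'dpkg -l' / 'rpm -qa' style lines (the sample lines are constructed, not captured from a real host), and optionally queries the local host with pkg-config, dpkg-query or rpm.

```python
"""Classify NSS versions against the CVE-2021-43527 fix boundaries.

Added example, not part of the advisory. Assumes the fix boundaries the
advisory states: NSS 3.73 on the main branch and NSS 3.68.1 on the ESR
branch. SAMPLE_PACKAGE_LINES are constructed for the demonstration.
"""
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

FIXED_MAIN: Version = (3, 73, 0)  # first fixed mainline release
FIXED_ESR: Version = (3, 68, 1)   # first fixed ESR release
ESR_MINOR = 68                    # the ESR branch that received the backport

# First "major.minor[.patch]" in a package version; a Debian epoch such as
# "2:" is skipped because ":" is not ".", and the distro suffix is ignored.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

# Package names that are Mozilla NSS. libnss-mdns / nss-mdns are glibc
# Name Service Switch modules and must not be matched.
_NSS_PACKAGE_RE = re.compile(r"^(libnss3(\b|:)|nss(-util|-softokn|-sysinit|-tools)?-\d)")

# Constructed sample output in dpkg -l and rpm -qa formats.
SAMPLE_PACKAGE_LINES = [
    "ii  libnss3:amd64      2:3.61-1+deb11u9  amd64  Network Security Service libraries",
    "ii  libnss3-dev        2:3.73-1          amd64  Development files for NSS",
    "ii  libnss-mdns:amd64  0.14.1-2          amd64  NSS module for mDNS (glibc, unrelated)",
    "nss-3.67.0-7.el8_5.x86_64",
    "nss-util-3.68.1-1.el8.x86_64",
    "nss-mdns-0.14.1-1.fc35.x86_64",
]


def parse_version(text: str) -> Optional[Version]:
    """Extract the first major.minor[.patch] triple from text, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_affected(version: Version) -> bool:
    """True if this upstream NSS version predates the fix on its branch.

    3.68.x is the ESR branch: 3.68.0 is affected, 3.68.1 and later are not.
    Every other release below 3.73, including 3.69 through 3.72, is affected.
    """
    major, minor, _ = version
    if (major, minor) == (3, ESR_MINOR):
        return version < FIXED_ESR
    return version < FIXED_MAIN


def audit_package_lines(lines: List[str]) -> List[Tuple[str, Version, bool]]:
    """Classify NSS packages found in dpkg -l / rpm -qa style output.

    Returns (package name, parsed version, affected) for each NSS package
    line; lines for other packages or without a version are skipped.
    """
    findings = []
    for line in lines:
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "ii" and len(fields) >= 3:   # dpkg -l row
            name, ver_text = fields[1], fields[2]
        else:                                        # rpm -qa NEVRA string
            name, ver_text = fields[0], fields[0]
        if not _NSS_PACKAGE_RE.match(name):
            continue
        version = parse_version(ver_text)
        if version is None:
            continue
        display = re.sub(r"-\d.*$", "", name)        # strip rpm version tail
        findings.append((display, version, is_affected(version)))
    return findings


def installed_nss_version() -> Optional[Version]:
    """Best-effort query of the installed NSS version via common CLI tools.

    Tries pkg-config (needs the NSS development package), then dpkg-query,
    then rpm. Returns None when no tool reports a usable version.
    """
    probes = [
        ["pkg-config", "--modversion", "nss"],
        ["dpkg-query", "-W", "-f=${Version}", "libnss3"],
        ["rpm", "-q", "--qf", "%{VERSION}", "nss"],
    ]
    for cmd in probes:
        if shutil.which(cmd[0]) is None:
            continue
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
        except subprocess.CalledProcessError:
            continue
        version = parse_version(out)
        if version is not None:
            return version
    return None


if __name__ == "__main__":
    for name, version, affected in audit_package_lines(SAMPLE_PACKAGE_LINES):
        print(f"{name:14} {'.'.join(map(str, version)):8} {'AFFECTED' if affected else 'fixed'}")
    live = installed_nss_version()
    if live is not None:
        print("installed NSS", ".".join(map(str, live)), "AFFECTED" if is_affected(live) else "fixed")
```

One caveat the comparison cannot capture: Linux distributions often backport the fix into an older upstream version without bumping it, so a package that this script flags as affected may already carry the patch. Treat a hit as a prompt to check the distribution's changelog or security tracker for CVE-2021-43527, not as a final verdict.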

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or errors related to NSS, certificate parsing, or signature validation in system/application logs.

Network Indicators:

  • Unusual inbound traffic with signed documents or certificates from suspicious sources.

SIEM Query:

Example: 'event.source="application_log" AND (message CONTAINS "NSS" OR message CONTAINS "heap overflow" OR message CONTAINS "signature error")'
