CVE-2021-43529 - Thunderbird S/MIME Vulnerability Exploited – What You Need To Know

If you’re using Mozilla Thunderbird to manage your emails, especially for communication that relies on S/MIME encryption, CVE-2021-43529 is a bug you need to pay attention to. This post will break down what CVE-2021-43529 is, how attackers could exploit it, and how to protect yourself. We'll dig into code snippets to show you what actually went wrong, include links to original resources, and explain the underlying risk in a simple way.

What is CVE-2021-43529?

To start, CVE-2021-43529 is not a bug by itself, but it's related to a serious heap overflow issue (CVE-2021-43527) in Mozilla NSS, the library Thunderbird uses to handle cryptography. Older Thunderbird versions (before 91.3.) called this vulnerable code path when processing specially-crafted S/MIME messages.

Severity: High

- Exploit vector: Sending an S/MIME email with a malicious DER-encoded DSA or RSA-PSS signature certificate

Summary: If you used S/MIME (Secure/Multipurpose Internet Mail Extensions) to sign or encrypt emails, an attacker could send you an email with a malicious digital certificate—just viewing or processing the message could allow them to run code on your PC.

The Root Cause: NSS Heap Overflow

At the heart is CVE-2021-43527, a heap overflow in the decode_ber_signature function in NSS, the cryptographic library used by Thunderbird.

Here’s a simplified snippet of vulnerable code from NSS

// Vulnerable NSS code (simplified)
SECStatus decode_ber_signature(SECKEYPublicKey *pubKey, SECItem *input, SECItem *output) {
    ...
    output->len = ber_decoded_length;
    memcpy(output->data, ber_decoded_data, ber_decoded_length); // heap overflow occurs here if output->data is too small
    ...
}

Normally, the function would be careful about the size of the output buffer. But in this buggy version, it could trust values from an attacker-controlled certificate (DER-encoded DSA or RSA-PSS signature). This lets an attacker overwrite heap memory—often a first step towards arbitrary code execution.

How Thunderbird Triggers the Vulnerability

In versions prior to 91.3., Thunderbird wasn't careful: it would process any S/MIME email and invoke this vulnerable function if the email contained a DER-encoded DSA or RSA-PSS signature.

Patch: What Changed in 91.3.?

Mozilla addressed the issue by patching NSS and, importantly, by blocking Thunderbird from calling the vulnerable code for S/MIME messages containing DER-encoded DSA or RSA-PSS signatures. This meant even if the underlying NSS bug was present, Thunderbird wouldn’t trigger it for S/MIME mail.

You can see the Thunderbird release notes here (91.3.):

> Thunderbird will no longer call the vulnerable code when processing S/MIME messages that contain certificates with DER-encoded DSA or RSA-PSS signatures.

Exploit Details: How an Attacker Could Use This

1. Attacker crafts a malicious S/MIME email: They use a DER-encoded certificate that triggers the overflow. The signature could be DSA or RSA-PSS, both handled by the buggy function.

2. Victim opens or previews the email in Thunderbird (before 91.3.): Thunderbird processes the S/MIME structure, passes the attacker’s data to NSS, and the heap overflow occurs.

3. Attacker's code runs: In the best case (for the attacker), this would allow remote code execution with the privileges of the user running Thunderbird.

No user interaction needed beyond processing the message—just previewing or syncing it could trigger the bug.

Proof-of-Concept Snippet

Here’s a simplified Python snippet showing the structure of a malicious certificate. This isn’t a real exploit (for safety), but shows how certificate fields could be constructed:

from asn1crypto import pem, algos, core, keys

# Fake DSA Signature (abnormally large length)
class ExploitSignature(core.Sequence):
    _fields = [
        ('r', core.Integer),
        ('s', core.Integer)
    ]

# Build payload
payload = ExploitSignature({
    'r': x41414141 * 100,   # Causes huge length, triggers overflow
    's': x42424242 * 100
}).dump()

print(pem.armor('SIGNATURE', payload))

Warning: This is a demonstration of how the structure could be manipulated. Don’t try to target anyone’s system.

Update Thunderbird to 91.3. or newer.

- Download latest Thunderbird here.

`

3. Be cautious with S/MIME emails, especially from unknown sources, even after updating.

References & Further Reading

- Mozilla Foundation Security Advisory 2021-51
- CVE-2021-43529 entry in NIST NVD
- CVE-2021-43527 (underlying NSS bug)
- Thunderbird 91.3. Release Notes
- Analysis from Red Hat Security

Conclusion

CVE-2021-43529 was a serious risk for Thunderbird users dealing with S/MIME emails—proof that cryptography parsing bugs can cause big problems. If you haven’t already, upgrade to Thunderbird 91.3. or newer and keep your software updated. Vulnerabilities like this show how important quick patching and defense-in-depth are for staying secure.

Timeline

Published on: 02/16/2023 22:15:00 UTC
Last modified on: 02/28/2023 13:55:00 UTC