CVE-2023-5388 - How a Timing Side-Channel in NSS Put Firefox and Thunderbird RSA Decryption at Risk

In late 2023, security researchers uncovered a critical vulnerability in Network Security Services (NSS). This issue is tracked as CVE-2023-5388 and is related to a timing side-channel attack during RSA decryption. Because NSS powers much of the security stack in popular Mozilla products, including Firefox (before version 124), Firefox ESR before 115.9, and Thunderbird prior to 115.9, this vulnerability had the potential to put millions of users’ data at risk.

This article breaks down what CVE-2023-5388 is, how an attacker could exploit it, and what you can do to protect yourself.

What Is NSS?

Network Security Services (NSS) is a set of libraries used by Mozilla Firefox, Thunderbird, and many other applications to implement cryptographic security protocols like SSL and TLS. It handles low-level crypto operations, including public-key encryption like RSA.

For more details, visit the official NSS page.

The CVE-2023-5388 Flaw Explained

RSA decryption should be performed in a way that’s “constant time.” That means the time it takes to decrypt should *not* give away hints about the data being decrypted or the secret keys being used. But researchers found that, under certain circumstances, NSS’s RSA decryption code would take different amounts of time depending on the input.

An attacker clever enough to measure those differences (timing information) could eventually deduce private key material—effectively “cracking” encrypted messages or signing operations.

Summary:

In simple terms

- A malicious actor sends a lot of specially crafted encrypted messages to a server (or client) running the vulnerable code.
- By carefully timing how long it takes for each decryption response, the attacker gathers data about how the internal algorithm processes different inputs.
- Over thousands or millions of tries, the attacker uses statistical analysis to infer secret key parts.

Here’s a simple pseudocode showing what the vulnerable code might do

int rsa_decrypt(const unsigned char *input, unsigned char *output, RSA_KEY *key) {
    // ... setup ...
    // Vulnerable section: time taken depends on properties of 'input'
    for (int i = ; i < key->len; i++) {
        if (some_expensive_check(input[i], key->secret[i])) {
            // Extra time taken here...
            output[i] = do_decrypt(input[i], key->secret[i]);
        }
    }
    // ... rest of code ...
    return ;
}

Safe code would avoid data-dependent branches or extra time, making it impossible to tell anything about the key.

For a detailed explanation, see this Timing Attacks Explained article.

An attacker

1. Needs a network position that allows them to interact with the vulnerable application (like a website, SSL server, or encrypted mail process).

Eventually reconstructs enough information to recover the RSA private key.

Once the key is exposed, the attacker can impersonate the victim, decrypt protected messages, or sign code/emails as the victim.

Note: This bug is only relevant when RSA decryption is performed with potentially attacker-supplied data.

A Real-World Example

Suppose you are running an HTTPS server using Firefox or Thunderbird components, and you’re using RSA certificates for TLS. A remote attacker could use CVE-2023-5388 to recover your private key and decrypt past or future traffic (if you haven’t enabled Perfect Forward Secrecy).

Exploit Details

While no public exploits are available at the time of writing (for ethical reasons), the theoretical exploit would involve:

Measuring decryption response times with high precision.

- Using known timing attack techniques, such as those described in the Bleichenbacher attack or RSA PKCS#1 v1.5 Timing Attack.

Here’s a Python snippet demonstrating how an attacker might time requests

import time
import socket

def send_probe(server_ip, probe_data):
    s = socket.create_connection((server_ip, 443))
    start = time.time()
    s.sendall(probe_data)
    response = s.recv(4096)
    end = time.time()
    s.close()
    return end - start

timings = []
for probe in probe_list:
    timing = send_probe('target.server.com', probe)
    timings.append(timing)
# Analyze timings with numpy for statistical biases

Disclaimer: This snippet is for educational purposes only.

Mitigation and Solution

Are You Vulnerable?

You use server software linked against a vulnerable NSS library (< 3.98).

How to Fix:

- Update immediately to the latest versions

- Firefox Download
- Thunderbird Download
- NSS Releases and Advisory
- If you run your own NSS builds, apply the official patch.

Conclusion

CVE-2023-5388 is a reminder that cryptographic vulnerabilities are not always about “breaking the math”—subtle implementation bugs, like timing side-channels, can be just as dangerous. If you’re using any product built with vulnerable NSS, update now.

For more geeky details, check out these original resources

- Mozilla Security Advisory 2024-10
- NSS Bugzilla - Bug 1857715
- National Vulnerability Database: CVE-2023-5388

Timeline

Published on: 03/19/2024 12:15:07 UTC
Last modified on: 11/14/2024 22:35:01 UTC