CVE-2024-11705 is a vulnerability in the NSC_DeriveKey function, which is part of the Network Security Services (NSS) libraries used by Mozilla Firefox and Thunderbird. The issue stems from an incorrect assumption that the phKey parameter is always non-NULL. When this parameter is passed as NULL, a segmentation fault (SEGV) occurs, causing crashes in the affected applications. This behavior is in conflict with the PKCS#11 v3. specification, which allows phKey to be NULL for certain mechanisms. Firefox versions prior to 133 and Thunderbird versions prior to 133 are affected by this vulnerability.

Here's the part of the NSC_DeriveKey function where the NULL pointer dereference occurs:

CK_RV
NSC_DeriveKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
              CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate,
              CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey) {

    // ...

    // Only the session and mechanism are validated here; phKey is never checked
    if (!hSession || !pMechanism) {
        return CKR_ARGUMENTS_BAD;
    }

    // ...

    // phKey is assumed to be non-NULL and dereferenced unconditionally, so a
    // NULL phKey (which PKCS#11 permits for some mechanisms) segfaults here
    *phKey = nss_ckmk_CreateKeyObject(hSession, object_class, key_type, …);

    return CKR_OK;
}
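A hardened version of the derive path, added here as an illustration and not taken from NSS or from the actual fix: the mechanism ids, the parameter block, the handle values and the create_key_object helper are all constructed for this example, and it assumes a mechanism whose derived handles are returned through its parameter block rather than through phKey (the situation in which the specification allows a NULL phKey).

```c
#include <stddef.h>
/* Minimal stand-ins for the PKCS#11 types used here (constructed, not from NSS). */
typedef unsigned long CK_RV;
typedef unsigned long CK_MECHANISM_TYPE;
typedef unsigned long CK_OBJECT_HANDLE;
typedef CK_OBJECT_HANDLE *CK_OBJECT_HANDLE_PTR;
#define CKR_OK            0x00UL
#define CKR_ARGUMENTS_BAD 0x07UL
#define CK_INVALID_HANDLE 0UL

/* Constructed mechanism ids for this example, not real CKM_* constants. */
#define MECH_SINGLE_KEY 1UL /* the derived handle is returned only through phKey */
#define MECH_MULTI_KEY  2UL /* handles are returned in the parameter block instead */

/* Parameter block for MECH_MULTI_KEY: the handles land here, so phKey is optional. */
typedef struct {
    CK_OBJECT_HANDLE hClientKey;
    CK_OBJECT_HANDLE hServerKey;
} multi_key_params;

/* Stand-in for key object creation; returns a deterministic fake handle. */
static CK_OBJECT_HANDLE create_key_object(CK_MECHANISM_TYPE mech, unsigned idx) {
    return mech * 100UL + idx;
}

/* Hardened derive: decide per mechanism whether phKey is required, and never
 * write through it when the caller passed NULL. */
CK_RV derive_key_hardened(CK_MECHANISM_TYPE mech, void *pParam,
                          CK_OBJECT_HANDLE_PTR phKey) {
    switch (mech) {
    case MECH_SINGLE_KEY:
        /* No other place to return the handle: reject NULL before any dereference. */
        if (phKey == NULL) {
            return CKR_ARGUMENTS_BAD;
        }
        *phKey = create_key_object(mech, 1);
        return CKR_OK;
    case MECH_MULTI_KEY: {
        multi_key_params *out = (multi_key_params *)pParam;
        if (out == NULL) {
            return CKR_ARGUMENTS_BAD;
        }
        out->hClientKey = create_key_object(mech, 1);
        out->hServerKey = create_key_object(mech, 2);
        if (phKey != NULL) { /* optional for this mechanism: only touch it if supplied */
            *phKey = CK_INVALID_HANDLE;
        }
        return CKR_OK;
    }
    default:
        return CKR_ARGUMENTS_BAD;
    }
}
```

The same call that crashes the vulnerable version (MECH_MULTI_KEY with phKey == NULL) returns CKR_OK here, while a NULL phKey for a mechanism that has nowhere else to put its handle is rejected with CKR_ARGUMENTS_BAD instead of being dereferenced.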

References

1. Mozilla Security Advisory for Firefox - MFSA2024-33
2. Mozilla Security Advisory for Thunderbird - MFSA2024-34
3. The PKCS#11 v3. specification - Section 12.7.1

Exploit Details

Because this vulnerability leads to a segmentation fault and a crash of the host process, it could be used by an attacker to cause a denial of service (DoS) against the affected applications. Triggering it requires a scenario in which NSC_DeriveKey is invoked with a NULL phKey parameter, which leads to the segmentation fault shown in the code snippet above.

Users are advised to update their Firefox and Thunderbird installations to version 133 or later to mitigate the risk posed by this vulnerability.

Please note that the actual exploit details might be more complex than what's described here and might involve multiple steps or additional vulnerabilities to successfully exploit this issue. This post is meant to raise awareness about the vulnerability and encourage updates and proper patch management.

Timeline

Published on: 11/26/2024 14:15:19 UTC
Last modified on: 11/27/2024 16:15:14 UTC