USN-6727-2: NSS regression

The recent update labeled USN-6727-1 addressed critical vulnerabilities in Network Security Services (NSS), an essential component handling cryptographic functions in various operating systems. Although the update was crucial, it inadvertently introduced a regression that affected the loading of security modules, specifically impacting users of Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.

To address this issue, a subsequent update has been issued under the identifier USN-6727-2. This update corrects the regression, ensuring that security modules load correctly without compromising the system's integrity. We sincerely apologize for any inconvenience this may have caused to our users.

Detailed Insights into the Original Vulnerabilities:

The primary vulnerability addressed in the initial update was related to incorrect handling of padding in PKCS#1 certificates by NSS. Specifically, the error could allow a remote attacker to perform Bleichenbacher-like attacks to recover sensitive private data. This vulnerability, identified as CVE-2023-4421, affected only Ubuntu 20.04 LTS.

Furthermore, NSS was found to be vulnerable to timing side-channel attacks while performing RSA decryption and when using certain NIST curves. These vulnerabilities could have potentially allowed an attacker to recover private data and were tracked as CVE-2023-5388 and CVE-2023-6135 respectively.

To mitigate these issues, NSS was updated to version 3.98, which includes a number of security enhancements and the latest CA certificate bundle, and various fixes were implemented. One notable fix, made in response to the identified PKCS#1 v1.5 vulnerability, was the implementation of an implicit rejection algorithm: when invalid padding is detected, the algorithm uses a deterministic random message, significantly mitigating the risk of Bleichenbacher-like attacks.
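The idea behind implicit rejection, as an added sketch that is not NSS code and not the exact algorithm NSS implements: the toy key, the HMAC labels "length" and "message", and all function names are assumptions made for illustration, and Python gives no constant-time guarantees.

```python
import hashlib
import hmac
import os

# Constructed toy key (two Mersenne primes); far too small for real use.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8        # modulus length in bytes
MAX_LEN = K - 11                     # longest message PKCS#1 v1.5 allows

def encrypt_block(em: bytes) -> bytes:
    """Raw RSA on an already-encoded block (lets a test build bad padding)."""
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")

def encrypt(msg: bytes) -> bytes:
    """PKCS#1 v1.5 encryption block: 00 02 <nonzero padding> 00 <msg>."""
    ps = bytes(b % 255 + 1 for b in os.urandom(K - 3 - len(msg)))
    return encrypt_block(b"\x00\x02" + ps + b"\x00" + msg)

def unpad(em: bytes):
    """Return the message, or None if the padding is malformed."""
    sep = em.find(b"\x00", 2)        # first zero byte after the 00 02 header
    if em[:2] != b"\x00\x02" or sep < 10:
        return None                  # wrong header, no separator, or padding < 8 bytes
    return em[sep + 1:]

def synthetic_message(ct: bytes) -> bytes:
    """Deterministic fallback keyed by the private exponent and the ciphertext."""
    secret = hashlib.sha256(D.to_bytes(K, "big")).digest()
    kdk = hmac.new(secret, ct, hashlib.sha256).digest()
    length = hmac.new(kdk, b"length", hashlib.sha256).digest()[0] % (MAX_LEN + 1)
    return hmac.new(kdk, b"message", hashlib.sha256).digest()[:length]

def decrypt(ct: bytes) -> bytes:
    """Never signals a padding error; bad padding yields the fallback message."""
    em = pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")
    fallback = synthetic_message(ct)  # computed on every call, valid or not
    msg = unpad(em)
    return fallback if msg is None else msg
```

Because the fallback depends only on the private key and the ciphertext, resubmitting the same malformed ciphertext always yields the same plausible-looking output, so the caller has no padding-error signal to use as an oracle.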
