The Advanced Threat Research (ATR) team at Intel Security and Antoine Delignat-Lavaud (INRIA Paris, PROSECCO) have discovered a critical vulnerability in the Mozilla NSS crypto library. This vulnerability (dubbed “BERserk”) allows for attackers to forge RSA signatures, thereby allowing for the bypass of authentication to websites (SSL/TLS). Authentication mechanisms within firmware, on specific devices, may be compromised as well, allowing attackers to compromise the integrity of software on the device.

Attack Detail

This is a variant of Daniel Bleichenbacher’s PKCS#1 v1.5 RSA Signature Forgery vulnerability (CVE-2006-4339, Due to an incorrect check on signature padding, this new attack variant allows for RSA signatures to be successfully forged without knowledge of the corresponding RSA private key. Attackers are able to “man-in-the-middle” connections that are assumed to be secure (via SSL) allowing them to monitor and intercept data transmitted over that session.

The attack exploits a vulnerability in the parsing of an ASN.1 encoded sequence during signature verification. ASN.1 encoded sequences are made up of objects that are encoded using BER and/or DER. This attack exploits the fact that bytes are skipped during parsing of certain fields. This condition enables the attack.

Part one of our technical analysis of the “BERserk” vulnerability is now available. This first part is not vendor or library specific. Rather, we are providing generic guidance in an effort to allow developers to avoid these issues in future implementations. We will continue the next part of our analysis with specifics on the Mozilla NSS library.

Download the paper


Update: October 6, 2014 — Part two of our analysis is now available. This update explores the specifics of the attack against Mozilla NSS.

Download part two of the paper



An attacker can forge/spoof the authentication between an end-user and their bank website. In such a “man-in-the-middle” scenario, all personal data communicated in the browser session can be intercepted and/or compromised. Both integrity and confidentiality of the data exchanged in that session are at risk. A picture below illustrates this attack against SSL/TLS digital certificates.

The following screenshot demonstrates that SSL/TLS digital certificates (RSA-2048 with SHA-1) are successfully forged using this vulnerability and validated by latest version of Mozilla Firefox web browser.



Additional Q&A

Why is it named BERserk?

This issue is named “BERserk” because the vulnerability is enabled by the incorrect parsing of certain BER (Basic Encoding Rules) encoded sequences in the implementation of RSA signature verification.

Is this being exploited in-the-wild?

While Intel Security is unaware of any attacks exploiting BERserk, we strongly advise individuals and organizations using Firefox to take immediate action to update their browsers with the latest security update from Mozilla.

Additional References

Related Vulnerabilities

The Intel ATR team has been reviewing other crypto libraries for related problems and has found that some other libraries are affected by similar vulnerabilities. Intel PSIRT and CERT/CC continues coordination with the developers of affected crypto libraries under VU#772676.

In one particular example, we worked closely with WolfSSL and a patch was released for WolfSSL CyaSSL crypto library (CyaSSL 3.2.0) on September 10, 2014. Further details can be found at:

As details become available regarding fixes in other crypto libraries we will be providing more information.

Advanced Threat Research

Intel Security’s Advanced Threat Research team performs vulnerability research in order to lead in ubiquitous security. Increasingly, people around the world depend on technology for their daily activities. Making this technology trustworthy involves a deep understanding of how attacks work. By researching security vulnerabilities, this team discovers cutting-edge ways to help Intel Security lead the way in securing technology.

Learn more about us