The OpenSSL Project released a security update for OpenSSL that patches a high-severity vulnerability, tracked as CVE-2020-1967, that can be exploited by attackers to launch denial-of-service (DoS) attacks. This is the first issue addressed in OpenSSL in 2020.
The CVE-2020-1967 vulnerability has been described as a “segmentation fault” in the SSL_check_chain function.
“Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the ‘signature_algorithms_cert’ TLS extension,” reads the advisory published by the OpenSSL Project.
“The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.”
The vulnerability affects OpenSSL versions 1.1.1d, 1.1.1e and 1.1.1f, and it has been patched with the release of version 1.1.1g.
The organization pointed out that older versions 1.0.2 and 1.1.0 are not affected by the vulnerability.
This vulnerability was discovered by Bernd Edlinger and reported to OpenSSL on 7th April 2020, the researchers found the issue by using the new static analysis pass being implemented in the GNU Compiler Collection (GCC) static code analyzer. The security duo Matt Caswell and Benjamin Kaduk performed additional analyses.
“This issue did not affect OpenSSL 1.0.2 however these versions are out of support and no longer receiving public updates.” continues the advisory. “Extended support is available for premium support customers:
“This issue did not affect OpenSSL 1.1.0 however these versions are out of support and no longer receiving updates. Users of these versions should upgrade to OpenSSL 1.1.1.”
Please give me your vote for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
(SecurityAffairs – CVE-2020-1967, hacking)