Recently, the OpenSSL Project released a security update for OpenSSL that patches a high-severity vulnerability, tracked as CVE-2020-1967, that can be exploited by attackers to launch denial-of-service (DoS) attacks.
The CVE-2020-1967 vulnerability has been described as a “segmentation fault” in the SSL_check_chain function, it is the first issue addressed in OpenSSL in 2020.
“Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the ‘signature_algorithms_cert’ TLS extension,” reads the advisory published by the OpenSSL Project.
“The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.”
The vulnerability affects OpenSSL versions 1.1.1d, 1.1.1e and 1.1.1f, and it has been patched with the release of version 1.1.1g. The vulnerability doesn’t affect older versions 1.0.2 and 1.1.0.
This flaw was discovered by Bernd Edlinger and reported to OpenSSL on 7th April 2020, the researchers found the issue by using the new static analysis pass being implemented in the GNU Compiler Collection (GCC) static code analyzer. The security duo Matt Caswell and Benjamin Kaduk performed additional analyses.
“This issue did not affect OpenSSL 1.0.2 however these versions are out of support and no longer receiving public updates.” continues the advisory. “Extended support is available for premium support customers:
“This issue did not affect OpenSSL 1.1.0 however these versions are out of support and no longer receiving updates. Users of these versions should upgrade to OpenSSL 1.1.1.”
News of the day is that the security researcher Imre Rad has published a PoC exploit code for the CVE-2020-1967, he also provided technical details on the way on how to exploit it.
The exploitation is quite simple, an attacker could trigger a DoS condition by sending a specially crafted payload to the vulnerable server. The flaw could be also exploited through a man-in-the-middle (MitM) attack or by setting up a malicious TLS server and tricking a vulnerable client to connect to it.
“To exploit this vulnerability, a crafted signature_algorithms_cert TLS extension needs to be submitted as part of the Hello message. I used a patched version of the openssl library to build such a client; the server is the built-in s_server openssl app, along with the -x options to activate the code path that invokes SSL_check_chain.” reads the description published on GitHub.
Some organizations are already assessing their products using the OpenSSL to address them, IBM has fixed the flaw in the MessageGateway.
Please vote Security Affairs for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
(SecurityAffairs – OpenSSL, hacking)