The OpenSSL Project released security patches to address three vulnerabilities, two denial-of-service (DoS) flaws, and an incorrect SSLv2 rollback protection issue.
The fist vulnerability, tracked as CVE-2021-23841, is a NULL pointer dereference issue that can be exploited to cause a crash and trigger a DoS condition. The security advisory states that the X509_issuer_and_serial_hash function is never called directly by OpenSSL itself, which means it only impacts applications that invoke the function directly while managing certificates obtained from untrusted sources.
“The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack.” reads the advisory.
The issue has been rated ‘moderate’ in severity, it affects OpenSSL versions 1.1.1i and below. Users should upgrade to version 1.1.1j. OpenSSL versions 1.0.2x and below are also affected by this issue.
The vulnerability was reported by the popular Google Project Zero expert Tavis Ormandy on 15th December 2020, and Matt Caswell fixed it.
OpenSSL also addressed a low-severity integer overflow vulnerability in CipherUpdate tracked as CVE-2021-23840 that could be exploited to cause a crash.
The bug, tracked as CVE-2021-23840, was identified by Paul Kehrer.
“Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.” reads the advisory.
Versions 1.1.1i and below are affected by this issue along with versions 1.0.2x and below.
The third issue is a low-severity flaw, tracked as CVE-2021-23839, it is an incorrect SSLv2 rollback protection.
The flaw was reported to OpenSSL Project on 21st January 2021 by D. Katz and Joel Luellwitz from Trustwave.
The issue affects servers using OpenSSL 1.0.2 which are vulnerable to SSL version rollback attacks.
In 2010, the Open SSL project addressed three vulnerabilities, including two DDoS issues rated high severity.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, encryption)