Pierluigi Paganini December 08, 2020

The OpenSSL Project disclosed a serious security vulnerability in TLS/SSL toolkit that exposes users to denial-of-service (DoS) attacks.

The OpenSSL Project warned of a ‘high-severity’ security vulnerability in the TLS/SSL toolkit that exposes users to denial-of-service (DoS) attacks.

The flaw is a null pointer dereference, successful exploitation could trigger denial-of-service conditions. The vulnerability was reported by Google researcher David Benjamin.

“The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not.” reads the alert published by OpenSSL Project. “This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack.”

The flaw stems from the GENERAL_NAME_cmp function which compares different instances of a GENERAL_NAME using in X.509 certificates.

The GENERAL_NAME_cmp function is used for the following purposes:

1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate

2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token)

An attacker could trigger a clash by controlling both items being compared, this is possible, for example, if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL. 

The flaw affects all OpenSSL 1.1.1 and 1.0.2 versions, users are urged to upgrade to OpenSSL 1.1.1i. 

Pierluigi Paganini

(SecurityAffairs – hacking, DoS)

[adrotate banner=”5″]

[adrotate banner=”13″]