The OpenSSL project has released fixes to address several security flaws, including a high-severity bug in the open source cryptographic toolkit that could expose users to malicious attacks.
tracked as CVE-2023-0286The issue relates to cases of type confusion that could allow an adversary to “read the contents of memory or perform a denial of service,” the maintainer said in the advisory. increase.
The vulnerability is rooted in the way popular cryptographic libraries handle X.509 certificates and only affects applications with custom implementations for retrieving Certificate Revocation Lists (CRLs) over the network. may give.
“In most cases, the attack requires the attacker to provide both the certificate chain and the CRL, neither of which need to have valid signatures,” OpenSSL said. “If an attacker only controls her one of these inputs, the other input should already contain her X.400 address as her CRL distribution point, but this It’s not common.”
Type confusion flaws can have serious consequences. It can be weaponized to cause a program to behave in an intentionally unintended way, causing crashes or code execution.
This issue is fixed in OpenSSL versions 3.0.8, 1.1.1t, and 1.0.2zg. Other security flaws addressed as part of the latest update include:
- CVE-2022-4203 – X.509 name constraint read buffer overflow
- CVE-2022-4304 – Oracle timing for RSA decryption
- CVE-2022-4450 – double free after calling PEM_read_bio_ex
- CVE-2023-0215 – Use after free following BIO_new_NDEF
- CVE-2023-0216 – Invalid pointer dereference in d2i_PKCS7 function
- CVE-2023-0217 – NULL dereference to verify DSA public key
- CVE-2023-0401 – NULL dereference during PKCS7 data validation
Successful exploitation of the above shortcomings can lead to application crashes, disclosure of memory contents, and even recovery of plaintext messages sent over the network. This is done by utilizing timing-based side-channels in Breichenbacher-style attacks.
Almost two months after plugging in a low-severity flaw (CVE-2022-3996) that caused a denial of service condition in OpenSSL’s handling of X.509 certificates, a fix has arrived .
