The OpenSSL Project has taken immediate action to safeguard its users by releasing critical fixes to address several severe security vulnerabilities in its open-source encryption toolkit. One such vulnerability, tracked as CVE-2023-0286, is a high-severity bug that could potentially put users at risk of malicious attacks.
According to the advisory issued by the maintainers, the vulnerability stems from a type confusion issue that could allow adversaries to read memory contents or cause a denial of service. The vulnerability lies in the way the widely used cryptographic library processes X.509 certificates and is only likely to impact applications that have a custom implementation for retrieving certificate revocation lists (CRLs) over a network.
However, OpenSSL warns that the attack can only be successful if the attacker has control over both the certificate chain and the CRL, neither of which needs to have a valid signature. In the rare scenario where the attacker only has control over one input, the other input must already contain an X.400 address as a CRL distribution point.
Type confusion flaws can have devastating consequences, as they can be leveraged to deliberately manipulate the program’s behavior, leading to crashes or code execution. The good news is that the issue has been patched in the latest versions of OpenSSL, including 3.0.8, 1.1.1t, and 1.0.2zg.
In addition to the high-severity bug, the latest updates address several other security shortcomings: an X.509 name constraints read buffer overflow; a timing oracle in RSA decryption; a double free after calling PEM_read_bio_ex; a use-after-free following BIO_new_NDEF; an invalid pointer dereference in d2i_PKCS7 functions; a NULL dereference validating the DSA public key; and a NULL dereference during PKCS7 data verification.
Exploitation of these vulnerabilities could result in application crashes, disclosure of memory contents, and even the compromise of encrypted messages sent over a network through a timing-based side-channel attack known as a Bleichenbacher-style attack.
It is imperative that users of OpenSSL upgrade to the latest patched versions to protect themselves from these security threats. The release of these fixes follows OpenSSL’s plugging of a low-severity flaw (CVE-2022-3996) that arose when processing X.509 certificates and caused a denial-of-service condition. Act now to safeguard your information and secure your online presence with OpenSSL’s latest security updates.
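To check an inventory against the fixed releases named above (3.0.8, 1.1.1t, 1.0.2zg), the following is an added example, not code from the OpenSSL Project. It compares upstream version strings, including the letter suffixes of the 1.x branches; the function names and sample banners are constructed for illustration, and branches the article does not list are reported as unknown.

```python
import re
import ssl

# Fixed releases named in the article, keyed by release branch.
FIXED = {"3.0": "3.0.8", "1.1.1": "1.1.1t", "1.0.2": "1.0.2zg"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse(version):
    """Return a sortable tuple for an upstream OpenSSL version string."""
    m = _VERSION_RE.search(version)
    if not m:
        raise ValueError(f"no OpenSSL version found in {version!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    suffix = m.group(4)
    # Letter releases run a..z, then za, zb, ...: order by length, then text.
    return (major, minor, patch, (len(suffix), suffix))


def branch_of(parsed):
    """3.x branches are major.minor; 1.x branches are major.minor.patch."""
    major, minor, patch, _ = parsed
    return f"{major}.{minor}" if major >= 3 else f"{major}.{minor}.{patch}"


def status(version):
    """Return 'patched', 'vulnerable', or 'unknown' (branch not in FIXED)."""
    parsed = parse(version)
    fixed = FIXED.get(branch_of(parsed))
    if fixed is None:
        return "unknown"
    return "patched" if parsed >= parse(fixed) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners in the style of `openssl version` output.
    samples = ["OpenSSL 3.0.7 1 Nov 2022", "OpenSSL 1.1.1t", "OpenSSL 1.0.2u"]
    for banner in samples:
        print(f"{banner!r}: {status(banner)}")
    # The OpenSSL build this Python interpreter is linked against.
    print(f"{ssl.OPENSSL_VERSION!r}: {status(ssl.OPENSSL_VERSION)}")
```

Distribution packages that backport security fixes keep the older upstream version string, so a "vulnerable" result for a vendor build should be confirmed against the vendor's own advisory.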