OpenSSL

The OpenSSL Project has released fixes to address several security flaws, including a high-severity bug in the open source encryption toolkit that could potentially expose users to malicious attacks.

Tracked as CVE-2023-0286, the issue relates to a case of type confusion that may permit an adversary to "read memory contents or enact a denial-of-service," the maintainers said in an advisory.

The vulnerability is rooted in the way the popular cryptographic library handles X.509 certificates, and is likely to impact only those applications that have a custom implementation for retrieving a certificate revocation list (CRL) over a network.

"In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature," OpenSSL said. "If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon."

Cybersecurity

Type confusion flaws could have serious consequences, as they could be weaponized to deliberately force the program to behave in unintended ways, possibly causing a crash or code execution.

The issue has been patched in OpenSSL versions 3.0.8, 1.1.1t, and 1.0.2zg. Other security flaws addressed as part of the latest updates include:

  • CVE-2022-4203 - X.509 Name Constraints Read Buffer Overflow
  • CVE-2022-4304 - Timing Oracle in RSA Decryption
  • CVE-2022-4450 - Double free after calling PEM_read_bio_ex
  • CVE-2023-0215 - Use-after-free following BIO_new_NDEF
  • CVE-2023-0216 - Invalid pointer dereference in d2i_PKCS7 functions
  • CVE-2023-0217 - NULL dereference validating DSA public key
  • CVE-2023-0401 - NULL dereference during PKCS7 data verification
Cybersecurity

Successful exploitation of the above shortcomings could lead to an application crash, disclose memory contents, and even recover plaintext messages sent over a network by taking advantage of a timing-based side-channel in what's a Bleichenbacher-style attack.

The fixes arrive nearly two months after OpenSSL plugged a low-severity flaw (CVE-2022-3996) that arises when processing an X.509 certificate, resulting in a denial-of-service condition.


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.