On December 8, 2020, OpenSSL issued a security update for a high-severity denial-of-service (DoS) vulnerability in the open-source library. As reported by David Benjamin of Google, the vulnerability affects all releases of the 1.0.2 and 1.1.1 series issued before 1.1.1i.
Meanwhile, the U.S. DHS Cybersecurity and Infrastructure Security Agency (CISA) encouraged users and administrators to upgrade their vulnerable OpenSSL instances without delay.
The Main Driver of the Vulnerability
A NULL pointer dereference vulnerability was identified in the encryption library’s GENERAL_NAME_cmp function. This high-severity vulnerability is tracked as CVE-2020-1971.
X.509 certificates use the GeneralName type in several places to represent different kinds of names. When such certificates are validated, OpenSSL uses the GENERAL_NAME_cmp function to compare two GeneralName fields.
If both fields being compared contain the same particular type of GeneralName, the NULL pointer dereference can crash OpenSSL. OpenSSL has released a patch, announced in its security advisory, that closes this vulnerability. The severity is rated high; critical is the only higher rating, and OpenSSL issues a critical advisory only about once every five years.
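To make the defect pattern concrete, the following is an added example, not OpenSSL's own code, that models GENERAL_NAME_cmp over a minimal GeneralName choice. The affected form is the EDIPartyName variant of GeneralName, whose nameAssigner field is optional. In this model the pre-fix comparison uses that optional field without a NULL check, which is the kind of unchecked access that ends in a NULL pointer dereference; the hardened version follows the shape of the upstream fix, which gives EDIPartyName its own comparison routine and checks each possibly-absent pointer before use. Struct and function names mirror OpenSSL's for readability but are simplified models, and the sample names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Minimal model of the X.509 GeneralName CHOICE. Names mirror OpenSSL's
 * GENERAL_NAME / EDIPARTYNAME for readability; this is not OpenSSL code. */
enum { GEN_DNS = 2, GEN_EDIPARTY = 5 };

typedef struct {
    const char *nameAssigner;   /* OPTIONAL in ASN.1: may be NULL */
    const char *partyName;      /* required */
} EDIPartyName;

typedef struct {
    int type;
    union {
        const char *dNSName;
        const EDIPartyName *ediPartyName;
    } d;
} GeneralName;

/* Pre-fix pattern (modelled): the optional field is used without a NULL
 * check. Two names whose nameAssigner is absent crash here. */
int edipartyname_cmp_unchecked(const EDIPartyName *a, const EDIPartyName *b)
{
    int res = strcmp(a->nameAssigner, b->nameAssigner); /* NULL dereference if absent */
    if (res != 0)
        return res;
    return strcmp(a->partyName, b->partyName);
}

/* Hardened comparison in the shape of the upstream fix: every pointer that
 * can legitimately (or illegitimately) be NULL is checked first, and a
 * malformed input compares as "not equal" instead of crashing. */
int edipartyname_cmp(const EDIPartyName *a, const EDIPartyName *b)
{
    int res;
    if (a == NULL || b == NULL)
        return -1;
    if (a->nameAssigner == NULL && b->nameAssigner != NULL)
        return -1;
    if (a->nameAssigner != NULL && b->nameAssigner == NULL)
        return 1;
    if (a->nameAssigner != NULL) {          /* both present */
        res = strcmp(a->nameAssigner, b->nameAssigner);
        if (res != 0)
            return res;
    }
    if (a->partyName == NULL || b->partyName == NULL)
        return -1;                          /* required field missing: malformed */
    return strcmp(a->partyName, b->partyName);
}

/* Dispatch on the CHOICE type; differing or unsupported types compare unequal. */
int general_name_cmp(const GeneralName *a, const GeneralName *b)
{
    if (a == NULL || b == NULL || a->type != b->type)
        return -1;
    switch (a->type) {
    case GEN_DNS:
        if (a->d.dNSName == NULL || b->d.dNSName == NULL)
            return -1;
        return strcmp(a->d.dNSName, b->d.dNSName);
    case GEN_EDIPARTY:
        return edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName);
    default:
        return -1;
    }
}

/* Convenience wrappers that build the GeneralName around each value. */
int cmp_edi_names(const EDIPartyName *a, const EDIPartyName *b)
{
    GeneralName ga = { GEN_EDIPARTY, { .ediPartyName = a } };
    GeneralName gb = { GEN_EDIPARTY, { .ediPartyName = b } };
    return general_name_cmp(&ga, &gb);
}

int cmp_dns_names(const char *a, const char *b)
{
    GeneralName ga = { GEN_DNS, { .dNSName = a } };
    GeneralName gb = { GEN_DNS, { .dNSName = b } };
    return general_name_cmp(&ga, &gb);
}

/* Constructed sample values: the optional nameAssigner omitted, as a crafted
 * CRL distribution point or TSA name could have it. */
const EDIPartyName no_assigner_a = { NULL, "party" };
const EDIPartyName no_assigner_b = { NULL, "party" };
const EDIPartyName with_assigner = { "assigner", "party" };

int main(void)
{
    printf("hardened, both without nameAssigner: %d\n", cmp_edi_names(&no_assigner_a, &no_assigner_b));
    printf("hardened, one without nameAssigner:  %d\n", cmp_edi_names(&no_assigner_a, &with_assigner));
    printf("unchecked, both with nameAssigner:   %d\n", edipartyname_cmp_unchecked(&with_assigner, &with_assigner));
    /* edipartyname_cmp_unchecked(&no_assigner_a, &no_assigner_b) would dereference
     * NULL: that is the crash the advisory describes. */
    return 0;
}
```

The point of the hardened routine is that a comparison function on parsed, attacker-supplied ASN.1 must treat every optional or absent pointer as a normal input and answer "not equal" rather than trust that a required field is present.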
How Is OpenSSL Vulnerability Exploitable?
The objective of the GENERAL_NAME_cmp function is twofold. It is used to compare:
- CRL distribution point names: the one in the X.509 certificate against the one in the CRL downloaded with the “-crl_download” option.
- The timestamp authority name against the signer of the timestamp response token.
With maliciously crafted X.509 certificates or CRLs, an attacker can crash the system if they control both of the parameters being compared.
While the vulnerability is left unpatched, an attacker can pass maliciously crafted inputs to the GENERAL_NAME_cmp function and crash the system, causing a denial-of-service (DoS) condition. The main threat from this vulnerability is therefore to system availability.
Who Is Safe?
Since CentOS 6 has already reached end of life, only the CentOS 7 and 8 builds of OpenSSL will receive the patch. Attackers are therefore likely to focus on this CVE, knowing that many organizations no longer receive security updates for CentOS 6.
Any server running OpenSSL 1.1.1 through 1.1.1h or 1.0.2 through 1.0.2w should be updated to the latest 1.1.1i or 1.0.2x release respectively. General users of 1.1.1 and 1.0.2 can upgrade to 1.1.1i; the fixed 1.0.2x release is provided only to premium support customers of 1.0.2.
Developers should also patch software that uses OpenSSL as a dependency, especially if it relies on the s_client, s_server, and verify tools for certificate handling, since all of these tools use GENERAL_NAME_cmp.
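A practical first step in the update described above is to find the installations still inside the affected version ranges. The following added example (not OpenSSL's own code) parses the text that `openssl version` prints and reports whether it falls within 1.1.1 through 1.1.1h or 1.0.2 through 1.0.2w; the sample version lines in main are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Affected ranges from the advisory: 1.1.1 through 1.1.1h (fixed in 1.1.1i)
 * and 1.0.2 through 1.0.2w (fixed in 1.0.2x). The base release carries no
 * letter, so it is treated as the lowest member of its range. */
static const struct {
    const char *line;
    char last_affected;
} affected_ranges[] = {
    { "1.1.1", 'h' },
    { "1.0.2", 'w' },
};

/* Returns 1 if 'ver' (a bare version such as "1.1.1h" or a full
 * `openssl version` line such as "OpenSSL 1.1.1h  22 Sep 2020") names a
 * release in an affected range, 0 otherwise. */
int affected_by_cve_2020_1971(const char *ver)
{
    size_t i;
    for (i = 0; i < sizeof affected_ranges / sizeof affected_ranges[0]; i++) {
        const char *line = affected_ranges[i].line;
        size_t len = strlen(line);
        const char *p = ver;
        while ((p = strstr(p, line)) != NULL) {
            /* Require a real version token: not preceded by a digit or dot,
             * and not continued by another digit (e.g. "1.1.10"). */
            int starts_token = (p == ver) ||
                               !(isdigit((unsigned char)p[-1]) || p[-1] == '.');
            char next = p[len];
            if (starts_token && !isdigit((unsigned char)next)) {
                if (!isalpha((unsigned char)next))
                    return 1;               /* base release, e.g. "1.1.1" */
                return tolower((unsigned char)next) <= affected_ranges[i].last_affected;
            }
            p += len;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed sample lines in the format `openssl version` prints. */
    const char *samples[] = {
        "OpenSSL 1.1.1h  22 Sep 2020",
        "OpenSSL 1.1.1i  8 Dec 2020",
        "OpenSSL 1.0.2k-fips  26 Jan 2017",
        "OpenSSL 1.0.2x",
        "OpenSSL 3.0.0",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-34s -> %s\n", samples[i],
               affected_by_cve_2020_1971(samples[i]) ? "in affected range"
                                                      : "not in affected range");
    return 0;
}
```

Treat a match as "needs confirmation", not as proof of exposure: distribution builds that backport the fix keep the upstream version string (the CentOS 7 1.0.2k builds are the obvious case), so the next check on such hosts is the package changelog, for example `rpm -q --changelog openssl | grep CVE-2020-1971`.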
Keeping your systems current with the latest updates and patches is essential: a small oversight can end up crashing a service or threatening system availability. Consult our cybersecurity advisory and consulting services to deal effectively with evolving cyber threats.