Wednesday, May 14, 2025
HomeCyber Security NewsOpenSSL Flaw Would Allow Attackers to Cause a denial-of-service Condition

OpenSSL Flaw Would Allow Attackers to Cause a denial-of-service Condition

Published on

SIEM as a Service

Follow Us on Google News

OpenSSL has released a Security Advisory [on 8th of December 2020] regarding the vulnerability CVE-2020-1971 which is called EDIPARTYNAME NULL pointer de-reference.

What is the vulnerability?

X.509 digital certificate’s GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName.

- Advertisement - Google News

OpenSSL’s function GENERAL_NAME_cmp compares different instances of a GENERAL_NAME to see if they are equal or not.

It is found that this operation malfunctions when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer de-reference and a crash may occur leading to a possible denial of service attack which is illustrated in gbhackers.

Risk assignment:

If an attacker controls the functions of the GENERAL_NAME_cmp, he can crash the entire system.

This GENERAL_NAME_cmp is used for the below two main purposes:

1) GENERAL_NAME_cmp compares the CRL distribution point names between an available CRL and a CRL (where CRL is the Certificate Revocation list)distribution point embedded in an X509 certificate

2) GENERAL_NAME_cmp verifies whether a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token)

Suppose if the attacker tricks a client machine or a server machine to check for a malicious certificate against a malicious CRL, then Attacker can exploit this and cause denial of service attack . It is also to be noted that some applications automatically download CRLs based on a URL embedded in a certificate. OpenSSL’s s_server, s_client and verify tools have support for the “-crl_download” option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools.

Affected versions:

  • OpenSSL 1.1.1 and 1.0.2
  • This is not yet tested on the unsupported versions yet

Proposed advise:

  • OpenSSL 1.1.1 users are advised to upgrade to 1.1.1i with immediate effect.
  • Premium support customers of OpenSSL 1.0.2 have been asked to upgrade to 1.0.2x also other users are requested to upgrade to OpenSSL 1.1.1i right away.
Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Threat Actors Leverage Weaponized HTML Files to Deliver Horabot Malware

A recent discovery by FortiGuard Labs has unveiled a cunning phishing campaign orchestrated by...

TA406 Hackers Target Government Entities to Steal Login Credentials

The North Korean state-sponsored threat actor TA406, also tracked as Opal Sleet and Konni,...

Google Threat Intelligence Releases Actionable Threat Hunting Technique for Malicious .desktop Files

Google Threat Intelligence has unveiled a series of sophisticated threat hunting techniques to detect...

New Adobe Photoshop Vulnerability Enables Arbitrary Code Execution

Adobe has released critical security updates addressing three high-severity vulnerabilities (CVE-2025-30324, CVE-2025-30325, CVE-2025-30326) in...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Threat Actors Leverage Weaponized HTML Files to Deliver Horabot Malware

A recent discovery by FortiGuard Labs has unveiled a cunning phishing campaign orchestrated by...

TA406 Hackers Target Government Entities to Steal Login Credentials

The North Korean state-sponsored threat actor TA406, also tracked as Opal Sleet and Konni,...

Google Threat Intelligence Releases Actionable Threat Hunting Technique for Malicious .desktop Files

Google Threat Intelligence has unveiled a series of sophisticated threat hunting techniques to detect...