OpenSSL has released a Security Advisory [on 8th of December 2020] regarding the vulnerability CVE-2020-1971 which is called EDIPARTYNAME NULL pointer de-reference.
What is the vulnerability?
X.509 digital certificate’s GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName.
.png
)
OpenSSL’s function GENERAL_NAME_cmp compares different instances of a GENERAL_NAME to see if they are equal or not.
It is found that this operation malfunctions when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer de-reference and a crash may occur leading to a possible denial of service attack which is illustrated in gbhackers.
Risk assignment:
If an attacker controls the functions of the GENERAL_NAME_cmp, he can crash the entire system.
This GENERAL_NAME_cmp is used for the below two main purposes:
1) GENERAL_NAME_cmp compares the CRL distribution point names between an available CRL and a CRL (where CRL is the Certificate Revocation list)distribution point embedded in an X509 certificate
2) GENERAL_NAME_cmp verifies whether a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token)
Suppose if the attacker tricks a client machine or a server machine to check for a malicious certificate against a malicious CRL, then Attacker can exploit this and cause denial of service attack . It is also to be noted that some applications automatically download CRLs based on a URL embedded in a certificate. OpenSSL’s s_server, s_client and verify tools have support for the “-crl_download” option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools.
Affected versions:
- OpenSSL 1.1.1 and 1.0.2
- This is not yet tested on the unsupported versions yet
Proposed advise:
- OpenSSL 1.1.1 users are advised to upgrade to 1.1.1i with immediate effect.
- Premium support customers of OpenSSL 1.0.2 have been asked to upgrade to 1.0.2x also other users are requested to upgrade to OpenSSL 1.1.1i right away.
