OpenSSL, the most widely used software library for implementing website and email encryption, has patched a very serious vulnerability that makes it easy for hackers to completely shut down large numbers of servers.
OpenSSL provides proven cryptographic capabilities that implement the Transport Layer Security protocol, the successor to Secure Sockets Layer that encrypts data flowing between Internet servers and end users. People who develop applications that use TLS rely on OpenSSL to save time and avoid programming errors that often occur when non-cryptographers build applications that use complex encryption.
The critical role OpenSSL plays in Internet security came into full view when hackers began exploiting a critical vulnerability in the open source code library that allowed them to steal encryption keys, customer information and other sensitive data from servers around the world. Heartbleed, as the security flaw was called, showed how a few lines of erroneous code could topple the security of banks, news sites, law firms, and more.
Denial-of-service bug squashed
On Thursday, OpenSSL administrators disclosed and patched a vulnerability that causes servers to crash when they receive a maliciously crafted request from an unauthenticated end user. CVE-2021-3449, as the denial-of-service vulnerability is tracked, is the result of a null pointer dereference bug. Cryptography engineer Filippo Valsorda said on Twitter that the error could probably have been discovered sooner.
“Anyway, it sounds like you can crash most OpenSSL servers on the internet these days,” he added.
CVE-2021-3449 looks like it could have been easily found if someone figured out how to fuzz renegotiation, but renegotiation is sadness.
Anyway, it sounds like you can crash most OpenSSL servers on the internet today.
— Filippo Valsorda (@FiloSottile) March 25, 2021
Hackers could exploit the vulnerability by sending a server a maliciously crafted renegotiation request during the first handshake that establishes a secure connection between an end user and a server.
“An OpenSSL TLS server could crash if sent a maliciously crafted renegotiation ClientHello message from a client,” administrators wrote in an advisory. “If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the original ClientHello), but includes a signature_algorithms_cert extension, a NULL pointer reference will result, leading to a crash and a denial of service attack.”
The administrators rated the severity as high. Researchers reported the vulnerability to OpenSSL on March 17. Nokia developers Peter Kästle and Samuel Sapalski provided the fix.
Certificate Verification Bypass
OpenSSL also fixed a separate vulnerability that, in edge cases, prevented apps from detecting and rejecting TLS certificates that are not digitally signed by a browser-trusted certificate authority. The vulnerability, tracked as CVE-2021-3450, involves the interplay between the X509_V_FLAG_X509_STRICT flag in the code and various parameters.
Thursday’s advisory stated:
If a “target” is configured, there is another option to verify that the certificate is a valid CA. All mentioned “target” values implemented in libcrypto perform this check. Therefore, when a target is set, the certificate chain will still be rejected even if the strict flag is used. A target is set by default in the libssl client and server certificate authentication routines, but it can be overridden or removed by an application.
To be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT authentication flag and not set a target for the certificate authentication or, in the case of TLS client or server applications, override the default target.
OpenSSL versions 1.1.1h and newer are vulnerable. OpenSSL 1.0.2 is not affected by this issue. Akamai researchers Xiang Ding and Benjamin Kaduk respectively discovered and reported the bug. It was patched by Tomáš Mráz, a software developer who has a contract with OpenSSL Software Services.
Apps using a vulnerable OpenSSL version should upgrade to OpenSSL 1.1.1k as soon as possible.
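For triaging hosts against the version facts above, the following added example (not code from the article or from OpenSSL) classifies `openssl version` banners for CVE-2021-3450 only, since the article gives no version range for CVE-2021-3449. The host names and banners are constructed sample data, and the function names are hypothetical.

```python
import re

# Matches the banner printed by `openssl version`, e.g. "OpenSSL 1.1.1j  16 Feb 2021".
_BANNER = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_version(banner):
    """Return (major, minor, fix, patch_letters), or None if not an OpenSSL banner."""
    m = _BANNER.search(banner)
    if not m:
        return None
    major, minor, fix, letters = m.groups()
    return int(major), int(minor), int(fix), letters

def _letter_rank(letters):
    # Patch letters sort as "" < a < ... < z < za < zb, so compare (length, text).
    return (len(letters), letters)

def cve_2021_3450_status(banner):
    """Classify a banner using only the version facts stated in the article."""
    v = parse_version(banner)
    if v is None:
        return "not-openssl"
    series, letters = v[:3], v[3]
    if series == (1, 0, 2):
        return "not-affected"          # article: 1.0.2 is not affected
    if series != (1, 1, 1):
        return "not-stated"            # article says nothing about other series
    if _letter_rank(letters) >= _letter_rank("k"):
        return "fixed"                 # article: upgrade to 1.1.1k
    if _letter_rank(letters) >= _letter_rank("h"):
        return "vulnerable"            # article: 1.1.1h and newer
    return "not-affected"              # 1.1.1 releases before h

def hosts_to_upgrade(inventory):
    """Return sorted host names whose banner is in the vulnerable range."""
    return sorted(h for h, b in inventory.items()
                  if cve_2021_3450_status(b) == "vulnerable")

# Constructed sample inventory: host name -> output of `openssl version`.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.1.1j  16 Feb 2021",
    "web-02": "OpenSSL 1.1.1k  25 Mar 2021",
    "mail-01": "OpenSSL 1.0.2u  20 Dec 2019",
    "build-01": "OpenSSL 1.1.1g  21 Apr 2020",
    "edge-01": "LibreSSL 3.2.5",
}

if __name__ == "__main__":
    for host, banner in sorted(SAMPLE_INVENTORY.items()):
        print(host, cve_2021_3450_status(banner))
```

Distribution packages often backport fixes without changing the version letter, so a "vulnerable" result from the banner should be confirmed against the vendor's own advisory for that package.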