Re: OpenSSL Security Advisory

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thursday, 25 March 2021 15:03:24 CET, OpenSSL wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL Security Advisory [25 March 2021]
=========================================

NULL pointer deref in signature_algorithms processing (CVE-2021-3449)
=====================================================================

Severity: High

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation
ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits 
the signature_algorithms extension (where it was present in the initial
ClientHello), but includes a signature_algorithms_cert extension then a NULL
pointer dereference will result, leading to a crash and a denial of service
attack.
A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which 
is the default configuration). OpenSSL TLS clients are not impacted by this
issue.
All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions 
should upgrade to OpenSSL 1.1.1k.

OpenSSL 1.0.2 is not impacted by this issue.

This issue was reported to OpenSSL on 17th March 2021 by Nokia. The fix was
developed by Peter Kästle and Samuel Sapalski from Nokia.


I've created a stand-alone reproducer for it using tlsfuzzer:

git clone https://github.com/tlsfuzzer/tlsfuzzer.git
cd tlsfuzzer
# won't be necessary after https://github.com/tlsfuzzer/tlsfuzzer/pull/748 is merged: 
git checkout sig-algs-tests

# install dependencies:
python3 -m venv py3-venv
py3-venv/bin/pip install --pre tlslite-ng

# run the reproducer:
PYTHONPATH=. py3-venv/bin/python3 scripts/test-sig-algs-renegotiation-resumption.py -h <hostname> -p <port> 


In case the server has renegotiation disabled, use the --no-renego option.
In case the server doesn't require presence of signature_algorithms extension when signature_algorithms_cert are present (like in case of OpenSSL 1.0.2), use the --sig-algs-drop-ok option. 

If everything went fine, and the server didn't crash, the test will print
summary like this:

====================
TOTAL: 12
SKIP: 0
PASS: 12
XFAIL: 0
FAIL: 0
XPASS: 0
====================

It's not necessary to install dependencies to a virtual environment,
but that setup is described in the official docs:
https://tlsfuzzer.readthedocs.io/en/latest/quickstart.html
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux