After the busy week with PoC, DoS is coming.
Two critical OpenSSL vulnerabilities released yesterday and I just see them in my mailbox.
In CVE-2021-3449, a denial-of-service condition exists in the default renegotiation configuration of TLSv1.2, can be triggered by malicious ClientHello requests. This means all the internet-facing systems are potentially be targeted with this hard-to-detect (but easy to assess) application level attack. This attack can be triggered by NULL pointer de-reference if renegotiation is enabled (in TLSv1.2 only), and can be assessed with SSLScan:
 |
| CVE-2021-2449 |
In CVE-2021-2450, a high severity vulnerability, is a CA certificate check bypass issue where the "valid CA certificate check result" can be overwritten. In another word the "check that ensuring non-CA certificates must not be able to issue other certificates" can be bypassed.
This is a new feature introduced since 1.1.1h, and thus only affecting this version. Upgrade to 1.1.1k version to fix the issue, and run the following command to check the version:
$ openssl version -a
Links:
- https://attackerkb.com/topics/DMtqBir1bn/openssl-tls-server-crash-null-pointer-dereference-cve-2021-3449#rapid7-analysis
- https://attackerkb.com/topics/3R2Ftv4qHX/cve-2021-3450#rapid7-analysis
- https://www.openssl.org/news/secadv/20210325.txt