Mar 26, 2021

Two OpenSSL Vulnerabilities for this week

After a busy week of PoCs, a DoS is coming.

Two high-severity OpenSSL vulnerabilities were released yesterday, and I just saw them in my mailbox.

CVE-2021-3449 is a denial-of-service bug in the TLSv1.2 renegotiation handling of OpenSSL 1.1.1 servers, triggered by a malicious renegotiation ClientHello. Per the advisory, a renegotiation ClientHello that omits the signature_algorithms extension (which was present in the initial ClientHello) but includes a signature_algorithms_cert extension causes a NULL pointer dereference and crashes the server. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled, which is the default configuration, so any internet-facing OpenSSL 1.1.1 server running defaults is a potential target for this hard-to-detect (but easy to assess) application-level attack. TLS clients are not affected, and neither is OpenSSL 1.0.2. Whether a server offers TLSv1.2 and renegotiation can be assessed with SSLScan:

CVE-2021-3449

One caveat on the assessment: SSLScan's "session renegotiation supported" line reflects the RFC 5746 secure-renegotiation extension, which a server can advertise even when it refuses renegotiation requests. To confirm, connect with openssl s_client -connect host:443 -tls1_2 and type R to request a renegotiation; a server with renegotiation disabled answers with a no_renegotiation alert.

CVE-2021-3450, rated high severity, is a CA certificate check bypass. A strict-mode check added in 1.1.1h (rejecting certificates in the chain that carry explicitly encoded elliptic curve parameters) was implemented in a way that overwrote the result of the earlier check that certificates in the chain are valid CA certificates. In other words, the check ensuring that non-CA certificates cannot issue other certificates can be bypassed. An application is only affected if it explicitly sets the X509_V_FLAG_X509_STRICT verification flag (which is not set by default) and either sets no verification purpose or, for TLS clients and servers, overrides the default purpose; when a purpose is set, the chain is still rejected.

The faulty check was introduced in 1.1.1h, so 1.1.1h, 1.1.1i and 1.1.1j are affected; 1.1.1g and earlier, and 1.0.2, are not. Upgrade to 1.1.1k, which fixes both issues, and check the version with the following command (note that distribution packages often backport the fix without changing the version string, so for a distro package also check its changelog):

$ openssl version -a
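The script below is an added example, not from the original post and not OpenSSL or sslscan project code, that puts the two checks together: it parses the openssl version -a banner, classifies the version against the affected ranges from the advisory (every 1.1.1 release before 1.1.1k for CVE-2021-3449; 1.1.1h to 1.1.1j for CVE-2021-3450), and reads sslscan output for the TLSv1.2-plus-renegotiation precondition of CVE-2021-3449. The sslscan and version texts embedded in it are constructed samples in the shape of the tools' output, and the function names and the TRIAGE_TARGET variable are this example's own.

```shell
#!/bin/sh
# Added triage example for CVE-2021-3449 / CVE-2021-3450 (not from the original
# post or from the OpenSSL/sslscan projects). Affected ranges are taken from the
# OpenSSL advisory of 25 March 2021:
#   CVE-2021-3449: every OpenSSL 1.1.1 release before 1.1.1k (server side only,
#                  needs TLSv1.2 and renegotiation enabled, which is the default)
#   CVE-2021-3450: OpenSSL 1.1.1h, 1.1.1i, 1.1.1j (only when the application sets
#                  X509_V_FLAG_X509_STRICT without a verification purpose)
#   OpenSSL 1.0.2 is not affected by either.

# Pull the bare version token ("1.1.1j") out of `openssl version -a` output.
openssl_version_token() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Print the CVE identifiers that apply to an OpenSSL version token, one per line.
# Caveat: distributions backport fixes without bumping the version, so for a
# distro package check its changelog rather than trusting this alone.
affected_cves() {
    case "$1" in
        1.1.1|1.1.1[abcdefg]) echo CVE-2021-3449 ;;
        1.1.1[hij])           echo CVE-2021-3449; echo CVE-2021-3450 ;;
        *)                    ;;   # 1.1.1k and later, 1.0.2, 3.0: neither
    esac
}

# Decide from `sslscan --no-colour host:port` output whether the CVE-2021-3449
# preconditions are visible: TLSv1.2 offered and session renegotiation supported.
# Prints "exposed" or "not-exposed". sslscan's renegotiation line reflects the
# RFC 5746 secure-renegotiation extension, so confirm a hit with
# `openssl s_client -connect host:port -tls1_2` and the interactive R command.
reneg_exposure() {
    printf '%s\n' "$1" | grep -Eq '(TLSv1\.2 +enabled|(Accepted|Preferred) +TLSv1\.2)' \
        || { echo not-exposed; return 0; }
    printf '%s\n' "$1" | grep -qi 'session renegotiation supported' \
        || { echo not-exposed; return 0; }
    echo exposed
}

# Combine both checks. $1 = `openssl version -a` text, $2 = sslscan text (optional).
triage() {
    ver=$(openssl_version_token "$1")
    [ -n "$ver" ] || { echo "unknown: could not parse OpenSSL version"; return 1; }
    cves=$(affected_cves "$ver")
    [ -n "$cves" ] || { echo "ok: OpenSSL $ver is not affected by either CVE"; return 0; }
    for c in $cves; do
        case "$c" in
            CVE-2021-3449)
                if [ -n "${2:-}" ]; then
                    echo "$c: OpenSSL $ver, renegotiation $(reneg_exposure "$2")"
                else
                    echo "$c: OpenSSL $ver (server side; renegotiation not checked)"
                fi ;;
            CVE-2021-3450)
                echo "$c: OpenSSL $ver (only if X509_V_FLAG_X509_STRICT is set without a purpose)" ;;
        esac
    done
}

# Constructed samples (not captured from a real host) in the shape of the tools' output.
VERSION_SAMPLE_J='OpenSSL 1.1.1j  16 Feb 2021
built on: Tue Feb 16 12:00:00 2021 UTC
platform: linux-x86_64'

SSLSCAN_SAMPLE='Testing SSL server example.test on port 443 using SNI name example.test

  SSL/TLS Protocols:
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   enabled

  TLS renegotiation:
Secure session renegotiation supported

  Supported Server Cipher(s):
Preferred TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384'

SSLSCAN_SAMPLE_NORENEG='  SSL/TLS Protocols:
TLSv1.2   enabled
TLSv1.3   enabled

  TLS renegotiation:
Session renegotiation not supported'

# Live use: TRIAGE_TARGET=host:443 sh triage.sh (needs openssl and sslscan on PATH).
# Without TRIAGE_TARGET the constructed samples are triaged instead.
if [ -n "${TRIAGE_TARGET:-}" ]; then
    triage "$(openssl version -a)" "$(sslscan --no-colour "$TRIAGE_TARGET")"
else
    triage "$VERSION_SAMPLE_J" "$SSLSCAN_SAMPLE"
fi
```

The version classification is deliberately exact-match on the 1.1.1 letter releases rather than a numeric comparison, so an unexpected token (a 3.0 alpha, a vendor string) falls through to "not affected" instead of being misparsed; pair it with the package changelog on distributions that backport, and treat "exposed" as a prompt to run the s_client renegotiation check rather than as proof.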

Links:

  • https://attackerkb.com/topics/DMtqBir1bn/openssl-tls-server-crash-null-pointer-dereference-cve-2021-3449#rapid7-analysis
  • https://attackerkb.com/topics/3R2Ftv4qHX/cve-2021-3450#rapid7-analysis
  • https://www.openssl.org/news/secadv/20210325.txt