OpenSSL Security Advisory

Sam Roberts vieuxtech at gmail.com
Tue Apr 21 19:46:43 UTC 2020 

The announcement claims that this affects SSL_check_chain().

Is that an exhaustive list? If an application does NOT call that
function, does this mean the vulnerability is not exploitable?

I ask because the the fixed function tls1_check_sig_alg is called by
tls1_check_chain, and that is called directly by SSL_check_chain, but
it is also called by tls1_set_cert_validity, and that is called from
inside the tls state machine, but with different parameters, so its a
bit hard to see if it is affected or not.

Thanks,
Sam

On Tue, Apr 21, 2020 at 6:26 AM OpenSSL <openssl at openssl.org> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> OpenSSL Security Advisory [21 April 2020]
> =========================================
>
> Segmentation fault in SSL_check_chain (CVE-2020-1967)
> =====================================================
>
> Severity: High
>
> Server or client applications that call the SSL_check_chain() function during or
> after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
> result of incorrect handling of the "signature_algorithms_cert" TLS extension.
> The crash occurs if an invalid or unrecognised signature algorithm is received
> from the peer. This could be exploited by a malicious peer in a Denial of
> Service attack.
>
> OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue.  This
> issue did not affect OpenSSL versions prior to 1.1.1d.
>
> Affected OpenSSL 1.1.1 users should upgrade to 1.1.1g
>
> This issue was found by Bernd Edlinger and reported to OpenSSL on 7th April
> 2020. It was found using the new static analysis pass being implemented in GCC,
> - -fanalyzer. Additional analysis was performed by Matt Caswell and Benjamin
> Kaduk.
>
> Note
> =====
>
> This issue did not affect OpenSSL 1.0.2 however these versions are out of
> support and no longer receiving public updates. Extended support is available
> for premium support customers: https://www.openssl.org/support/contracts.html
>
> This issue did not affect OpenSSL 1.1.0 however these versions are out of
> support and no longer receiving updates.
>
> Users of these versions should upgrade to OpenSSL 1.1.1.
>
> References
> ==========
>
> URL for this Security Advisory:
> https://www.openssl.org/news/secadv/20200421.txt
>
> Note: the online version of the advisory may be updated with additional details
> over time.
>
> For details of OpenSSL severity classifications please see:
> https://www.openssl.org/policies/secpolicy.html
> -----BEGIN PGP SIGNATURE-----
>
> iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl6e8uwACgkQ2cTSbQ5g
> RJHHRgf+J8iVBuK6EoOvf9xm9geiDgYVFse9ckMXH92gdGbwsW4uhTNk9fCyNC+t
> vsf6YGT6nKJarB5+N+LC4QB7VLo/DjlYcN9zP3mubV0eEyKHSoW6tDOWPpJ0gsbt
> 2Z9iTA4GnofvhBcWLiPGgv4IUHknsOaPkRmEppSF0fDTSKuYOerfNRh9jTKHulis
> Ph6dCOXE3kb5HfMwVj3UN2sP92XTig4FzpIQaZ1/2jKZaRXtzJD7pvu1fDCTkUGl
> aeta5jHNypYyRKJLuJ1+1DiBtbWTFAWMUCHlkg/kgdU4hIl/lo3vgAyFs/9mQxZQ
> vj2rIjoJHRj0EXqXhHoABqBHedilJQ==
> =AXyP
> -----END PGP SIGNATURE-----

More information about the openssl-users mailing list