OpenSSL CRL Verification Vulnerability
Overview:
SonicWall Capture Labs Threat Research Team has observed the following threat:
Public Key Infrastructure (PKI) is a comprehensive framework for managing digital certificates and cryptographic keys, serving as the foundation for secure communication over the internet. PKI comprises of several components, such as Certificate Authorities (CAs), registration authorities, and end-user systems, all working together to create, distribute, store, and manage digital certificates. OpenSSL is an open-source software library that supports the implementation of PKI by providing a robust set of cryptographic functions, including the generation and management of digital certificates and keys, as well as secure communication protocols.
Transport Layer Security (TLS) is a cryptographic protocol designed to ensure privacy and data integrity between applications communicating over a network. TLS relies on digital certificates, which follow the X.509 standard, to authenticate the identities of communicating parties and establish secure connections. The X.509 standard has evolved through different versions, with each enhancing the functionality of the previous one. The most widely used version is X.509 v3, which supports extensions for additional certificate features. Certificate Revocation Lists (CRLs) are a crucial aspect of maintaining the integrity of PKI, as they contain information about digital certificates that have been revoked, allowing applications to verify the trustworthiness of certificates before establishing secure connections.
Abstract Syntax Notation One (ASN.1) is a language used for describing data structures that can be represented, encoded, transmitted, and decoded in a platform-independent manner. ASN.1 plays a significant role in defining the structure of X.509 certificates and CRLs, enabling their consistent interpretation across different systems. Distinguished Encoding Rules (DER) is a subset of ASN.1 that provides a specific, unambiguous encoding for these data structures. DER ensures that any given ASN.1-defined data structure has a unique binary representation, which is essential for the proper functioning of cryptographic processes, such as digital signature verification. Together, ASN.1 and DER contribute to the seamless and secure exchange of information across networks and systems.
The GeneralName structure is defined using ASN.1 notation and consists of several types of names and identifiers, including:
01. otherName: Represents an application-specific name, defined as an object identifier (OID) and a value.
02. rfc822Name: Represents an email address.
03. dNSName: Represents a domain name.
04. x400Address: Represents an X.400 address, used in a specific type of email system.
05. directoryName: Represents a distinguished name (DN) in the X.500 directory format.
06. ediPartyName: Represents an Electronic Data Interchange (EDI) party name.
07. uniformResourceIdentifier (URI): Represents a Uniform Resource Identifier, such as a URL or URN.
08. ipAddress: Represents an IP address, either in IPv4 or IPv6 format.
09. registeredID: Represents an object identifier (OID) registered to a specific entity.
A type confusion vulnerability has been reported in OpenSSL. The vulnerability is due to improper X.400 address processing inside an X.509 GeneralName structure.
A remote attacker could exploit the vulnerability by sending crafted traffic to the target system. Successful exploitation could result in denial of service or sensitive information disclosure.
CVE Reference:
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-0286.
Common Vulnerability Scoring System (CVSS):
The overall CVSS score is 5.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C).
Base score is 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H), based on the following metrics:
• Attack vector is network.
• Attack complexity is high.
• Privileges required is none.
• User interaction is none.
• Scope is unchanged.
• Impact of this vulnerability on data confidentiality is low.
• Impact of this vulnerability on data integrity is none.
• Impact of this vulnerability on data availability is high.
Temporal score is 5.7 (E:U/RL:O/RC:C), based on the following metrics:
• The exploit code maturity level of this vulnerability is unproven.
• The remediation level of this vulnerability is official fix.
• The report confidence level of this vulnerability is confirmed.
Technical Overview:
The type confusion vulnerability in OpenSSL arises from its handling of certificate verification with Certificate Revocation Lists (CRLs). During the SSL certificate verification process, the check_cert() method is called, and if the certificate contains a CRL Distribution Point extension with the X509_V_FLAG_CRL_CHECK flag set, the crl_crldp_check() function is executed.
This function iterates through each Distribution Point in the certificate’s X.509 SEQUENCE, calling the idp_check_dp() function to compare the fullName with the one from the CRL. The process eventually calls the GENERAL_NAME_cmp() function to compare values from the X.509 certificate and the CRL. If the name utilizes the x400Address choice in the GeneralName, it calls the ASN1_TYPE_cmp() function for comparison. However, this function fails to validate the data payload before invoking ASN1_STRING_cmp(), leading to the use of arbitrary pointers in a memcmp call.
Exploiting this vulnerability requires a remote attacker to provide both a malicious certificate and a malicious CRL. A successful attack can lead to a denial-of-service condition or the disclosure of memory content, which poses a significant risk to the security and stability of systems relying on OpenSSL for secure communications. Both TLS client and server applications are vulnerable, emphasizing the need for developers and administrators to take prompt action to address the issue.
Triggering the Problem:
• The target must be running a vulnerable version of the affected product.
• The attacker must have a malicious leaf certificate and a malicious CRL.
• The target must trust the malicious CRL to verify the malicious leaf certificate.
Triggering Conditions:
The attacker must be able to deliver a malicious certificate and a malicious CRL to the affected applications using OpenSSL library. The vulnerability is triggered when the CRL is used to verify the malicious certificate.
Attack Delivery:
The following application protocols can be used to deliver an attack that exploits this vulnerability:
• TLS
• DTLS
• FTP
• HTTP
• HTTPS
• IMAP
• NFS
• POP3
• SMB/CIFS
• SMTP
• SMTPS
• SIPS
SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:
• IPS: 18961 OpenSSL X.400 Address Type Confusion 3
Remediation Details:
The risks posed by this vulnerability can be mitigated or eliminated by:
• Apply the vendor-provided patch to eliminate the vulnerability.
• Filter attack traffic using the signature above.
The vendor has released the following advisory regarding this vulnerability:
Vendor Advisory