Bug 1823670 (CVE-2020-1967)

Summary: CVE-2020-1967 openssl: Segmentation fault in SSL_check_chain causes denial of service
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aboyko, asoldano, atangrin, bbaranow, bmaxwell, brian.stansberry, cdewolf, cfergeau, chazlett, crypto-team, csutherl, darran.lofthouse, databases-maint, dciabrin, dkreling, dosoudil, elima, erik-fedora, fidencio, gzaronik, hhorak, iweiss, jawilson, jclere, jochrist, jorton, jperkins, jstanek, jwon, krathod, ktietz, kwills, lgao, ljavorsk, marcandre.lureau, mbabacek, mbayer, mcooper, mmuzila, mschorm, msiddiqu, msochure, msvehla, mturk, myarboro, nwallace, pjindal, pmackay, psotirop, redhat-bugzilla, rguimara, rh-spice-bugs, rjones, rstancel, rsvoboda, security-response-team, smaestri, tmraz, tom.jenkinson, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssl 1.1.1g Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference flaw was found in the way OpenSSL handled certain TLS handshake messages. This flaw allows an unauthenticated attacker to cause a server application compiled with OpenSSL to crash, causing a denial of service. In some cases a malicious server could also cause a client compiled with OpenSSL to crash.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-21 13:40:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1826338    
Bug Blocks: 1823663    

Description Huzaifa S. Sidhpurwala 2020-04-14 08:23:44 UTC 
As per upstream advisory:

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.
Comment 3 Huzaifa S. Sidhpurwala 2020-04-14 09:05:32 UTC 
Acknowledgments:

Name: the OpenSSL project
Upstream: Bernd Edlinger
Comment 4 Huzaifa S. Sidhpurwala 2020-04-14 09:12:29 UTC 
It seems like this flaw was caused by the commit https://github.com/openssl/openssl/commit/5235ef44b93306a14d0b6c695b13c64b16e1fdec which is a part of openssl-1.1.1d, older versions of openssl are therefore not affected by this flaw.
Comment 5 Huzaifa S. Sidhpurwala 2020-04-14 09:51:14 UTC 
The OpenSSL peer loops through the through the list of "signature_algorithms_cert" received from the client and attempts to lookup each one in the internal table. When the peer sends a value which is not in the list, the lookup returns NULL, but we unconditionally dereference the lookup result for the comparison, leading to an application crash triggerable by an unauthenticated client.

Since we will not be able to say anything about algorithms we don't recognize, the patch treats NULL return from lookup as "does not match".

Only TLS 1.3 is affected in the code, since only "signature_algorithm_cert" is supported for TLS 1.3
Comment 10 Ted Jongseok Won 2020-04-15 05:58:26 UTC 
Statement:

This flaw was introduced by the following OpenSSL commit:
https://github.com/openssl/openssl/commit/5235ef44b93306a14d0b6c695b13c64b16e1fdec
which was shipped as a part of OpenSSL-1.1.1d, therefore older versions are not affected by this flaw. 
OpenSSL packages shipped with Red Hat Products are NOT affected by this flaw.

The affected  `signature_algorithm_cert`  check which causes the flaw is only applied to TLS 1.3, therefore older versions of TLS are not be affected by this flaw.

Also, the vulnerable `SSL_check_chain()` is not called directly from libssl, but may be used by the application inside a callback (e.g., client_hello or cert callback) to verify that a candidate certificate chain will be acceptable to the client. Thus, applications that use openssl without invoking the `SSL_check_chain()` function are not vulnerable to this flaw.

Lastly, no Red Hat Middleware products ship the affected version of OpenSSL. However, some components, such as Netty and Wildfly, may be configured by customers to use any OpenSSL version. Customers who have configured their setups to use a vulnerable version of OpenSSL are advised to upgrade to the latest unaffected version immediately.
Comment 11 Huzaifa S. Sidhpurwala 2020-04-17 07:25:25 UTC 
Mitigation:

Applications compiled with OpenSSL >= 1.1.1d that either use openssl without invoking the `SSL_check_chain()` function or do not use TLS 1.3 are not vulnerable to this flaw.
Comment 12 Mark Cooper 2020-04-21 00:22:42 UTC 
OpenShift ServiceMesh is not vulnerable to this flaw. 

The component servicemesh-proxy, dynamically links to the RHEL version (RHEL 8.1, openssl-libs 1.1.1c) and does not invoke the vulnerable function, SSL_check_chain().
Comment 13 Huzaifa S. Sidhpurwala 2020-04-21 13:15:01 UTC 
External References:

https://www.openssl.org/news/secadv/20200421.txt
Comment 14 Huzaifa S. Sidhpurwala 2020-04-21 13:17:14 UTC 
Upstream patch:
https://github.com/openssl/openssl/commit/a87f3fe01a5a894aa27ccd6a239155fd129988e4
https://github.com/openssl/openssl/commit/3656c08ab4b1b892730cb5e808b6f4298b08a2e6