Bug 1941547 (CVE-2021-3450)

Summary: CVE-2021-3450 openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: cfergeau, crypto-team, csutherl, dblechte, ddelcian, dfediuck, dueno, dvolkov, eedri, elima, erik-fedora, fidencio, francois.poirotte, gzaronik, hkario, jclere, jwon, kaycoth, krathod, ktietz, marcandre.lureau, mgoldboi, michal.skrivanek, mturk, mvanderw, pjindal, randy, redhat-bugzilla, rh-spice-bugs, rjones, sahana, sbonazzo, security-response-team, sherold, ssorce, szappis, tm, wwinter, yozone, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssl 1.1.1k Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in openssl. The flag that enables additional security checks of certificates present in a certificate chain was not enabled allowing a confirmation step to verify that certificates in the chain are valid CA certificates is bypassed. The highest threat from this vulnerability is to data confidentiality and integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-30 17:35:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1941891, 1941892, 1941893, 1941894, 1943176, 1943177, 1943892    
Bug Blocks: 1941549    

Description Huzaifa S. Sidhpurwala 2021-03-22 10:53:33 UTC 
As per upstream:

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default.

Starting from OpenSSL version 1.1.1h a check to disallow certificates withexplicitly encoded elliptic curve parameters in the chain was added to the strict checks.

An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates.

If a "purpose" has been configured then a subsequent check that the certificate is consistent with that purpose also checks that it is a valid CA. Therefore where a purpose is set the certificate chain will still be rejected even when
the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overriden by an application.

Affected applications explicitly set the X509_V_FLAG_X509_STRICT verification flag and either do not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose to make it not set.
Comment 1 Huzaifa S. Sidhpurwala 2021-03-22 10:53:37 UTC 
Acknowledgments:

Name: the OpenSSL Project
Upstream: Benjamin Kaduk,  Xiang Ding and others (Akamai)
Comment 10 Huzaifa S. Sidhpurwala 2021-03-25 14:24:20 UTC 
External References:

https://www.openssl.org/news/secadv/20210325.txt
Comment 11 Huzaifa S. Sidhpurwala 2021-03-25 14:25:07 UTC 
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1943176]


Created openssl11 tracking bugs for this issue:

Affects: epel-7 [bug 1943177]
Comment 12 Huzaifa S. Sidhpurwala 2021-03-25 14:26:36 UTC 
Upstream commit: https://github.com/openssl/openssl/commit/2a40b7bc7b94dd7de897a74571e7024f0cf0d63b
Comment 13 Huzaifa S. Sidhpurwala 2021-03-25 14:26:42 UTC 
* deleted *
Comment 18 errata-xmlrpc 2021-03-29 19:40:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1024 https://access.redhat.com/errata/RHSA-2021:1024
Comment 22 Product Security DevOps Team 2021-03-30 17:35:13 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3450
Comment 25 Huzaifa S. Sidhpurwala 2021-04-01 03:20:43 UTC 
Statement:

This flaw affects openssl  1.1.1h  and above only, older versions are not affected by this flaw.
Comment 26 Huzaifa S. Sidhpurwala 2021-04-01 03:20:47 UTC 
Mitigation:

The following conditions have to be met for an application compiled with OpenSSL to be vulnerable:

- the CA trusted by the system must issue or have issued certificates that don't include basic Key Usage extension.
- the CA certificates must not have path length constraint set to a value that would limit the certificate chain to just the subscriber certificates (i.e. CA certificate just above the subscriber cert must not have 0 as the path length constraint, and any CA above it must not have it increase by more than 1 for every level in the hierarchy)
- the attacker needs to have access to such subscriber certificate (without basic Key Usage and linking up to CAs without path length constraints or not effectively constraining certs issued by this certificate)
- the application under attack must use the X509_V_FLAG_X509_STRICT flag and must not set purpose for the certificate verification

if any of the above conditions are not met then the application compiled with OpenSSL is not vulnerable to the CVE.
Comment 33 errata-xmlrpc 2021-04-14 11:44:47 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:1189 https://access.redhat.com/errata/RHSA-2021:1189
Comment 34 errata-xmlrpc 2021-04-14 14:34:36 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2021:1196 https://access.redhat.com/errata/RHSA-2021:1196
Comment 35 errata-xmlrpc 2021-04-14 14:45:56 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.4 on RHEL 7
  Red Hat JBoss Web Server 5.4 on RHEL 8

Via RHSA-2021:1195 https://access.redhat.com/errata/RHSA-2021:1195
Comment 36 errata-xmlrpc 2021-04-14 15:54:20 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2021:1199 https://access.redhat.com/errata/RHSA-2021:1199
Comment 37 errata-xmlrpc 2021-04-14 16:00:07 UTC 
This issue has been addressed in the following products:

  JBCS 2.4.37 SP7

Via RHSA-2021:1200 https://access.redhat.com/errata/RHSA-2021:1200
Comment 38 errata-xmlrpc 2021-04-14 17:57:32 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2021:1203 https://access.redhat.com/errata/RHSA-2021:1203
Comment 39 errata-xmlrpc 2021-04-14 17:58:42 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2021:1202 https://access.redhat.com/errata/RHSA-2021:1202